From: Jarkko Sakkinen
Subject: Re: Why "id -Z" get the current process security context but says "of the current user" in help?
Date: Thu, 16 Jan 2014 08:24:39 +0200
User-agent: Mutt/1.5.21 (2010-09-15)
Hi
On Thu, Jan 16, 2014 at 02:16:28AM +0000, Pádraig Brady wrote:
> On 01/16/2014 01:50 AM, Yang Chengwei wrote:
> > Hi List,
> >
> > I found that both id manpage and its help info says something about
> > security context like:
> >
> > -Z, --context print only the security context of the current user\n\
> >
> > As it says, it gets the security context of *the current user*. However,
> > I found in its source code that it is implemented in a way that gets *the
> > current process* security context, in both the SELinux and SMACK ways.
> >
> > As I understand it, *the current process* whenever "id -Z" is executed is
> > the id process, and its security context doesn't equal the *current user*
> > security context. Right?
> >
> > So far I haven't worked with SELinux a lot, but have some SMACK
> > experience, so currently "id -Z" in a SMACK environment *only* works if *id*
> > doesn't itself have a SMACK64EXEC label; in that case, *id* will inherit the shell
> > security context, so the security context of *the current process* is
> > the same as the security context of *the current user*. Otherwise, it will
> > surprise the user, like me.
>
> There was a large change to SELinux handling recently,
> but this functionality or --help output didn't change.
>
> You're right that this just prints the context for
> the id _process_, and also one can specify a particular user:
>
> $ id -u $USER -Z
> id: cannot print security context when user specified
>
> So I suppose we might change the --help docs etc. to say
> _process_ rather than _user_. Is SMACK64EXEC a common
> label to have set on the id executable? Jarkko I don't suppose
> there is any way to avoid that?
I don't see any reason why anyone would set SMACK64EXEC for 'id'. There's
no realistic use case to do that.
> thanks,
> Pádraig.
/Jarkko
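The point of the thread is that `id -Z` reports the label of the id *process*, which only equals the caller's label when nothing relabels id on exec. The script below is an added example (not coreutils code) that makes that check explicit on a Linux host: it reads the label the kernel exposes in /proc/<pid>/attr/current (used by both SMACK and SELinux), reads the security.SMACK64EXEC xattr of the id binary, and says whether `id -Z` would reflect the invoking shell. The path /usr/bin/id and the assumption that an exec label simply replaces the caller's label are this example's own.

```python
"""Would `id -Z` on this host show the caller's label, or a relabelled id?"""
import os

ID_BINARY = "/usr/bin/id"  # assumption: where the id executable lives


def parse_label(raw):
    """The kernel returns the label terminated by NUL or newline; strip it."""
    return raw.split(b"\0", 1)[0].strip().decode(errors="replace")


def read_label(pid):
    """LSM label of `pid` from /proc/<pid>/attr/current, or None when no
    LSM exposes one (the read fails with an error on such kernels)."""
    try:
        with open(f"/proc/{pid}/attr/current", "rb") as f:
            return parse_label(f.read())
    except OSError:
        return None


def exec_label(path):
    """SMACK64EXEC xattr of a binary: the label a process gets on exec.
    A missing xattr (or no xattr support) means the caller's label is kept."""
    try:
        return parse_label(os.getxattr(path, "security.SMACK64EXEC"))
    except OSError:
        return None


def effective_label(caller_label, smack64exec):
    """Label the id process runs with: SMACK64EXEC wins when set,
    otherwise the process inherits the label of the invoking shell."""
    return smack64exec if smack64exec else caller_label


def id_z_reflects_caller(caller_label, smack64exec):
    """True when the label `id -Z` prints equals the caller's own label."""
    return effective_label(caller_label, smack64exec) == caller_label


if __name__ == "__main__":
    shell = read_label(os.getppid())      # the shell that would run id
    on_exec = exec_label(ID_BINARY)
    print("shell label       :", shell)
    print("id SMACK64EXEC    :", on_exec)
    print("id -Z would print :", effective_label(shell, on_exec))
    print("reflects caller   :", id_z_reflects_caller(shell, on_exec))
```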