--- Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Monday 24 January 2005 11:57, Casey Schaufler wrote:
> > If I have 6 capabilities but only need one
> > of them to perform an action the process list
> > does not identify the policy that is being
> > overridden.
>
> Maybe this is a wording issue. In Linux, you start
> with capabilities and lose them. You cannot override.

A POSIX capability gives the process the privilege
to override a system policy. A process with
CAP_DAC_READ in its effective set can override
the system DAC policy.

> > If I need 2 capabilities but only
> > have one, the one that I don't have but needed
> > needs to be pointed out.
>
> I can see this being useful when writing software,
> but production systems should have the capabilities
> set correctly at installation.

If everything could be counted on to work just
right then we wouldn't need an audit trail.

> > The capabilities required to perform an action will not
> > be set in concrete. For example, accessing
> > /a/file may require different capabilities depending on
> > the mode of /a.
>
> We are talking about POSIX capabilities, right?

Oh my, yes.

> They are bound to a process
> and enforced on a syscall by the kernel. That *is*
> cast in concrete unless you hack the kernel sources.

Yes. A syscall (e.g. open) may require more
than one capability, depending on the objects
involved and their security attributes. Or they
may require none. Whatever the case, the audit
record needs to indicate which of three statements
is true:

- The action succeeded without use of privilege
- The action succeeded, but only because it had
  some set of capabilities.
- The action failed, but would have succeeded
  had it had some set of capabilities.

In either of the last two cases the capabilities
that were checked must be reported, at least
according to the evaluation team I dealt with.

Note that "the action failed, but not because
of the absence of capabilities" is not on the list.
This is the case that does not have to be audited.
=====
Casey Schaufler
casey(a)schaufler-ca.com
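
Added example, not part of the original message and not kernel code: a small C model of the three audit cases listed in the message above, recording which capabilities were checked and which were missing. The function `audit_open_write`, the record layout, and the mapping of each check to a capability are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not kernel code. Capability names mirror Linux ones;
 * which check maps to which capability is a simplifying assumption. */
enum { CAP_DAC_OVERRIDE = 1 << 0, CAP_DAC_READ_SEARCH = 1 << 1 };
enum audit_case { NO_PRIV_USED, OK_BY_PRIV, FAIL_LACK_PRIV, FAIL_OTHER };

struct audit_rec {
    unsigned checked;   /* capabilities consulted during the action */
    unsigned missing;   /* consulted but absent from the effective set */
    enum audit_case result;
};

/* One DAC decision: only when the mode bits deny is a capability consulted. */
static int dac_check(int mode_allows, unsigned cap, unsigned eff,
                     struct audit_rec *r)
{
    if (mode_allows)
        return 1;
    r->checked |= cap;
    if (eff & cap)
        return 1;
    r->missing |= cap;
    return 0;
}

/* Hypothetical open-for-write of /a/file by a non-owner process. */
struct audit_rec audit_open_write(int file_exists, int dir_searchable,
                                  int file_writable, unsigned eff)
{
    struct audit_rec r = { 0, 0, FAIL_OTHER };
    if (!file_exists)       /* no capability would help: need not be audited */
        return r;
    /* Run both checks so the record names every capability that was needed. */
    int dir_ok = dac_check(dir_searchable, CAP_DAC_READ_SEARCH, eff, &r);
    int file_ok = dac_check(file_writable, CAP_DAC_OVERRIDE, eff, &r);
    if (dir_ok && file_ok)
        r.result = r.checked ? OK_BY_PRIV : NO_PRIV_USED;
    else
        r.result = FAIL_LACK_PRIV;
    return r;
}

int main(void)
{
    /* /a not searchable, file not writable, only one of two capabilities held */
    struct audit_rec r = audit_open_write(1, 0, 0, CAP_DAC_READ_SEARCH);
    printf("case=%d checked=%#x missing=%#x\n", r.result, r.checked, r.missing);
    return 0;
}
```

In this model the capabilities checked for the same open change with the mode of /a, and a process holding one of two needed capabilities gets a record that names the one it lacked.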