Thread: 20 messages, 5 authors, 2017-10-04

[RFC][PATCH] security: Make the selinux setxattr and removexattr hooks behave

From: Eric W. Biederman <hidden>
Date: 2017-10-01 22:11:58

Casey Schaufler [off-list ref] writes:

> On 9/30/2017 6:02 PM, Eric W. Biederman wrote:
>> I don't have a smack configuration handy, but reading through
>> the code smack setxattr the permission checks for all xattrs
>> that are not smack xattrs to cap_inode_setxattr.
> It's not hard to configure Smack. But, if you have a test case
> I can run it for you.

All I did was take /bin/ping from a RHEL or equally a fedora code base
where it is setcap, and copied it with rsync as root in a user namespace
and looked at the xattr.

From memory:
$ cd
$ unshare -Ur
# rsync -Xp /bin/ping ping

So smack and commoncap combined will not fail.

>> smack and selinux will result in people who should be able to set
>> selinux xattrs not being able to.  That however is less of an immediate
>> problem.
> That's not currently a problem as you can't configure
> them both to be enabled.

Like I said not immediate.

> You clearly don't work in security if running into a brick
> wall is a shocking experience :)

The shock was that the security code was so b0rked.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
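Eric's check above comes down to copying a setcap'd binary with `rsync -X` inside a user namespace and then looking at the resulting `security.capability` xattr. As an added example that is not part of the thread or of the kernel patch under discussion, the Python below decodes that xattr's on-disk layout (revisions 1, 2 and 3 as defined in the kernel's `include/uapi/linux/capability.h`, the v3 form carrying the `rootid` of the user namespace the capabilities are valid in), so that the outcome of such a copy can be inspected from a script rather than by eye. The two sample blobs are constructed here, and `read_file_caps` is a helper name introduced for this example.

```python
import errno
import os
import struct

# On-disk layout of the security.capability xattr, as defined in the
# kernel's include/uapi/linux/capability.h (struct vfs_cap_data and
# struct vfs_ns_cap_data).  All fields are little-endian u32.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000   # magic + 1 x (permitted, inheritable): 12 bytes
VFS_CAP_REVISION_2 = 0x02000000   # magic + 2 x (permitted, inheritable): 20 bytes
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 layout + rootid:           24 bytes
XATTR_SIZES = {VFS_CAP_REVISION_1: 12, VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}

CAP_NET_RAW = 13  # the capability /bin/ping is typically setcap'd with

# Constructed sample blobs (not read from a real file): a v2 xattr granting
# CAP_NET_RAW permitted+effective, and a v3 xattr with the same bits that is
# only valid in the user namespace whose root maps to kernel uid 100000.
SAMPLE_V2_PING = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                             1 << CAP_NET_RAW, 0, 0, 0)
SAMPLE_V3_NS = struct.pack("<IIIIII", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE,
                           1 << CAP_NET_RAW, 0, 0, 0, 100000)


def decode_cap_xattr(blob):
    """Parse a security.capability value into its fields.

    Raises ValueError on an unknown revision or on a size that does not
    match the revision, the same conditions the kernel rejects.
    """
    if len(blob) < 4:
        raise ValueError("xattr too short for the magic_etc header")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in XATTR_SIZES:
        raise ValueError("unknown security.capability revision 0x%08x" % revision)
    if len(blob) != XATTR_SIZES[revision]:
        raise ValueError("size %d does not match revision" % len(blob))

    # Revision 1 carries one 32-bit word per set; 2 and 3 carry two (64 bits).
    nwords = 1 if revision == VFS_CAP_REVISION_1 else 2
    permitted = inheritable = 0
    off = 4
    for i in range(nwords):
        p, inh = struct.unpack_from("<II", blob, off)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
        off += 8

    rootid = None
    if revision == VFS_CAP_REVISION_3:
        (rootid,) = struct.unpack_from("<I", blob, off)

    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
        "rootid": rootid,
    }


def is_valid_cap_xattr(blob):
    """True if the blob decodes cleanly, False if the kernel would reject it."""
    try:
        decode_cap_xattr(blob)
    except ValueError:
        return False
    return True


def caps_in_mask(mask):
    """Return the capability numbers set in a permitted/inheritable bitmask."""
    return [bit for bit in range(64) if mask & (1 << bit)]


def read_file_caps(path):
    """Read and decode security.capability from a file on a Linux system.

    Returns None when the file carries no such xattr.  Hypothetical helper
    for this example; it only works where os.getxattr is available.
    """
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None
        raise
    return decode_cap_xattr(blob)


if __name__ == "__main__":
    for label, blob in (("v2 sample", SAMPLE_V2_PING), ("v3 sample", SAMPLE_V3_NS)):
        info = decode_cap_xattr(blob)
        print(label, info, "caps:", caps_in_mask(info["permitted"]))
```

Run against a copy made the way Eric describes, `read_file_caps("ping")` shows whether the xattr survived the copy at all and, if it did, whether it came out as a v3 value scoped to the namespace root (`rootid` set) or as an unscoped v2 value, which is the distinction that matters when auditing what a file copied inside a user namespace is actually allowed to grant.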