[Meego-security-discussion] Smack problem
Rolf Offermanns
roffermanns at sysgo.com
Mon Apr 25 13:55:43 PDT 2011
On 04/25/2011 06:19 PM, casey.schaufler at nokia.com wrote:
>> ________________________________________
>> From: meego-security-discussion-bounces at lists.meego.com [meego-security-discussion-bounces at lists.meego.com] on behalf of ext Rolf Offermanns [roffermanns at sysgo.com]
>> Sent: Saturday, April 23, 2011 9:33 AM
>> To: meego-security-discussion at lists.meego.com
>> Subject: [Meego-security-discussion] Smack problem
>>
>> Hi All,
>>
>> again not strictly MeeGo related, but since the relevant people are on
>> this list and I am trying this on a MeeGo system, I hope it qualifies... ;)
>>
>> So, my setup:
>> - MeeGo 1.2 trunk image from last week (2.6.37 kernel)
>> - Kernel config changed to have Smack enabled
>>
>> Test:
>> # echo test> /proc/self/attr/current
>> # cat /proc/self/attr/current
>> test
>>
>> # attr -S -s SMACK64 -V '*' /tmp
>>
>> # su - user
>> $ cat /proc/self/attr/current
>> test
>>
>> $ touch /tmp/my-test-file
>> $ chsmack /tmp/my-test-file
>> /tmp/my-test-file access="_"
>>
>> $ attr -g SMACK64 -S /tmp/my-test-file
>> Attribute "SMACK64" had a 2 byte value for /tmp/my-test-file:
>> _
>>
>>
>> Shouldn't the new file have the "test" label? From the Smack.txt:
>> "One example is the familiar spy model of sensitivity, where a scientist
>> working on a highly classified project would be able to read documents
>> of lower classifications and anything she writes will be "born" highly
>> classified."
>>
>> I expected my test file to be "born" with the test label.
>>
>> What am I missing?
>
> The result should be what you are expecting, not what you are seeing.
> What filesystem type is /tmp? The output of mount could be instructive.
> If /tmp is on a filesystem that does not support extended attributes this
> is a possible behavior.

The filesystem is Btrfs, mount options:
/dev/sda2 on / type btrfs (rw,relatime,nodatasum)

"/tmp" was only an example. The same happened when I ran chromium with
a "test" Smack label and downloaded a file. The downloaded file then
also got the floor label.

-Rolf