SELinux Mailing List
Re: Single home directory type for all roles.
From: Russell Coker <rcoker_at_redhat.com>
Date: Fri, 10 Dec 2004 06:08:37 +1100
You are correct that there are cases of applications calling readlink(2) for the purpose of canonicalising a path which would be vulnerable to race conditions after such a change. However writing an application that does such things in a manner such that it is not vulnerable to any race conditions is really difficult and it seems likely that most such applications can be attacked in other ways (which will be more difficult to implement). But it would catch the majority of attacks and make it more difficult for an attack to leave a file system. Some of the attacks might work if the attacker found a symlink in a directory that they could rename - but the attacker would need to discover the contents of the sym-link which should be impossible.
> In any event, we could apply different permission checks - it just

Fixing the policy should be easy enough.
> > The solution then would be to have a separate domain for the

Yes. But it would give a practical use for ls_exec_t. ;)
> > Can we break the tradition of having only /home/$USER in this regard?

That's an entirely different issue. If we have both strict policy in its current form and MLS then we would have two ways of categorising the files (role and level). I think that probably the best thing to do for MLS is to polyinstantiate /home per MLS level. Anything else seems to get too confusing too fast. I hope that we don't plan on supporting polyinstantiation for MLS over NFS.

Received on Thu 9 Dec 2004 - 14:08:52 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |