SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: trusted vs untrusted packages This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ Maybe in reply to ] From: Jeff Johnson <n3npq_at_nc.rr.com> Date: Tue, 14 Oct 2003 12:47:10 -0400 attached mail follows: Russell Coker wrote: >We have been having some IRC discussions about trusted RPMs. But please note >that I am not an expert on RPM, so I'll probably get terminology wrong (at >least). Please correct any errors and CC the list for the benefit of all >readers. > >RPMs can be signed or unsigned. If an RPM is signed by a trusted organization >then there should be some differences in an SE Linux install than if it is >not signed or if we don't trust the signer. > >One idea is to have signed packages be installed by rpm running as rpm_t and >unsigned packages be installed by rpm running as rpm_unsigned_t [1]. So for >example we could allow rpm_unsigned_t to install files in /sbin as >sbin_unsigned_t and in /bin as bin_unsigned_t [2]. Then a program installed >from an untrusted package can't be run from sysadm_t, and if it's run from >other trusted domains (EG part of the mail server) then it could trigger an >automatic domain transition to an appropriate domain. > >Now this raises some interesting issues. If a signed package has a program >which relies on some other program (and has a dependency), what happens if >the dependency is satisfied by an unsigned package? Installing the unsigned >package may not result in the system being fully functional (execution of the >file in question may be denied). > > The key phrase is "relies on some other program" and the type of relationship. Clearly, a trusted executable cannot invoke an untrusted executable without losing its trustedness. The answer is far less clear when the relationship is a dependency between signed and unsigned packages, and the files contained within. Which indicates to me that decicisions on whether to permit file exec based on package signatures needs to be reworked. An executable (or library or script) might lose some aspect of "trust" because the executable came from an unsigned package, but a stronger definition of "trust" must be associated with the file itself, not the cellophane from which it came. 73 de Jeff -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Tue 14 Oct 2003 - 12:47:20 EDT This message: [ Message body ] Next message: Jeff Johnson: "Re: trusted vs untrusted packages" Previous message: Dale Amon: "Re: avc_toggle and avc_enforcing" Maybe in reply to: Russell Coker: "trusted vs untrusted packages" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom