SELinux Mailing List

Re: Diamond Rio 500 and other device nodes

From: Russell Coker <russell_at_coker.com.au>
Date: Fri, 31 Oct 2003 03:23:46 +1100


On Fri, 31 Oct 2003 03:02, Stephen Smalley wrote:
> On Thu, 2003-10-30 at 09:33, Russell Coker wrote:
> > However there is a more important issue, we can't allow anyone other than
> > an administrator to mount a ext3 file system from a floppy disk or other
> > removable media. If we do then it would be trivial to create a file
> > system with a file of type newrole_exec_t and take over the system.
> >
> > Steve, any ideas on how to solve this?
>
> Just to clarify, subverting newrole isn't fatal to security, as newrole
> can only change to roles for which you are authorized in the policy, and
> that is enforced by the kernel. newrole is _not_ like su.

True.

However currently newrole has permissions to read /etc/shadow...

I can probably change this now as with the latest PAM changes newrole should only need auth_chkpwd not auth.

> To answer your question, at the suggestion of James Morris, we
> overloaded the nosuid mount option back in July to also prohibit domain
> transitions on programs in the filesystem. Hence, if you mount with
> nosuid, it won't matter whether any programs on the filesystem are
> labeled with an entrypoint type.

Great. This just leaves the issue of symlink race-condition attacks to try and trick sysadm_t into running a file that you label as bin_t, so I guess that noexec is needed for full protection. But the modified nosuid should cover 99% of the problems.

> However, that isn't a full solution to the general problem, as you
> really want to be able to constrain the set of security contexts that
> can exist on files in a given filesystem. Likely requires changes to
> mount(8) as well as the kernel and new mount options to support such
> functionality. Simplest implementation is to just allow a single
> context to be applied to an entire filesystem via a mount option,
> similar to the existing uid= and gid= options.

This would solve some of the issues we discussed recently regarding /boot...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 30 Oct 2003 - 11:24:47 EST
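The thread above turns on three kernel-side controls: the overloaded nosuid mount option (no domain transition for a program that lives on a nosuid filesystem, however it is labelled), noexec (nothing on the filesystem executes at all, which is what closes the symlink/bin_t trick), and the proposed single-context mount (every file on the mount gets one label, so the label stored on the media is ignored; this later shipped as the context= mount option). The following is an added model of that decision logic, written for this archive page; it is not kernel code and not policy from the thread. The policy fragment (the user_t/newrole_exec_t/newrole_t rules, the bin_t execute rules) and the removable_t type are constructed assumptions used only to show why an attacker-labelled file on a floppy succeeds on a plain mount and fails on each of the three protections.

```python
"""Model of the SELinux exec-time decision discussed in the thread.

Added illustration for this archive page, not kernel code. The policy
rules and the removable_t type below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Filesystem:
    mountpoint: str
    nosuid: bool = False           # overloaded: also forbids domain transitions
    noexec: bool = False           # nothing on this mount may be executed
    context: Optional[str] = None  # single label for every file (proposed mount option)


@dataclass
class File:
    path: str
    fs: Filesystem
    on_disk_type: str              # label carried by the media; attacker-chosen on a floppy

    def effective_type(self) -> str:
        # A single-context mount overrides whatever label the media carries.
        return self.fs.context if self.fs.context is not None else self.on_disk_type


# Constructed policy fragment (assumption, not the real reference policy):
# domain transitions keyed by (source domain, file type), the entrypoint
# types of each target domain, and what each domain may run without a transition.
TRANSITIONS: Dict[Tuple[str, str], str] = {("user_t", "newrole_exec_t"): "newrole_t"}
ENTRYPOINT: Dict[str, Set[str]] = {"newrole_t": {"newrole_exec_t"}}
EXECUTE_NO_TRANS: Dict[str, Set[str]] = {
    "user_t": {"bin_t", "user_home_t"},
    "sysadm_t": {"bin_t", "sbin_t"},
}


def exec_decision(domain: str, f: File) -> Tuple[str, str]:
    """Return (outcome, resulting domain).

    outcome is 'denied', 'no_trans' (runs in the caller's domain) or
    'transition' (runs in the target domain).  Mirrors the order the
    thread describes: noexec first, then the nosuid transition block,
    then the plain execute check.
    """
    if f.fs.noexec:
        return ("denied", domain)
    ftype = f.effective_type()
    target = TRANSITIONS.get((domain, ftype))
    if target is not None and ftype in ENTRYPOINT.get(target, set()) and not f.fs.nosuid:
        return ("transition", target)
    # With nosuid the would-be transition collapses to a plain execute check,
    # which user_t does not pass for newrole_exec_t.
    if ftype in EXECUTE_NO_TRANS.get(domain, set()):
        return ("no_trans", domain)
    return ("denied", domain)


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Constructed cases: the attack from the thread against each mount setup."""
    root = Filesystem("/")
    floppy_plain = Filesystem("/mnt/floppy")
    floppy_nosuid = Filesystem("/mnt/floppy", nosuid=True)
    floppy_noexec = Filesystem("/mnt/floppy", nosuid=True, noexec=True)
    floppy_ctx = Filesystem("/mnt/floppy", context="removable_t")  # hypothetical type
    return {
        # the genuine newrole binary on the root filesystem
        "real_newrole": exec_decision("user_t", File("/usr/bin/newrole", root, "newrole_exec_t")),
        # attacker-crafted ext3 floppy carrying a file labelled newrole_exec_t
        "floppy_plain": exec_decision("user_t", File("/mnt/floppy/evil", floppy_plain, "newrole_exec_t")),
        "floppy_nosuid": exec_decision("user_t", File("/mnt/floppy/evil", floppy_nosuid, "newrole_exec_t")),
        # the symlink trick: sysadm_t lured into running a bin_t file on the floppy
        "nosuid_bin_t_sysadm": exec_decision("sysadm_t", File("/mnt/floppy/ls", floppy_nosuid, "bin_t")),
        "noexec_bin_t_sysadm": exec_decision("sysadm_t", File("/mnt/floppy/ls", floppy_noexec, "bin_t")),
        # single-context mount: the on-disk newrole_exec_t label is never consulted
        "floppy_context": exec_decision("user_t", File("/mnt/floppy/evil", floppy_ctx, "newrole_exec_t")),
    }


if __name__ == "__main__":
    for name, (outcome, dom) in scenarios().items():
        print(f"{name:22s} {outcome:10s} -> {dom}")
```

The nosuid case is the one worth noting: the crafted file is not merely run without a transition, it is denied outright, because once the transition is suppressed the caller needs ordinary execute permission on newrole_exec_t, which user_t does not have. The bin_t rows show why Russell still wants noexec: nosuid alone leaves sysadm_t able to run attacker-supplied code in its own domain.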
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service