SELinux Mailing List

Re: Changes to policycoreutils.

From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Mon, 20 Mar 2006 10:51:03 -0500


On Mon, 2006-03-20 at 09:51 -0500, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > It shouldn't be applied to any directory writable by an untrusted entity
> > (e.g. ~/public_html) unless you are taking some kind of safeguards to
> > prevent it from being used as a way to relabel files outside the user's
> > control via links.
> >
> >
> Not sure what you mean. It is taking into account the user's homedir.
> And the file. If public_html was not a directory it would be labeled
> user_home_t. I don't know how someone could cause the relabel to be a
> problem. I guess if the administrator was to start to add files in
> /tmp or ~/subdir/subdir/SecretFile. This could be a problem.

restorecond, restorecon, and setfiles could benefit from a rewrite to follow the more paranoid conventions of other programs that walk the file tree (e.g. look at coreutils programs like rm -r logic, which has been modified a number of times in response to security-related issues). To date, restorecon and setfiles have simply relied on policy to prevent:
- untrustworthy domains from creating hard links to files that they shouldn't be able to access in the first place, and
- restorecon/setfiles from following untrustworthy symlinks.

And we originally only expected setfiles to be applied upon installation, not for normal runtime operation.

But the code itself could provide stronger safeguards against the threat, particularly now that you are automating the invocation of restorecon-like functionality in response to user events. Again, look to what has been done already in coreutils and elsewhere. There are also recently added new syscalls to help reduce races in walking the file tree (i.e. openat and friends) - possibly there should be some for lsetxattr as well so that lsetfileconat() could be implemented?

Under strict policy, the policy restrictions over creating hard links and over following sym links help counter the risk. Under targeted policy, users are unconfined by TE, so there is no direct benefit to a malicious user in tricking restorecond into relabeling a file to a different type. But now that users are supposed to be limited by MCS restrictions in -targeted, you have to consider the risk that a malicious user might try to use this avenue to get MCS categories dropped from some target file so that he can access it.

-- 
Stephen Smalley
National Security Agency
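An added example of the kind of tree walk the message argues for (openat and friends, never resolving a symlink, and a safeguard against hard links); it is not code from this thread or from policycoreutils. The hard-link skip (st_nlink > 1) and the inode re-check after openat are assumptions about what such a rewrite would do, and the fixture it builds under /tmp is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk the tree under dirfd (ownership is taken) without ever resolving a
 * symlink; only plain, non-hard-linked regular files reach cb (may be NULL).
 * Returns the number of such files, or -1 if dirfd cannot be read. */
static int safe_walk(int dirfd, void (*cb)(int, const char *, void *), void *ctx) {
    DIR *d = fdopendir(dirfd);
    if (!d) { close(dirfd); return -1; }
    int count = 0; struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        struct stat st, st2;
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        if (fstatat(dirfd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue; /* never follow */
        if (S_ISDIR(st.st_mode)) {
            int sub = openat(dirfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            if (sub < 0) continue;
            /* the entry may have been swapped between stat and open: confirm we hold the same object */
            if (fstat(sub, &st2) == 0 && st2.st_dev == st.st_dev && st2.st_ino == st.st_ino) {
                int n = safe_walk(sub, cb, ctx);   /* sub is closed in there */
                if (n > 0) count += n;
            } else close(sub);
            continue;
        }
        /* Skip symlinks and hard-linked files: a link created in a writable
         * directory must not cause a relabel of an object outside it. */
        if (!S_ISREG(st.st_mode) || st.st_nlink > 1) continue;
        if (cb) cb(dirfd, de->d_name, ctx);   /* e.g. relabel via an O_PATH|O_NOFOLLOW fd */
        count++;
    }
    closedir(d);
    return count;
}

/* Constructed fixture: a plain file, a symlink pointing out of the tree, a
 * hard-linked pair, and a subdirectory with one plain file. Two qualify. */
int run_demo(void) {
    char dir[] = "/tmp/walkXXXXXX"; if (!mkdtemp(dir)) return -1;
    int fd = open(dir, O_RDONLY | O_DIRECTORY); if (fd < 0) return -1;
    close(openat(fd, "plain", O_CREAT | O_WRONLY, 0600));
    symlinkat("/etc/passwd", fd, "lnk");          /* target outside the tree */
    close(openat(fd, "h1", O_CREAT | O_WRONLY, 0600));
    linkat(fd, "h1", fd, "h2", 0);                /* hard-linked pair, skipped */
    mkdirat(fd, "sub", 0700);
    close(openat(fd, "sub/inner", O_CREAT | O_WRONLY, 0600));
    return safe_walk(fd, NULL, NULL);             /* -> 2: "plain" and "sub/inner" */
}
```

A relabel callback in the same spirit would open the entry with O_PATH|O_NOFOLLOW and set security.selinux through that descriptor, which is the operation an lsetfileconat() would wrap.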


Received on Mon 20 Mar 2006 - 10:46:10 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009