SELinux Mailing List
Re: Changes to policycoreutils.
From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Mon, 20 Mar 2006 10:51:03 -0500
restorecond, restorecon, and setfiles could benefit from a rewrite to
follow the more paranoid conventions of other programs that walk the
file tree (e.g. look at coreutils programs like rm -r logic, which has
been modified a number of times in response to security-related issues).
To date, restorecon and setfiles have simply relied on policy to
prevent:
And we originally only expected setfiles to be applied upon installation, not for normal runtime operation. But the code itself could provide stronger safeguards against the threat, particularly now that you are automating the invocation of restorecon-like functionality in response to user events. Again, look to what has been done already in coreutils and elsewhere. There are also recently added new syscalls to help reduce races in walking the file tree (i.e. openat and friends) - possibly there should be some for lsetxattr as well so that lsetfileconat() could be implemented?

Under strict policy, the policy restrictions over creating hard links and over following sym links help counter the risk. Under targeted policy, users are unconfined by TE, so there is no direct benefit to a malicious user in tricking restorecond into relabeling a file to a different type. But now that users are supposed to be limited by MCS restrictions in -targeted, you have to consider the risk that a malicious user might try to use this avenue to get MCS categories dropped from some target file so that he can access it.

--
Stephen Smalley
National Security Agency

Received on Mon 20 Mar 2006 - 10:46:10 EST
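The safeguards the message asks for, sketched as an added example (not code from policycoreutils or from the message's author): the entry is opened relative to a directory descriptor with openat() and O_NOFOLLOW, the object actually held is checked for hard-link aliases, and the label is set through the descriptor with fsetxattr() rather than through the lsetfileconat() the message floats. The function names, the `demo` tree and the restriction to regular files and directories are assumptions of this example; a real walker would also descend one directory at a time with openat().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Open name under dirfd without following a final symlink, then vet it. Returns fd or -errno. */
int open_for_relabel(int dirfd, const char *name) {
    struct stat st;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -errno;               /* ELOOP: final component is a symlink */
    int err = 0;
    if (fstat(fd, &st) < 0) err = errno;
    else if (S_ISREG(st.st_mode) && st.st_nlink > 1) err = EMLINK; /* hard-link alias */
    else if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) err = EINVAL; /* demo scope */
    if (err) { close(fd); return -err; }
    return fd;
}

/* Label the vetted descriptor, not a path that could be swapped in the meantime. */
int relabel_fd(int fd, const char *context) {
    return fsetxattr(fd, "security.selinux", context, strlen(context) + 1, 0) < 0 ? -errno : 0;
}

/* Constructed tree in a temp dir; returns 0 if name is accepted, else -errno. */
int demo(const char *name) {
    char dir[] = "/tmp/relabel-demo-XXXXXX";
    if (!mkdtemp(dir)) return -errno;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -errno;
    close(openat(dirfd, "plain", O_CREAT | O_WRONLY, 0600));
    close(openat(dirfd, "shared", O_CREAT | O_WRONLY, 0600));
    linkat(dirfd, "shared", dirfd, "alias", 0);   /* second name, same inode */
    symlinkat("plain", dirfd, "symlink");
    int fd = open_for_relabel(dirfd, name);
    if (fd >= 0) close(fd);
    const char *all[] = { "plain", "shared", "alias", "symlink" };
    for (int i = 0; i < 4; i++) unlinkat(dirfd, all[i], 0);
    close(dirfd);
    rmdir(dir);
    return fd >= 0 ? 0 : fd;
}

int main(void) {
    return demo("plain") == 0 && demo("symlink") == -ELOOP ? 0 : 1;
}
```

relabel_fd() is not exercised by the demo because writing security.selinux needs an SELinux-enabled system and the matching permission.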
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009