Is arbitrary access to rpm_t by sysadm_r a security problem?

Aleksey Nogin aleksey at nogin.org
Wed Mar 31 07:42:42 UTC 2004


I would imagine sysadm_r can do a lot anyway, but just in case it is a 
problem, here it is:

% id
uid=500(aleksey) gid=500(aleksey) groups=500(aleksey) context=aleksey:sysadm_r:sysadm_t
% rpm -q rpm --pipe id
uid=500(aleksey) gid=500(aleksey) groups=500(aleksey) context=aleksey:sysadm_r:rpm_t

Basically, the --pipe option to rpm seems to be giving sysadm_r full 
access to sysadm_r:rpm_t

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907


