[OT] SELinux vs. other systems [was Re: [idea] udev + selinux]
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Thu Sep 2 17:19:35 UTC 2004
On Thu, Sep 02, 2004 at 10:15:20PM +1000, Russell Coker wrote:
> > Compare that to this thread, where we are talking about atomic vs.
> > non-atomic restoration of context for udev-mounted temp file systems.
> > Shudder. This seems to be begging for an exploit to be discovered.
> > Are we sure that SELinux is really on the right track here?
>
> The original udev implementation had the device nodes relabelled after
> creation. As of recent times (since 2002) the default SE Linux policy has
> denied almost all domains (only two system domains) access to device nodes
> labelled as device_t. This means that there is no window of opportunity for
> an attacker to access a device before it is correctly labelled.
>
> The worst race condition attack would be a DOS attack, cause an access at the
> wrong time and have it be denied when otherwise it would be permitted. This
> is the least serious of all possible problems related to device labelling.
... and with the use of matchpathcon() followed by setfscreatecon(), it isn't even that: inode, symlink and directory creation plus file-context setting are done as an atomic operation. Problem goes away.

The _old_ SELinux udev support (0.024), on the other hand, suffered from the big-deal DoS attack that Russell describes above.

l.
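The two orderings under discussion, as an added example that is not udev's or libselinux's own code: the old create-then-relabel sequence (where the node sits with the default label until the relabel lands) beside the fixed sequence that sets the process file-creation context before the node is created. It assumes the libselinux calls is_selinux_enabled(), matchpathcon(), setfscreatecon(), setfilecon() and freecon() with their documented signatures, and that the old udev relabelled with setfilecon() (an assumption; the thread only says "relabelled after creation"). On a machine with libselinux it builds with `cc demo.c -lselinux`; without the headers it falls back to hypothetical stand-ins that report SELinux as disabled, so the FIFO self-check below still runs unprivileged.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__has_include)
#  if __has_include(<selinux/selinux.h>)
#    include <selinux/selinux.h>
#    define HAVE_LIBSELINUX 1
#  endif
#endif
#ifndef HAVE_LIBSELINUX
/* Hypothetical stand-ins so the file builds without libselinux (assumption for
 * the offline build only): they behave as if SELinux were disabled. */
static int is_selinux_enabled(void) { return 0; }
static int matchpathcon(const char *p, mode_t m, char **con) { (void)p; (void)m; *con = NULL; return -1; }
static int setfscreatecon(const char *con) { (void)con; return -1; }
static int setfilecon(const char *p, const char *con) { (void)p; (void)con; return -1; }
static void freecon(char *con) { free(con); }
#endif

/* Old (udev 0.024-era) ordering: create first, relabel afterwards.  Between
 * mknod() and setfilecon() the node carries the filesystem default label
 * (device_t under the policy Russell describes), so a legitimate access in
 * that window is denied: the DoS, not a privilege gain. */
int create_node_then_relabel(const char *path, mode_t mode, dev_t dev)
{
    if (mknod(path, mode, dev) != 0)
        return -1;
    if (is_selinux_enabled() > 0) {
        char *con = NULL;
        if (matchpathcon(path, mode, &con) != 0)
            return -1;
        int rc = setfilecon(path, con);   /* window is open until here */
        freecon(con);
        if (rc != 0)
            return -1;
    }
    return 0;
}

/* Fixed ordering: ask the policy (matchpathcon) which context this path
 * should get, install it as the process file-creation context, then create.
 * The kernel labels the inode in the same operation that creates it. */
int create_node_labeled(const char *path, mode_t mode, dev_t dev)
{
    char *con = NULL;
    int labelled = 0;

    if (is_selinux_enabled() > 0) {
        /* With SELinux on, refuse to create a node we cannot label correctly. */
        if (matchpathcon(path, mode, &con) != 0 || setfscreatecon(con) != 0) {
            freecon(con);   /* freecon(NULL) is a no-op */
            return -1;
        }
        labelled = 1;
    }

    int rc = mknod(path, mode, dev);
    int saved_errno = errno;

    if (labelled) {
        setfscreatecon(NULL);   /* always reset, even when mknod() failed */
        freecon(con);
    }
    errno = saved_errno;
    return rc;
}

/* Self-check that needs no root: mknod() of a FIFO is unprivileged.  Creates a
 * node with each ordering under /tmp, verifies it, removes it.  Returns 0 on
 * success, a negative step number on failure. */
int demo_both_orderings(void)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/tmp/udev_label_demo_%ld", (long)getpid());

    if (create_node_labeled(path, S_IFIFO | 0600, 0) != 0) return -1;
    if (stat(path, &st) != 0 || !S_ISFIFO(st.st_mode)) return -2;
    unlink(path);

    if (create_node_then_relabel(path, S_IFIFO | 0600, 0) != 0) return -3;
    if (stat(path, &st) != 0 || !S_ISFIFO(st.st_mode)) return -4;
    unlink(path);
    return 0;
}

int main(void)
{
    int rc = demo_both_orderings();
    printf("%s\n", rc == 0 ? "both orderings created and removed the node" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The point worth keeping from the fixed version is the error handling around the create call: the file-creation context is reset with setfscreatecon(NULL) on every path out, so a failed mknod() cannot leave the daemon creating its next, unrelated file with a device label.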
More information about the fedora-selinux-list mailing list