/sbin/restorecon and hard links

Stephen Smalley sds at tycho.nsa.gov
Wed Feb 15 16:07:28 UTC 2006


On Wed, 2006-02-15 at 07:44 -0800, John Reiser wrote:
> Stephen Smalley wrote:
> > BTW, it is important to remember here that targeted policy doesn't try
> > to confine users (just specific programs and daemons) and that
> > relabeling /etc/passwd or other system files doesn't give the user any
> > greater access since he is already unconfined as far as SELinux is
> > concerned.
> 
> That's true for SELinux policy itself.  However, the linux kernel _does_
> confine users, independent of "external [to the kernel]" SELinux policy,
> as an unavoidable part of the complete selinux package.  Namely, the
> restrictions on execmod and execmem can make life difficult for legitimate
> software which uses non-mainstream techniques to achieve higher performance
> and/or create a richer debugging environment.  Even in targeted mode,
> SELinux has greater-than-zero operational costs for non-targeted software.

The exec* checks are a bit different in that they are primarily
protecting the user from malicious activity (e.g. preventing his stack
from being made executable) rather than protecting the system against a
malicious user.  So the original poster was worried about a user
maliciously hard linking to /etc/passwd in order to trick restorecon run
by root later into mislabeling the file, but that doesn't create any
greater exposure than already existed since the user was already
unconfined by SELinux (but still limited by Linux DAC, so regardless of
the SELinux label, the user still couldn't write to /etc/passwd).
Whereas under strict policy, the user would be confined, and wouldn't be
allowed to hard link to /etc/passwd in the first place.

-- 
Stephen Smalley
National Security Agency
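To make the mechanism discussed in this thread concrete, the following is an added example of my own, not code from the thread, from restorecon or from the policycoreutils project. It builds a stand-in for /etc/passwd inside a temporary directory (constructed sample content, not the real file), hard links it from a second path, and shows why a path-driven relabeling pass matters: both names resolve to the same inode, so metadata set through either name (here DAC mode bits, used as a portable stand-in for the SELinux label stored in the inode's security xattr) shows up on the other. The `relabel_is_safe` check is a hypothetical guard of the kind a relabeling tool could apply: refuse to relabel a regular file whose link count is greater than one, since the label it would write belongs to an inode reachable from other paths.

```python
import os
import stat
import tempfile

# Constructed sample content standing in for /etc/passwd; not the real file.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"


def same_inode(path_a, path_b):
    """True if both paths name the same inode on the same device."""
    a, b = os.stat(path_a), os.stat(path_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def relabel_is_safe(path):
    """Hypothetical guard for a path-driven relabeler.

    A regular file with more than one hard link may also be reachable
    from a path whose file_contexts match differs from this one, so the
    label computed from this path cannot be trusted for the inode.
    Directories cannot be hard linked, so they are always accepted.
    """
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        return True
    return st.st_nlink == 1


def demo():
    """Build the scenario in a scratch directory and report what is shared."""
    with tempfile.TemporaryDirectory() as scratch:
        # Stand-in for the system file, owned by whoever runs this script.
        system_file = os.path.join(scratch, "etc_passwd")
        with open(system_file, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        os.chmod(system_file, 0o644)
        original_mode = stat.S_IMODE(os.stat(system_file).st_mode)

        # Stand-in for a link created under a user's home directory.
        user_link = os.path.join(scratch, "home_user_passwd")
        os.link(system_file, user_link)

        # Metadata written through the link lands on the shared inode.
        # Mode bits stand in here for the security label restorecon writes.
        os.chmod(user_link, 0o600)
        mode_seen_via_original = stat.S_IMODE(os.stat(system_file).st_mode)

        return {
            "same_inode": same_inode(system_file, user_link),
            "link_count": os.stat(system_file).st_nlink,
            "owner_matches": os.stat(system_file).st_uid == os.stat(user_link).st_uid,
            "mode_before": original_mode,
            "mode_seen_via_original": mode_seen_via_original,
            "safe_to_relabel_original": relabel_is_safe(system_file),
            "safe_to_relabel_via_link": relabel_is_safe(user_link),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `owner_matches` entry is the other half of the reply above: ownership and mode bits live on the inode too, so a DAC decision about writing the file comes out the same whichever name is used, which is why the link changes the label exposure but not the user's write access.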



