Untrusted content domain

Ivan Gyurdiev ivg2 at cornell.edu
Wed May 11 01:34:36 UTC 2005

> Would it be OK to figure out a certain set of permissions that is OK for
> random untrusted software to use. For instance Flash developers get a lot
> of mileage out of the ability to write fun games that operate entirely
> inside the Flash sandbox which is pretty restrictive, it seems like there
> should be some level of control we can give programs so that humanity's
> innate urge to distribute electronic greetings cards can be satisfied
> securely :)

Mozilla is allowed to execute downloaded content right now...
I think for Java it transitions to a special javaplugin domain.
I suppose the same thing can be set up for Flash, if necessary.

> The thing I'm not really sure about is why preventing programs from
> accessing downloaded data files is useful. If you know you can overflow a
> program with malicious data the only sure protection is to fix the app,
> right? It seems a bit different to viruses which are actually programs.

Fixing the app is one aspect of security, and probably the most
important one. However, it might not always be possible - what about
third-party closed software? Besides, maybe you just don't trust the
app, and you don't want to allow it to handle potentially hostile
content. SELinux is mostly about containment, and allowing the sysadmin
to control interactions between various domains and objects. If we can
give the sysadmin a say in how potentially hostile content is handled,
I think we should.

Basically, the content you download from the Internet
has to be labeled somehow, and the current labeling scheme is not
appropriate IMHO. I want to set up a better labeling scheme. I don't
know at this point exactly how it might be taken advantage of,
but I'm sure there are all kinds of things that can be done to improve
security, with a common hostile content type, as opposed to multiple
hostile content types, or worse, no differentiation from ROLE_home_t.

By the way, since you're involved with CodeWeavers - does all of Wine
require text relocations? If so, it needs to be marked textrel_shlib_t.
I should probably file a policy bug, because it doesn't work at all
under SELinux strict - I use Wine quite a lot (games on Linux!),
and it's annoying that I have to turn SELinux off all the
time to make use of it.

# Print every Wine shared object whose dynamic section contains a TEXTREL entry
for FILE in /usr/local/lib/wine/*.so; do
    if [ -n "$(readelf -d "$FILE" | grep TEXTREL)" ]; then
        echo "$FILE"
    fi
done

(result: everything)

wine: failed to initialize: /usr/local/lib/wine/ntdll.dll.so: cannot
restore segment prot after reloc: Permission denied

Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University
