/proc {getattr} failures
Russell Coker
russell at coker.com.au
Wed May 25 05:32:34 UTC 2005
On Wednesday 25 May 2005 03:06, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 24 May 2005 10:47:12 EDT, Stephen Smalley said:
> > On Sun, 2005-05-22 at 21:53 -0400, Valdis.Kletnieks at vt.edu wrote:
> > > Am I the only one here who thinks that this is really something that
> > > can't be supported in the context of the 'targeted' policy, and would
> > > be much easier to do in 'strict'?
> >
> > It shouldn't be done at all, other than to dontaudit these attempts. No
> > legitimate reason for a CGI script to be probing init's /proc/pid files.
>
> I've always been leery of using dontaudit to shut things up - it means that
> there's a possibility that we miss the early warning signs of an actual
> attack.
If you want to complain about dontaudit then look for file_type -
secure_file_type as the thing you want to complain about.
> I wonder if the cgi script is just doing something like 'ps ax|grep
> mydaemon' to see if a daemon is running...
If the cgi script does "ps ax" as a regular operation then there's no way to
determine the difference between that and "ps ax" for a hostile operation.
Some people don't have cgi scripts running ps. We could have a boolean about
this, but if so then the number of booleans would explode and become
unmanagable.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list