selinux diversion [was Re: Usermode request: add patch enabling group membership to control auth user]

Stephen Smalley sds at epoch.ncsc.mil
Fri Apr 16 15:38:37 UTC 2004


On Fri, 2004-04-16 at 11:24, Matthew Miller wrote:
> Yep. I'm just increasingly unsure about the implementation. If a SELinux
> configuration can allow a user to access things that would normally be
> denied by traditional Unix security, that's *crazy*.

At present, the SELinux kernel mandatory access controls only further
restrict what can be done, e.g. to perform some privileged operation,
you need to be uid 0 (or have the necessary Linux capability) _and_ have
the right role/domain.  That was done to reduce the risk that SELinux
would ever undermine the existing system security.  As for the usermode
SELinux code, I can't directly speak to it, as it was written by RedHat,
but I think that they did alter the authentication scheme to
re-authenticate the user (if the user has a SELinux user identity, and
is not just being mapped to user_u) when SELinux was enabled rather than
root, since they could use the SELinux role authorizations to control
use and wanted to avoid having to give the root password to all users of
userhelper.

In the long term, the requirement for uid 0 is undesirable; we
ultimately want to be able to completely manage privileges via the
SELinux role-based access control and type enforcement policies and
eliminate the need for uid 0; see
http://www.securecomputing.com/pdf/secureos.pdf for a comparison of
POSIX.1e capabilities and Type Enforcement for such privilege
management.  But before we can do this safely, we need to ensure that
userland has been appropriately adjusted (some of this has already been
done, e.g. glibc secure mode for SELinux transitions, pam_rootok SELinux
checking, etc), and that the policy is properly configured to fully
manage privileges.  Hence, I don't expect this to happen for some time.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
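The point Stephen makes at the top, that the kernel SELinux checks sit on top of the traditional uid 0/capability checks and can only narrow them, can be shown with a small model.  The following is an added example written for this page; it is not code from the post, from the SELinux tree, or from the Red Hat usermode package.  It parses the `user:role:type[:level]` context string format that the kernel exposes in `/proc/<pid>/attr/current` (the level field is optional and, under MLS policies, itself contains colons), flags the generic `user_u` identity mentioned in the post, and composes a DAC decision with a MAC decision over a constructed allow table.  The capability bitmask, the `CAP_SETUID_BIT` constant, the rule table and the helper names are all assumptions made for the illustration, not kernel or policy identifiers.

```c
/*
 * Added example (not from the original mailing-list post): a model of how the
 * SELinux kernel MAC decision composes with traditional DAC, plus a parser for
 * the "user:role:type[:level]" security-context string the kernel exposes in
 * /proc/<pid>/attr/current.  The allow table and capability bit below are
 * constructed for illustration; they are not real policy or kernel values.
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define CTX_FIELD_MAX 64

struct selinux_ctx {
    char user[CTX_FIELD_MAX];
    char role[CTX_FIELD_MAX];
    char type[CTX_FIELD_MAX];
    char level[CTX_FIELD_MAX];   /* empty when the context carries no level */
};

/* Parse "user:role:type[:level]".  user, role and type are mandatory; the
 * optional level is everything after the third colon and may itself contain
 * colons (MLS ranges such as "s0-s0:c0.c1023").  Returns 0 on success, -1 on a
 * malformed string (missing or empty field, trailing colon, field too long). */
int parse_context(const char *s, struct selinux_ctx *out)
{
    char *fields[3] = { out->user, out->role, out->type };
    memset(out, 0, sizeof *out);
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(s, ':');
        size_t len = colon ? (size_t)(colon - s) : strlen(s);
        if (len == 0 || len >= CTX_FIELD_MAX)
            return -1;
        memcpy(fields[i], s, len);
        fields[i][len] = '\0';
        if (!colon)
            return i == 2 ? 0 : -1;   /* no more fields: ok only after type */
        s = colon + 1;
    }
    if (*s == '\0' || strlen(s) >= CTX_FIELD_MAX)
        return -1;                    /* "u:r:t:" with nothing after it */
    strcpy(out->level, s);
    return 0;
}

/* The post's "just being mapped to user_u": a process whose Linux user has no
 * SELinux user identity of its own runs under the generic user_u identity. */
bool is_generic_user(const struct selinux_ctx *ctx)
{
    return strcmp(ctx->user, "user_u") == 0;
}

/* DAC side of a privileged operation: uid 0 or the relevant capability.
 * The capability set is modelled as a plain bitmask (hypothetical bit). */
#define CAP_SETUID_BIT (1u << 0)

bool dac_permits(unsigned uid, unsigned caps, unsigned needed_cap)
{
    return uid == 0 || (caps & needed_cap) != 0;
}

/* MAC side: a constructed table of (role, domain) pairs allowed to perform
 * the operation.  A real policy would express this as type-enforcement rules. */
struct allow_rule { const char *role; const char *type; };
static const struct allow_rule privileged_rules[] = {
    { "sysadm_r", "sysadm_t" },
};

bool mac_permits(const struct selinux_ctx *ctx)
{
    size_t n = sizeof privileged_rules / sizeof privileged_rules[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(ctx->role, privileged_rules[i].role) == 0 &&
            strcmp(ctx->type, privileged_rules[i].type) == 0)
            return true;
    return false;
}

/* Composition as described in the post: both DAC and the SELinux policy must
 * allow.  SELinux can only deny what DAC would have allowed; a MAC allow for a
 * non-root process without the capability grants nothing. */
bool privileged_op_permitted(unsigned uid, unsigned caps, unsigned needed_cap,
                             const char *context)
{
    struct selinux_ctx ctx;
    if (!dac_permits(uid, caps, needed_cap))
        return false;
    if (parse_context(context, &ctx) != 0)
        return false;                 /* unparsable context: fail closed */
    return mac_permits(&ctx);
}

int main(void)
{
    /* Constructed contexts for a quick stand-alone run. */
    printf("root in sysadm_r:sysadm_t -> %d\n",
           privileged_op_permitted(0, 0, CAP_SETUID_BIT, "root:sysadm_r:sysadm_t"));
    printf("root in user_r:user_t     -> %d\n",
           privileged_op_permitted(0, 0, CAP_SETUID_BIT, "root:user_r:user_t"));
    printf("uid 500, no cap, sysadm   -> %d\n",
           privileged_op_permitted(500, 0, CAP_SETUID_BIT, "user_u:sysadm_r:sysadm_t"));
    return 0;
}
```

The two middle cases are the ones the post is about: root confined to `user_r:user_t` is denied even though DAC would allow, while an unprivileged uid in the right role and domain is still denied because DAC says no.  Removing the uid 0 requirement, as the post describes for the long term, would amount to dropping the `dac_permits` call and letting `mac_permits` decide alone.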

More information about the fedora-test-list mailing list