[redhat-lspp] New pam src rpm with namespace
Serge E. Hallyn
serue at us.ibm.com
Fri Feb 17 13:29:33 UTC 2006
Quoting Russell Coker (rcoker at redhat.com):
> On Thu, 2006-02-16 at 08:32 -0500, Stephen Smalley wrote:
> > On Thu, 2006-02-16 at 11:08 +1100, Russell Coker wrote:
> > > Might it be time to split sys_admin capability?
> > >
> > > sshd by it's nature needs network access and therefore is something we
> > > want to lock down as much as possible. sys_admin gives a heap of access
> > > and we certainly don't want to permit all that if we can avoid it.
> > >
> > > Below are the sys_admin items which don't seem to be restricted by other
> > > parts of SE Linux policy.
> >
> > And no doubt that is only a partial list, as people are unlikely to have
> > documented all uses of CAP_SYS_ADMIN in capability.h.
>
> It's even worse than I thought then.
>
> > Might be easier to just move the mount/umount processing from being
> > directly done by the pam_namespace module into a helper program, and run
> > that in its own domain separate from sshd and other callers.
>
> Contrary to the opinion of other people here, I believe that is
> possible.
>
> We could have sshd execute a binary (with an appropriate
> domain_auto_trans()) that will call unshare() and then launch the user
> session. The binary in question could take a parameter to specify the
> context of the session, it would then relabel the controlling terminal,
> set the execcon for executing the shell, and call unshare().
>
> As we already have SE Linux and audit patches in sshd I think there's a
> strong precedent for this type of thing. It would significantly
> decrease the level of system access granted to sshd (removing access to
> relabel ttys among other things).
>
> If this is considered a reasonable idea I'll write the patch for sshd.
Sounds like a good idea to me. The other thing of course - which could
be done in addition to this - would be to have unshare be checked by an
LSM hook, security_task_unshare(), which in capability.c happens to
check CAP_SYS_ADMIN, but in selinux checks for
self:process unshare
and doesn't propagate the check to capability.
But if the same helper would unshare and mount, then I guess it may not
be worthwhile.
-serge
More information about the redhat-lspp
mailing list