[redhat-lspp] New pam src rpm with namespace

Serge E. Hallyn serue at us.ibm.com
Fri Feb 17 13:29:33 UTC 2006 

Quoting Russell Coker (rcoker at redhat.com):
> On Thu, 2006-02-16 at 08:32 -0500, Stephen Smalley wrote:
> > On Thu, 2006-02-16 at 11:08 +1100, Russell Coker wrote:
> > > Might it be time to split sys_admin capability?
> > > 
> > > sshd by it's nature needs network access and therefore is something we
> > > want to lock down as much as possible.  sys_admin gives a heap of access
> > > and we certainly don't want to permit all that if we can avoid it.
> > > 
> > > Below are the sys_admin items which don't seem to be restricted by other
> > > parts of SE Linux policy.
> >  
> > And no doubt that is only a partial list, as people are unlikely to have
> > documented all uses of CAP_SYS_ADMIN in capability.h.
> 
> It's even worse than I thought then.
> 
> > Might be easier to just move the mount/umount processing from being
> > directly done by the pam_namespace module into a helper program, and run
> > that in its own domain separate from sshd and other callers.
> 
> Contrary to the opinion of other people here, I believe that is
> possible.
> 
> We could have sshd execute a binary (with an appropriate
> domain_auto_trans()) that will call unshare() and then launch the user
> session.  The binary in question could take a parameter to specify the
> context of the session, it would then relabel the controlling terminal,
> set the execcon for executing the shell, and call unshare().
> 
> As we already have SE Linux and audit patches in sshd I think there's a
> strong precedent for this type of thing.  It would significantly
> decrease the level of system access granted to sshd (removing access to
> relabel ttys among other things).
> 
> If this is considered a reasonable idea I'll write the patch for sshd.

Sounds like a good idea to me.  The other thing of course - which could
be done in addition to this - would be to have unshare be checked by an
LSM hook, security_task_unshare(), which in capability.c happens to
check CAP_SYS_ADMIN, but in selinux checks for

	self:process unshare

and doesn't propagate the check to capability.

But if the same helper would unshare and mount, then I guess it may not
be worthwhile.

-serge

More information about the redhat-lspp mailing list