lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 17 Apr 2007 13:19:54 -0700 (PDT)
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Andi Kleen <andi@...stfloor.org>, James Morris <jmorris@...ei.org>
Cc:	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: AppArmor FAQ


--- Andi Kleen <andi@...stfloor.org> wrote:

> On Tue, Apr 17, 2007 at 01:47:39PM -0400, James Morris wrote:
> > Normal applications need zero modification under SELinux.
> > 
> > Some applications which manage security may need to be made SELinux-aware, 
> 
> Anything that can touch /etc/resolv.conf? That's potentially a lot of
> binaries
> if you consider anything scripts could do with it.

Well, no, you don't have to modify everything that might modify resolv.conf.
You do have to define your policy so that the set of things that might
modify resolv.conf is limited to the set of things that are appropriate.

You also need to note that SELinux has a notion of privilege that is
different from what is traditional. The ability to modify resolv.conf
is determined by the domain containing it and the relationship of the
domain containing the application to that domain, modified by any
domain transitions that may have occured to the process prior to or
during the attempted access.

> > although this can often be done with PAM plugins, which is a standard way 
> > to do this kind of thing in modern Unix & Linux OSs.
> 
> PAM plugins in vi and emacs? Scary idea.
> 
> And what do you do if someone decides to use OpenOffice to edit their
> /etc/resolv.conf? For a lot of people that's the only text editor 
> they know.

For SELinux to be effective it has to have a complete policy definition.
This would prevent the OpenOffice access (unless OpenOffice is in the
modify_resolv_conf_t domain) above.

This, by the way, is a fundimental advantage of a path scheme over a
label scheme in that label schemes require every object be labeled
(it's Section 3.1.1.3 of the TCSEC if you want to look it up) while a
path scheme (in the absences of a published requirement) only requires
those names it cares about. SELinux in the absence of a correct and
complete policy could be considered dangerous.


Casey Schaufler
casey@...aufler-ca.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ