From: antoine <antoine@nagafix.co.uk>
To: ivg2@cornell.edu
Cc: SELinux <selinux@tycho.nsa.gov>, walters@redhat.com
Subject: Re: mdadm policy
Date: Fri, 24 Jun 2005 19:02:40 +0100
Message-ID: <1119636160.9645.46.camel@localhost>
In-Reply-To: <1119635200.31852.16.camel@celtics.boston.redhat.com>

On Fri, 2005-06-24 at 13:46 -0400, Ivan Gyurdiev wrote:
> > Well that's no comfort at all, mdadm_t domain has the ability to access
> > raw disks and send mail... That's worrying enough.
> 
> I don't see anything about sending mail, but perhaps
> I'm not looking hard enough. You're talking about adding this
> privilege?
Sorry, sending mail is not actually a function of mdadm (in code), it is
just a configuration option that pipes to sendmail:

From the man page:

MAILADDR
The mailaddr line gives an E-mail address that alerts should be sent to
when mdadm is running in --monitor mode (and was given the --scan option).
There should only be one MAILADDR line and it should have only one
address.

PROGRAM
The program line gives the name of a program to be run when mdadm
--monitor detects potentially interesting events on any of the arrays
that it is monitoring.
This program gets run with two or three arguments, they being the Event,
the md device, and possibly the related component device.
There should only be one program line and it should be given only one
program.


So it looks to me like the transition to sendmail should always be
included - well actually, ifdef(mta.te).

> > # RAID block device access
> > allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
> 
> hmm..yes..
> 
> Well, in this case, mdadm_t is the trusted domain,
> and you *want* to transition it to other domains upon execution
> of something that you don't trust.
> 
> So yes, if you want to send mail, you would add
> a transition like this:
> domain_auto_trans(mdadm_t, sendmail_exec_t, sendmail_t (or whatever..))
> 
> What is this PROGRAM configurable option - can you describe in more 
> detail. I don't know anything about mdadm.
> 
> > I will tweak my policy to make it run sendmail in
> > sendmail_t and nothing else. That's safer than mdadm_t.
> 
> Perhaps this is something that should be in default policy - it
> sounds like a good threat model.

What should be the domain to transition to upon execution of bin/sbin?
Rather than using can_exec, I believe it should be:
domain_auto_trans(mdadm_t, bin_t, that_domain_t)
domain_auto_trans(mdadm_t, sbin_t, that_domain_t)
But personally, I'll leave that out and rely on the email notification.

Antoine
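
Added example, not part of the original message or of the SELinux policy sources: a small audit of mdadm.conf text that finds the MAILADDR and PROGRAM directives quoted above and lists the domain_auto_trans rules the thread discusses for each. The bin_t/sbin_t guess from the path and the sample configuration are assumptions made for illustration; that_domain_t is the message's own placeholder.

```python
# Added example: audit mdadm.conf for directives that make mdadm --monitor
# execute other programs, and list the transitions discussed in the message.
SENDMAIL_RULE = "domain_auto_trans(mdadm_t, sendmail_exec_t, sendmail_t)"
PROGRAM_RULE = "domain_auto_trans(mdadm_t, {}, that_domain_t)"


def guess_exec_type(path):
    # Assumption: anything under an sbin directory is labeled sbin_t, the rest
    # bin_t. The real label comes from the file contexts (check with ls -Z).
    return "sbin_t" if "sbin" in path.split("/") else "bin_t"


def audit_mdadm_conf(text):
    """Return (rules, warnings) for the MAILADDR and PROGRAM lines in text."""
    seen = {"MAILADDR": [], "PROGRAM": []}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()  # simplification: '#' starts a comment
        if words and words[0].upper() in seen:
            seen[words[0].upper()].append(words[1:])

    rules, warnings = [], []
    for key, entries in seen.items():
        if len(entries) > 1:
            warnings.append(f"{key}: more than one line")
        if any(len(args) != 1 for args in entries):
            warnings.append(f"{key}: expected exactly one value per line")
    if seen["MAILADDR"]:
        rules.append(SENDMAIL_RULE)  # alerts are piped to sendmail
    for args in seen["PROGRAM"]:
        for path in args[:1]:
            rules.append(PROGRAM_RULE.format(guess_exec_type(path)))
            warnings.append(f"PROGRAM: {path} is executed by mdadm_t; pick a target domain")
    return rules, warnings


# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
DEVICE /dev/sd[ab]1
ARRAY /dev/md0 devices=/dev/sda1,/dev/sdb1
MAILADDR root@localhost   # one address only
PROGRAM /usr/sbin/handle-mdadm-events
"""

if __name__ == "__main__":
    rules, warnings = audit_mdadm_conf(SAMPLE_CONF)
    print("\n".join(rules + warnings))
```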

