All of lore.kernel.org
 help / color / mirror / Atom feed
From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: SE Linux <selinux@tycho.nsa.gov>
Cc: Daniel J Walsh <dwalsh@redhat.com>
Subject: Shell redirection and denials
Date: Mon, 08 Oct 2007 15:08:57 -0400	[thread overview]
Message-ID: <1191870537.14569.23.camel@localhost.localdomain> (raw)

One of Dan's constant sources of avcs is something like:

/usr/sbin/my_confined_app > some_file

Because the file is created by the shell, opened, and the FD handed to
the application avcs can occur on read and write.

Getting rid of these via policy is next to impossible - the destination
file type is usually governed by the directory and we don't actually
want to allow that access directly to the confined application. I'd like
to see if there is some other way to get rid of these denials.

I see two possible solutions:

1) Make the shell create and pass a descriptor to a pipe to the
application - the shell itself would read / write to the file. This
seems, to me, to more accurately reflect how we want to enforce the
permissions.

2) Allow applications to confer access by passing the file descriptor
(more like capabilities). This more closely matches how Unix actually
works and, of course, is a huge source of vulnerabilities. Allowing this
type of scheme just for shells might not be that bad.

Has either of these been investigated? 1 seems pretty simple - is there
something I'm missing here (perhaps the redirection should outlast the
shell lifetime?).

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

             reply	other threads:[~2007-10-08 19:09 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-08 19:08 Karl MacMillan [this message]
2007-10-09 14:23 ` Shell redirection and denials Daniel J Walsh
2007-10-09 16:55   ` Stephen Smalley
2007-10-10  7:10     ` Kroum Antov
2007-10-10 12:00       ` Stephen Smalley
2007-10-10 16:04         ` Daniel J Walsh
2007-10-10 16:18           ` Stephen Smalley
2007-10-09 14:37 ` Stephen Smalley
2007-10-09 15:04   ` Karl MacMillan
2007-10-09 17:17     ` Christopher J. PeBenito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1191870537.14569.23.camel@localhost.localdomain \
    --to=kmacmillan@mentalrootkit.com \
    --cc=dwalsh@redhat.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.