Re: Silly audit2allows - Christopher J. PeBenito

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: w.chimiak@ieee.org, selinux <selinux@tycho.nsa.gov>
Subject: Re: Silly audit2allows
Date: Mon, 25 Feb 2008 15:50:26 -0500	[thread overview]
Message-ID: <1203972626.32061.145.camel@gorn> (raw)
In-Reply-To: <47C320D9.9030102@redhat.com>

On Mon, 2008-02-25 at 15:11 -0500, Daniel J Walsh wrote:
> Bill Chimiak wrote:
> > 3. Are any of these potentially dangerous (my apologies if this is a stupid 
> > request)?

> > allow fsdaemon_t urandom_device_t:chr_file read;
> fsdaemon reading /dev/urandom - Not dangerous

Right, not dangerous.  Generally it could only be a problem if you were
concerned about the domain draining all of the entropy in order to DoS
apps that use /dev/random.

> > allow groupadd_t devpts_t:chr_file { read write };
> groupadd read/write of a generice pty. Not dangerous, since what
> groupadd can do is far more dangerous.
[...]
> > allow semanage_t devpts_t:chr_file { read write };
> > allow setfiles_t devpts_t:chr_file { read write };
> > allow useradd_t devpts_t:chr_file { read write };
> All three of these are trying to read/write pty that has generic label.
>  Nothing to worry about since these domains can do much more interesting
> damage.

That's true if you look at as the domain doing malicious things to the
terminal.  Another way to look at it would be that these privileged
domains could be influenced by malicious data they read from a user's
terminal.  So if you don't care about the latter than its not a problem.
If you're running all unconfined users, then you trust the users and it
definitely isn't a problem.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

     prev parent reply	other threads:[~2008-02-25 20:52 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-25 18:11 Silly audit2allows Bill Chimiak
2008-02-25 19:06 ` Joe Nall
2008-02-25 20:11 ` Daniel J Walsh
2008-02-25 20:50   ` Christopher J. PeBenito [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1203972626.32061.145.camel@gorn \
    --to=cpebenito@tresys.com \
    --cc=dwalsh@redhat.com \
    --cc=selinux@tycho.nsa.gov \
    --cc=w.chimiak@ieee.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.