From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2]: fix packagekit file context (standard location for the daemon)
Date: Wed, 27 Jun 2012 20:28:00 +0200 [thread overview]
Message-ID: <1340821680.2819.20.camel@vortex> (raw)
In-Reply-To: <1340817239.27654.5.camel@x220.mydomain.internal>
Hello again Dominick.
On Wed, 2012-06-27 at 19:13 +0200, Dominick Grift wrote:
> On Wed, 2012-06-27 at 18:59 +0200, Guido Trentalancia wrote:
> > an hijacked copy of
> > policykitd installed in the other location would be able to run with the
> > same permissions as the trusted packagekitd without the user noticing
> > anything.
>
> It would not have to be installed in the other location for it to be
> able to do damage. Same thing could also happen with a single location.
Yes, although it's a little bit more difficult to detect. That's why, I
was suggesting to introduce an optional last field for enforceable
hash-based digest verification (at that point only heuristic run-time
analysis would be missing).
> This is why it is important to only install packages from trusted
> sources. SELinux is no substitute for that imho.
Yes, it's an unsigned package therefore an hijacked version could be
easily be injected while in transit on the network(s) as a substitute
for the authentic version by a man in the middle.
The last thing I can add is that 0.6.x is apparently considered as
stable (it should follow the even/stable odd/unstable rule), therefore
you now have all the information to make an (informed) choice about it.
> Think about it, a distro like Fedora has modules for all kinds of
> services and applications of which many you may not even have installed:
I am not using Fedora.
> example:
>
> # semanage fcontext -l | grep unconfined_exec_t
> /usr/bin/vncserver regular file
> system_u:object_r:unconfined_exec_t:s0
> /usr/sbin/xrdp regular file
> system_u:object_r:unconfined_exec_t:s0
> /usr/sbin/xrdp-sesman regular file
> system_u:object_r:unconfined_exec_t:s0
It should possible to turn off individual modules as long as there is
enough granularity in modules. But, to be honest, I have not tested
whether or not that always behaves as expected.
Regards,
Guido
next prev parent reply other threads:[~2012-06-27 18:28 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-20 15:56 [refpolicy] [PATCH]: fix packagekit file context (standard location for the daemon) Guido Trentalancia
2012-06-21 1:09 ` [refpolicy] [PATCH v2]: " Guido Trentalancia
2012-06-26 13:44 ` Christopher J. PeBenito
2012-06-26 13:50 ` Dominick Grift
2012-06-26 14:06 ` Christopher J. PeBenito
2012-06-26 19:39 ` Guido Trentalancia
2012-06-26 19:45 ` Dominick Grift
2012-06-27 16:59 ` Guido Trentalancia
2012-06-27 17:13 ` Dominick Grift
2012-06-27 18:28 ` Guido Trentalancia [this message]
2012-06-27 17:32 ` Guido Trentalancia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1340821680.2819.20.camel@vortex \
--to=guido@trentalancia.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.