From: Dmitry Bogatov <KAction@debian.org>
To: Jason Zaman <jason@perfinion.com>, 929063@bugs.debian.org
Cc: Laurent Bigonville <bigon@debian.org>,
selinux@vger.kernel.org, kaction@debian.org
Subject: Re: Bug#929063: SELinux integration in sysVinit
Date: Wed, 29 May 2019 03:40:42 +0000 [thread overview]
Message-ID: <1559104433.284129.14732@localhost> (raw)
In-Reply-To: <20190524130015.GA25786@baraddur.perfinion.com>
[ Sorry, if I messed quotation. It is complex ]
[2019-05-24 21:00] Jason Zaman <jason@perfinion.com>
> > > There is currently some discussion at [0] about SELinux
> > > integration in sysVinit and the fact that somebody wants to
> > > delegate the loading of the policy to an other binary than PID1.
> > >
> > > Has somebody a remark or an objection to that proposal?
> >
> > I object too. There is a *huge* change in functionality. Originally if
> > you boot with SELinux enforcing, there are only two things that can
> > happen. Either you end up with the policy loaded or the machine halts.
> >
> > In the new patch, an attacker can just chmod -x /sbin/selinux-check then
> > next boot there will be no selinux enabled.
> >
> > if (access(SELINUX_CHECK, X_OK) != 0) fails, the machine will continue
> > to boot without SELinux enabled. There is no difference between a user
> > without /sbin/selinux-check on purpose and an attacker just chmod -x'd
> > the tool.
> >
> > SELinux does not protect /sbin anywhere near as much as /etc/selinux
> > (and doing that would probably be impossible). You'd need to check if
> > selinux is enabled and enforcing before skipping the loading ... which
> > is done by calling is_selinux_enabled() which needs linking to
> > libselinux. The important part of the original design is not
> > selinux_init_load_policy(), its is_selinux_enabled().
How does it come that attacker can just "chmod -x /sbin/selinux-check"?
Aren't there supposed to be SELinux rule, preventing attacker from doing
this, even if he cracked root process?
Okay, this patch should be accompanied with patch to src:refpolicy,
correct?
--
Note, that I send and fetch email in batch, once every 24 hours.
If matter is urgent, try https://t.me/kaction
--
next prev parent reply other threads:[~2019-05-29 4:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-24 11:17 SELinux integration in sysVinit Laurent Bigonville
2019-05-24 12:55 ` Jason Zaman
2019-05-24 13:00 ` Jason Zaman
2019-05-24 13:40 ` Stephen Smalley
2019-05-29 3:40 ` Bug#929063: " Dmitry Bogatov
2019-05-29 3:40 ` Dmitry Bogatov [this message]
2019-05-29 3:40 ` Dmitry Bogatov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1559104433.284129.14732@localhost \
--to=kaction@debian.org \
--cc=929063@bugs.debian.org \
--cc=bigon@debian.org \
--cc=jason@perfinion.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.