Re: [OT] SELinux vs. other systems [was Re: [idea] udev + selinux]

[Luke Kenneth Casson Leighton <lkcl@lkcl.net>]

On Thu, Sep 02, 2004 at 10:15:20PM +1000, Russell Coker wrote:

> > Compare that to this thread, where we are talking about atomic vs.
> > non-atomic restoration of context for udev-mounted temp file systems.
> > Shudder. This seems to be begging for an exploit to be discovered.
> > Are we sure that SELinux is really on the right track here?
> 
> The original udev implementation had the device nodes relabelled after 
> creation.  As of recent times (since 2002) the default SE Linux policy has 
> denied almost all domains (only two system domains) access to device nodes 
> labelled as device_t.  This means that there is no window of opportunity for 
> an attacker to access a device before it is correctly labelled.
> 
> The worst race condition attack would be a DOS attack, cause an access at the 
> wrong time and have it be denied when otherwise it would be permitted.  This 
> is the least serious of all possible problems related to device labelling.

 ... and with the use of matchpathcon() followed by setfscreatecon(),
 it isn't even that: inode, symlink and directory
 creation-plus-filecontext-setting are done as an atomic operation.

 problem goes away.

 the _old_ selinux udev support (0.024), on the other hand, suffered
 from the big-deal-DOS-attack that russell describes above.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.