From: Joshua Brindle <jbrindle@tresys.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Luke Kenneth Casson Leighton <lkcl@lkcl.net>,
SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: banning copying of binaries (e.g. mozilla etc).
Date: Tue, 31 Aug 2004 12:25:57 -0400
Message-ID: <4134A695.9060008@tresys.com>
In-Reply-To: <1093958949.8517.81.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Tue, 2004-08-31 at 09:27, Luke Kenneth Casson Leighton wrote:
>
>> ... so port type equates to port number.
>
> The net_contexts configuration maps port numbers to port types, so you
> can group them into equivalence classes. Note that there has been a
> recent change to checkpolicy (in the sourceforge CVS tree) in this area
> to preserve the specified ordering for matching so that you can have
> overlapping port ranges, and a general entry for ports 1-1023 has been
> added to net_contexts to map them all to reserved_port_t if not
> otherwise specified.
>
>> ... but it would be easy to, say, deny users the ability to execute
>> user_u:object_r:user_t binaries, or default_t binaries etc. yes?
>
> user_home_t? Yes. If you look at macros/base_user_macros.te, you'll
> see the specific can_exec() rules that allow the user domains to execute
> files in their home directories and their own temporary files in the
> current policy. You would want to go through and remove all such rules
> for any type that the user can create/write. apol is your friend for
> such analysis, as it can quickly find all cases including those covered
> by rules that use type attributes.
>
It's worth noting that this will not stop execution of said binaries
entirely. One only needs to know enough to use /lib/ld.so to run any
dynamically linked binary which he doesn't have execute access on.
Unfortunately, disabling user domains' access to ld.so would make him
unable to run any dynamically linked apps whatsoever; sounds like we
need a userland enforcer in glibc ;)
Joshua Brindle
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
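Stephen's advice above is to hunt down every can_exec()-style rule that lets a user domain execute a type it can also create or write, including rules that reach the type through an attribute. The following is an added example, not code from this thread, from apol, or from the SELinux project: a small Python checker that parses a constructed fragment of policy source in the style of the old example policy's .te files (simplified syntax, only `attribute`, `type` and `allow` statements, assumed here) and reports each (domain, type) pair where file write/create/append and execute/execute_no_trans are both granted, listing the rules that supply the execute permission so the analyst knows which ones to remove. The attribute expansion is what catches the indirect grants Stephen mentions. As Joshua points out in the message above, removing these rules is still not a complete barrier while the domain can execute the dynamic loader; this check only finds the direct grants.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the old example policy's .te files;
# the can_exec() macro in macros/base_user_macros.te expands to allow rules
# like the ones below. Illustration only, not the real policy.
SAMPLE_POLICY = """
attribute file_type;
attribute home_type;
type user_t, domain;
type user_home_t, file_type, home_type;
type user_tmp_t, file_type;
type bin_t, file_type;
type ld_so_t, file_type;

# roughly what can_exec(user_t, user_home_t) produces
allow user_t user_home_t:file { read getattr execute execute_no_trans };
allow user_t user_home_t:file { create write unlink };
allow user_t user_tmp_t:file { create write read execute };
# a rule that uses an attribute: covers user_home_t indirectly
allow user_t home_type:file execute;
allow user_t bin_t:file { read execute execute_no_trans };
allow user_t ld_so_t:file { read execute };
"""

WRITE_PERMS = {"write", "create", "append"}
EXEC_PERMS = {"execute", "execute_no_trans"}

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;")
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_policy(text):
    """Return (attr_members, rules): attribute -> set of member types, and
    a list of (source, target, class, perm set, original line) tuples.
    Only the simplified statement forms used in SAMPLE_POLICY are handled."""
    attr_members = defaultdict(set)
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = TYPE_RE.match(line)
        if m:
            # "type T, attr1, attr2;" makes T a member of each attribute
            for attr in (m.group(2) or "").replace(",", " ").split():
                attr_members[attr].add(m.group(1))
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, tclass, perms = m.groups()
            rules.append((src, tgt, tclass, set(perms.strip("{} ").split()), line))
    return attr_members, rules


def expand_target(tgt, attr_members):
    """A rule target may be a type or an attribute; return the concrete types."""
    return attr_members[tgt] if tgt in attr_members else {tgt}


def find_writable_exec(text):
    """Map (domain, type) -> sorted execute-granting rule lines for every
    file type the domain is allowed both to modify and to execute."""
    attr_members, rules = parse_policy(text)
    perms_by_pair = defaultdict(set)   # accumulated file perms per (domain, type)
    exec_rules = defaultdict(list)     # which lines granted execute
    for src, tgt, tclass, perms, line in rules:
        if tclass != "file":
            continue
        for t in expand_target(tgt, attr_members):
            perms_by_pair[(src, t)] |= perms
            if perms & EXEC_PERMS:
                exec_rules[(src, t)].append(line)
    return {pair: sorted(exec_rules[pair])
            for pair, perms in perms_by_pair.items()
            if perms & WRITE_PERMS and perms & EXEC_PERMS}


if __name__ == "__main__":
    for (dom, t), lines in sorted(find_writable_exec(SAMPLE_POLICY).items()):
        print(f"{dom} can write and execute {t}; execute granted by:")
        for rule in lines:
            print("    " + rule)
```

On the constructed sample the checker flags user_home_t (reached both directly and through the home_type attribute rule) and user_tmp_t, and leaves bin_t and ld_so_t alone because the domain cannot write them. On a real policy you would run the equivalent query in apol or sesearch against the compiled policy rather than regex-parsing source, since macros, conditionals and attributes are resolved there.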