From: Daniel J Walsh <dwalsh@redhat.com>
To: antoine <antoine@nagafix.co.uk>
Cc: ivg2@cornell.edu, SELinux <selinux@tycho.nsa.gov>, walters@redhat.com
Subject: Re: mdadm policy
Date: Fri, 24 Jun 2005 23:42:10 -0400 [thread overview]
Message-ID: <42BCD292.3090103@redhat.com> (raw)
In-Reply-To: <1119641274.9645.58.camel@localhost>
antoine wrote:
>On Fri, 2005-06-24 at 15:05 -0400, Ivan Gyurdiev wrote:
>
>
>>>So it looks to me like the transition to sendmail should always be
>>>included - well actually, ifdef(mta.te).
>>>
>>>
>>cc-ed Dan Walsh.
>>Proposed transition to sendmail from mdadm.te
>>(so it can send alerts to user).
>>
>>Re: can_exec({ bin_t, sbin_t }) rule
>>
>>Antoine, you have to be root/sysadm_t to configure
>>execution of such programs, right? If you have sysadm_t, you
>>can disable any and all security. The only protection
>>from sysadm_t that selinux provides is protection from
>>inadvertently running hostile code that messes w/ selinux
>>files - that's why we have a role called secadm_t
>>(I think this is work in progress).
>>
>>
>I admit the threat is minimal, but I just don't like the idea of running
>things as mdadm_t when it isn't necessary.
>You would need to know what is run by mdadm (as mdadm.conf is not
>readable by non root/sysadm_t) *and* find a flaw in it *and* trigger the
>mdadm error condition. Very slim indeed.
>On the other hand, any flaw in one of the bin_t/sbin_t programs run by
>mdadm would lead to a full compromise (using raw disks). And there has
>been more than one flaw found in sendmail/postfix/... And since it is
>avoidable, why not remove access to raw disks before launching the
>program. (I think the transition to sendmail_t is the minimum)
>
>
>
>>So, we can't stop an intentional attack like this.
>>The only question is whether we should stop unintentional
>>attack (sysadm doesn't know bin_t/sbin_t program is hostile,
>>sysadm installed it anyway, sysadm doesn't have capability
>>to write to fixed_disk_device, but mdadm does, and
>>gives hostile program desired escalation).
>>
>>
>Hostile program *or* shell script with insecure privileges/files, etc.
>
>Antoine
>
>
>
Add privmail attribute and you will transition to system_mail_t when
starting sendmail.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
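Dan's one-line answer is easier to see in policy form. The module below is an added example written for this page; it is not code from the thread, from Dan, or from the Fedora policy of the time. It assumes a reference-policy toolchain (`policy_module`, `require`, the `mta_send_mail()` interface) and the module name `mdadm_local` is made up. The commented-out lines describe the equivalent in the 2005 example policy Dan is referring to, where, as an assumption about that policy's layout, `privmail` was an attribute and `mta.te` carried the `domain_auto_trans` rule for every domain that has it.

```selinux
# Added example, reference-policy syntax. Module name "mdadm_local" is constructed.
policy_module(mdadm_local, 1.0)

require {
	type mdadm_t;   # the mdadm daemon domain, defined by the base mdadm module
}

# Context (not granted here): the base policy gives mdadm_t raw block-device
# access so it can manage arrays. That is exactly the privilege the thread
# wants kept away from whatever mdadm runs on an array event. Without a
# transition, a PROGRAM or MAILADDR handler started by mdadm keeps running
# as mdadm_t and inherits that access.

# The fix Dan describes: when mdadm_t executes a sendmail_exec_t binary,
# move into system_mail_t instead of staying in mdadm_t. mta_send_mail()
# expands (through domtrans_pattern) to, among other rules:
#   allow mdadm_t sendmail_exec_t:file { read getattr open execute };
#   allow mdadm_t system_mail_t:process transition;
#   type_transition mdadm_t sendmail_exec_t:process system_mail_t;
mta_send_mail(mdadm_t)

# Legacy equivalent (2005 example policy, stated as an assumption about its
# layout): add the attribute to the domain declaration in mdadm.te, e.g.
#   type mdadm_t, domain, privmail;
# and let mta.te's
#   domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
# supply the same transition for every domain carrying privmail.
```

Build and load it with the standard developer Makefile (`make -f /usr/share/selinux/devel/Makefile mdadm_local.pp && semodule -i mdadm_local.pp`), then confirm the transition is present with `sesearch -T -s mdadm_t -t sendmail_exec_t -c process`; the expected line is a `type_transition` to `system_mail_t`. Note that this only covers the sendmail case: a non-mail `PROGRAM` handler in `mdadm.conf` still runs as `mdadm_t` unless its own transition is added, which is Antoine's remaining concern in the thread.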