From: Daniel J Walsh <dwalsh@redhat.com>
To: Valdis.Kletnieks@vt.edu
Cc: Stephen Smalley <sds@tycho.nsa.gov>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Changes to policycoreutils.
Date: Sat, 18 Mar 2006 11:54:42 -0500 [thread overview]
Message-ID: <441C3B52.7060702@redhat.com> (raw)
In-Reply-To: <200603180532.k2I5Wuhe004158@turing-police.cc.vt.edu>
Valdis.Kletnieks@vt.edu wrote:
> On Fri, 17 Mar 2006 16:39:07 EST, Daniel J Walsh said:
>
>
>> This will give us the ability of instantly labeling the ~/public_html
>> directory. So if a user logs in and does a
>> mkdir ~/public_html to tool will label the file correctly.
>>
>
> Do you have an estimate on how fast "instantly" is? A few second's delay in
> relabelling ~/public_html is probably not a big thing, but a delay in
> relabelling a just-created file to a more restrictive context may be opening a
> timing hole (for instance, allowing the grabbing of a just-created GPG or SSH
> key before the door is closed).
>
> I'm suspecting the answer is "there's a small hard-to-hit hole" that people
> find acceptable risk (which I'm OK on, as long as we're honest about the size
> of the risk and how it works....)
>
>
The answer is that is, if the file is created by a confined domain it
will be instantly. SELinux
aware application also create it instantly. This is more for the non
SELinux aware applicaitons.
So the example of the user creating the public_html directory.
It happens very fast, as a matter of fact you can try this command to see it
rmdir public_html; mkdir public_html; ls -ldZ public_html
drwxrwxr-x dwalsh dwalsh user_u:object_r:httpd_sys_content_t
public_html
This should not be considered a failsafe security measure, but more of a
usability issue.
If you have an file that is of critical secuirty you might not want to
use this tool on it.
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-03-18 16:54 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-03-17 21:39 Changes to policycoreutils Daniel J Walsh
2006-03-18 5:32 ` Valdis.Kletnieks
2006-03-18 16:54 ` Daniel J Walsh [this message]
2006-03-20 13:45 ` Stephen Smalley
2006-03-20 14:51 ` Daniel J Walsh
2006-03-20 15:51 ` Stephen Smalley
2006-03-20 17:25 ` Stephen Smalley
2006-03-21 19:12 ` Daniel J Walsh
2006-03-20 20:27 ` Russell Coker
2006-03-20 20:47 ` Stephen Smalley
2006-03-20 20:11 ` Stephen Smalley
2006-03-20 21:23 ` Daniel J Walsh
2006-03-20 21:45 ` Stephen Smalley
2006-03-21 13:56 ` Stephen Smalley
2006-03-21 16:13 ` Daniel J Walsh
2006-03-20 21:26 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=441C3B52.7060702@redhat.com \
--to=dwalsh@redhat.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.