permissions on /proc/self/attrib/current

permissions on /proc/self/attrib/current

[Chuck Mead]

[-- Attachment #1: Type: text/plain, Size: 414 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The file /proc/self/attrib/current is world read and write. Is this
correct? Why does it need world read and write?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEhcEAZfy0juH51WsRAsXBAKCgFqHPpEfK5NSP5o/sZGqcbWBnCwCgjQZD
4kXDs9cr3Dax9ygN5BZ/x0I=
=cz5D
-----END PGP SIGNATURE-----

[-- Attachment #2: csm.vcf --]
[-- Type: text/x-vcard, Size: 376 bytes --]

begin:vcard
fn:Chuck Mead
n:Mead;Chuck
org:Red Hat, Inc.;GPS,
adr:;;1801 Varsity Drive;Raleigh;NC;27606;USA
email;internet:csm@redhat.com
title:Consultant
tel;cell:919-621-0605
note;quoted-printable:You can have peace. Or you can have freedom. Don=E2=80=99t ever count onh=
	aving both at once. - Lazarus Long
x-mozilla-html:FALSE
url:http://redhat.com
version:2.1
end:vcard

Re: permissions on /proc/self/attrib/current

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 405 bytes --]

On Tue, 2006-06-06 at 13:53 -0400, Chuck Mead wrote:

> The file /proc/self/attrib/current is world read and write. Is this
> correct? Why does it need world read and write?

 Just my opinion but...

/proc/self/attr/* are only used as part of SELinux policy, so it makes
sense for their access control to be limited by just SELinux policy.

-- 
James Antill <james.antill@redhat.com>
Red Hat

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 191 bytes --]

Re: permissions on /proc/self/attrib/current

[Russell Coker]

On Wednesday 07 June 2006 08:16, James Antill <james.antill@redhat.com> wrote:
> On Tue, 2006-06-06 at 13:53 -0400, Chuck Mead wrote:
> > The file /proc/self/attrib/current is world read and write. Is this
> > correct? Why does it need world read and write?
>
>  Just my opinion but...
>
> /proc/self/attr/* are only used as part of SELinux policy, so it makes
> sense for their access control to be limited by just SELinux policy.

That's not the case.  When SE Linux is in permissive mode those files are not 
writable by other processes.  Showing the file as mode 0600 would be a closer 
representation of the non-SE access controls on those files than the current 
situation.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: permissions on /proc/self/attrib/current

[Stephen Smalley]

On Tue, 2006-06-06 at 13:53 -0400, Chuck Mead wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> The file /proc/self/attrib/current is world read and write. Is this
> correct? Why does it need world read and write?

To completely disable DAC restrictions, and leave it entirely to SELinux
to control access.  The corresponding hook functions in the SELinux
"module", selinux_getprocattr and selinux_setprocattr, apply permission
checks on reading and writing these nodes, and selinux_setprocattr
further prohibits a task from setting (writing) attributes other than
its own.

The DAC restrictions can be problematic when the task becomes
undumpable, e.g. setuid or setgid programs could otherwise lose access
to their own /proc/pid/attr nodes.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: permissions on /proc/self/attrib/current

[Chuck Mead]

[-- Attachment #1: Type: text/plain, Size: 1157 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Tue, 2006-06-06 at 13:53 -0400, Chuck Mead wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The file /proc/self/attrib/current is world read and write. Is this
>> correct? Why does it need world read and write?
> 
> To completely disable DAC restrictions, and leave it entirely to SELinux
> to control access.  The corresponding hook functions in the SELinux
> "module", selinux_getprocattr and selinux_setprocattr, apply permission
> checks on reading and writing these nodes, and selinux_setprocattr
> further prohibits a task from setting (writing) attributes other than
> its own.
> 
> The DAC restrictions can be problematic when the task becomes
> undumpable, e.g. setuid or setgid programs could otherwise lose access
> to their own /proc/pid/attr nodes.

If selinux is disabled is this file still present?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEjW/xZfy0juH51WsRAtwCAJ0bFY7+YKxe7sr9WgQCvx8VY4okcgCgkVT/
EVDRmiSlQ48BC0s3EdkpvNo=
=44pn
-----END PGP SIGNATURE-----

[-- Attachment #2: csm.vcf --]
[-- Type: text/x-vcard, Size: 376 bytes --]

begin:vcard
fn:Chuck Mead
n:Mead;Chuck
org:Red Hat, Inc.;GPS,
adr:;;1801 Varsity Drive;Raleigh;NC;27606;USA
email;internet:csm@redhat.com
title:Consultant
tel;cell:919-621-0605
note;quoted-printable:You can have peace. Or you can have freedom. Don=E2=80=99t ever count onh=
	aving both at once. - Lazarus Long
x-mozilla-html:FALSE
url:http://redhat.com
version:2.1
end:vcard

Re: permissions on /proc/self/attrib/current

[Stephen Smalley]

On Mon, 2006-06-12 at 09:45 -0400, Chuck Mead wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Stephen Smalley wrote:
> > On Tue, 2006-06-06 at 13:53 -0400, Chuck Mead wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> The file /proc/self/attrib/current is world read and write. Is this
> >> correct? Why does it need world read and write?
> > 
> > To completely disable DAC restrictions, and leave it entirely to SELinux
> > to control access.  The corresponding hook functions in the SELinux
> > "module", selinux_getprocattr and selinux_setprocattr, apply permission
> > checks on reading and writing these nodes, and selinux_setprocattr
> > further prohibits a task from setting (writing) attributes other than
> > its own.
> > 
> > The DAC restrictions can be problematic when the task becomes
> > undumpable, e.g. setuid or setgid programs could otherwise lose access
> > to their own /proc/pid/attr nodes.
> 
> If selinux is disabled is this file still present?

The pseudo file is present, but reads and writes on it will always fail
(with errno EINVAL).
 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.