Re: [RFC PATCH] newrole suid breakdown

[Michael C Thompson <thompsmc@us.ibm.com>]

Stephen Smalley wrote:
> On Sat, 2006-10-07 at 03:37 +1000, Russell Coker wrote:
>> Without even trying I've found six setuid-root programs that are included in a 
>> fairly default install of Fedora and which are never needed by the vast 
>> majority of users.  I doubt that all six are as well audited as newrole.
> 
> Keep in mind that newrole didn't start life as a setuid program, so it
> wasn't written specifically from that perspective.   It was even fairly
> limited wrt SELinux - it couldn't transition you to an arbitrary role
> and domain, only one that you were already authorized for in the kernel
> policy (vs. su, which can serve as the gateway from any uid to any uid).
> The only real power it had was access to the tty/ptys.

I have a patch (its really big, so I'll try to break it down into 
meaningful chunks) that basically restructures newrole in a more 
maintainable, and paranoid, way. If I can't break it down easily, would 
you (the reader) be ok with reading a ~1600 line patch? Like I said, 
I'll try to break it down, but the changes are very wide sweeping, and 
hopefully a large improvement of what was there.

Based on all of the previous discussion wrt checking the capabilities, 
if this is still desired, I can change the behavior to be:

call_do_priv_action
{
   if !(have_right_capabilities)
     return 0 (flag success, even though its not done anything)
   /* if we do have caps, then do actions and expect them to work */
   ...
}

That acceptable? (And is it even needed anymore due to new package?)

Mike




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.