Re: Shell redirection and denials

[Daniel J Walsh <dwalsh@redhat.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Wed, 2007-10-10 at 00:10 -0700, Kroum Antov wrote:
>> Dan's suggestion for dropping checks entirely on inheritance and transfer of 
>> descriptors and do check for OPEN instead
>> seems to be solid and simple solution.
>> I don't see any potential security danger in doing this. Once an application 
>> has the proper rights on a descriptor it can do anything with it anyway. By 
>> passing the descriptor to other applications and allowing them to work with 
>> this descriptor without problems there is No security issue with this.
>> Controlling the Open of the confined applications is sufficient in my 
>> opinion.
> 
> Not if you want to be able to claim that the system enforces mandatory
> access control.  The ability to leak a descriptor at will (unwittingly
> or maliciously) to an unauthorized entity violates the principles of
> mandatory access control.  And SELinux controls on descriptor
> inheritance have caught any number of unwitting leaks of descriptors by
> programs.
> 
>> Introducing transfer_read and transfer_write permissions will do the work 
>> too but in my opinion introduces unnecessary complexity to an already 
>> complex system.
>>
>> SElinux has potential beyond the standard security control but these AVC 
>> denials for file descriptors and ports transfers are greatly limiting the 
>> SELinux usability.
>>
>> I surely would like to see this issue addressed soon.
> 
> Splitting the permissions to allow distinctions to be made is ok, but
> entirely dropping the ability to control propagation of access rights is
> not.
> 
I agree, but we can also use some common sense, there are levels of
paranoia that differ depending on the context.  Allowing a confined
domain read/write/use any FD that is handed to them that is connected to
a terminal, logfile, tmpfile, and not allowing them to open a connection
to a terminal, tmpfile, logfile is a big step forward.

Perhaps also allowing them to talk to fifo_file file owned by user but
not open one.

We can also allow the addition of booleans or changes in policy.  Not ok
for MLS but ok for Targeted.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHDPgUrlYvE4MpobMRAhTrAJ40w4lHmvXyUYhTNaF9o6DRG+KHDQCfYZUS
Nng/pXmaQK/JmGotQ6jFif0=
=9oR2
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.