From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, SE Linux <selinux@tycho.nsa.gov>
Subject: I am more worried about open then read and write, SELinux needs open access checks.
Date: Wed, 23 Jan 2008 17:01:18 -0500 [thread overview]
Message-ID: <4797B92E.7050901@redhat.com> (raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
One of the things I have talked about in the past was separating the
access for open from read/write.
An example of where this is a problem is the following AVC from a
bugzilla I got today.
type=AVC msg=audit(1201052518.765:1352): avc: denied { write } for
pid=5767 comm="dbus-daemon" path="/home/zack/startx.log" dev=sda3
ino=2227350
scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
This indicates that zack started x windows with startx. With its
standard output directed to /home/zack/startx.log. The avc indicates
that dbus has suddenly started trying to write files in the users home
directory.
My choice is to allow it or dontaudit it.
Neither is correct. I really want to know if a confined application
suddenly opens a file in the users homedir for writing, but if the
processes is handed an open file descriptor, I want to allow it.
This is a fundamental flaw in the usability of SELinux. Handling of
stdin/stdout/stderr are always generating AVC messages that we either
cover up or allow, and this can prevent us from discovering a real
cracker situation.
I would like to propose that we add one or more avc's to deal with
opening a file. open or open_read open_write. Leave the existing
access for those that are worried about leaking file descriptors and
information flow, but allow us to concentrate on real vulnerability s
versus noicy avc messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkeXuS4ACgkQrlYvE4MpobOx7gCg6g4GRpNEv7OxeHJSdVG6oqI1
tq4AmwWwa/sZVbvpFb480LJRcfn7BjLN
=jPAC
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2008-01-23 22:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-23 22:01 Daniel J Walsh [this message]
2008-01-24 13:08 ` I am more worried about open then read and write, SELinux needs open access checks Stephen Smalley
2008-01-24 13:33 ` Stephen Smalley
2008-01-24 14:59 ` James Morris
-- strict thread matches above, loose matches on Subject: below --
2008-01-24 18:48 Steve G
2008-01-24 20:35 ` Brett Lentz
2008-01-24 20:43 ` Stephen Smalley
2008-01-24 21:13 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4797B92E.7050901@redhat.com \
--to=dwalsh@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.