From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Patch to libsemanage to remove labeling of /root
Date: Fri, 27 Feb 2009 17:08:42 -0500
Message-ID: <49A8646A.5050604@redhat.com>
In-Reply-To: <200902271322.18928.russell@coker.com.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Coker wrote:
> On Thu, 19 Feb 2009, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> The problem with treating /root as the same as every other homedir, is
>> confined daemons all consider /root their home dir, so they want to be
>> able to read/write contents in the homedir.
> 
> We should not be allowing confined daemons to write to /root.
> 
> There is little point in confining a daemon if it can write to a file such 
> as /root/.bashrc which is likely to be executed as unconfined_t.
> 
> The only reason a confined daemon should access /root is if the sysadmin 
> starts it immediately after logging in without changing directory.  A daemon 
> starting with a cwd that is not accessible should not be a problem, if it is 
> then there are other usage cases that will get you.
> 
There is potential to allow confined domains to write to subdirs of
/root, or at least read it.

sshd_t needs to be able to read /root/.ssh/*

Others like xauth_t need to be able to write, but this is more a confined
helper app than a real confined app.

In current targeted policy I see the following

# sesearch --allow -t admin_home_t -c dir | grep write | awk '{ print $2 " " $3 }'
sysadm_t admin_home_t
rpm_t admin_home_t
rpm_script_t admin_home_t
xauth_t admin_home_t
nfsd_t admin_home_t
nmbd_t admin_home_t
smbd_t admin_home_t
ftpd_t admin_home_t
kernel_t admin_home_t

Where these are either an unconfined_domain or have a boolean that
allows them to write anywhere.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmoZGoACgkQrlYvE4MpobPtjQCfYRtnQvjRxdEwk5Fugev1fs+M
33sAoN+LFFJS37gpGNAY/MIMSr5vlick
=DiAa
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
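The query in the message above lists source and target types only; a reviewer usually also wants to know which of those rules are boolean-gated and which permissions beyond the literal "write" let a domain change what is in /root. The script below is an added example, not code from the message or from the setools project: it parses sesearch --allow output and reports, for each domain holding a directory-modifying permission on admin_home_t, whether the rule is unconditional or hangs off a boolean. The sample lines are constructed in the setools 4 sesearch output style (an assumption about the exact format), and the domains, permissions and booleans in them are illustrative rather than copied from any particular policy.

```python
"""Parse sesearch(1) --allow output and report which domains may modify
directories of a target type, and which of those rules are boolean-gated.

Added example, not code from the message above or from the setools
project.  Sample lines are constructed in the setools 4 sesearch output
style (an assumption about the exact format); the domains, permissions
and booleans in them are illustrative rather than copied from a policy.
"""
import re
import sys

# Constructed sample standing in for the output of
#   sesearch --allow -t admin_home_t -c dir
# on some targeted policy.  Conditional rules carry a trailing "[ bool ]:True".
SAMPLE_SESEARCH = """\
allow sysadm_t admin_home_t:dir { add_name create getattr ioctl open read remove_name rename rmdir search setattr write };
allow rpm_t admin_home_t:dir { add_name create getattr open read remove_name search write };
allow sshd_t admin_home_t:dir { getattr open read search };
allow xauth_t admin_home_t:dir { add_name getattr open read search write };
allow kernel_t admin_home_t:dir write;
allow ftpd_t admin_home_t:dir { add_name create getattr open read remove_name rmdir search write }; [ ftpd_full_access ]:True
allow smbd_t admin_home_t:dir { add_name create getattr open read remove_name rmdir search write }; [ samba_enable_home_dirs ]:True
"""

# Accepts both "tgt:cls { perms };" (setools 4) and "tgt : cls { perms } ;"
# (older setools) shapes, with an optional trailing "[ boolean ]:True|False".
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{;]+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;?"
    r"(?:\s*\[\s*(?P<bool>[^\]]+?)\s*\](?::(?P<val>True|False))?)?\s*$"
)

# Directory permissions that let a domain change what is in the directory
# (create, remove, rename entries) rather than merely look at it.  The
# literal "write" permission is what `grep write` in the message picks up;
# add_name/remove_name are what a daemon needs to drop or replace a file
# such as /root/.bashrc, so they are counted as well.
DIR_MODIFY_PERMS = {"write", "add_name", "remove_name", "create", "rename",
                    "rmdir", "unlink", "link", "reparent", "setattr"}


def parse_rules(text):
    """Return a list of dicts, one per allow rule the regex recognises.

    Each dict has src, tgt, cls, perms (a set) and cond, where cond is None
    for an unconditional rule, "name" for a rule active when the boolean
    is on, or "!name" for one active when it is off.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line, header, or a rule kind this example does not model
        perms_text = m.group("perms")
        perms = set(perms_text.split()) if perms_text is not None else {m.group("perm")}
        cond = None
        if m.group("bool"):
            cond = m.group("bool")
            if m.group("val") == "False":
                cond = "!" + cond
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": perms, "cond": cond})
    return rules


def dir_modifiers(text, target="admin_home_t", perms=DIR_MODIFY_PERMS):
    """Map each source domain holding any of `perms` on target:dir to its
    gating boolean (None when the rule is unconditional)."""
    found = {}
    for r in parse_rules(text):
        if r["tgt"] != target or r["cls"] != "dir" or not (r["perms"] & perms):
            continue
        # An unconditional rule trumps a conditional one for the same domain.
        if r["src"] not in found or r["cond"] is None:
            found[r["src"]] = r["cond"]
    return found


if __name__ == "__main__":
    # Pipe real sesearch output in, or run with no stdin to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SESEARCH
    for src, cond in sorted(dir_modifiers(data).items()):
        print(f"{src:20} {'unconditional' if cond is None else 'if ' + cond}")
```

On a live system the script is meant to be run as `sesearch --allow -t admin_home_t -c dir | python3 admin_home_writers.py` (the file name is a placeholder). Passing perms={"write"} reproduces the narrower grep from the message, so the two views can be compared to see which domains gain /root-modifying access only through add_name or remove_name.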

Thread overview: 24+ messages
2009-01-13 13:43 Patch to libsemanage to remove labeling of /root Daniel J Walsh
2009-02-17 20:25 ` Joshua Brindle
2009-02-17 20:31   ` Daniel J Walsh
2009-02-17 20:32     ` Joshua Brindle
2009-02-17 20:39       ` Daniel J Walsh
2009-02-17 20:40         ` Joshua Brindle
2009-02-17 21:17           ` Daniel J Walsh
2009-02-18 15:47             ` Joshua Brindle
2009-02-18 16:09               ` Daniel J Walsh
2009-02-18 16:20                 ` Joshua Brindle
2009-02-18 16:28                   ` Daniel J Walsh
2009-02-18 16:57                   ` Daniel J Walsh
2009-02-18 19:21                     ` Joshua Brindle
2009-02-18 20:09                       ` Daniel J Walsh
2009-02-18 20:15                         ` Joshua Brindle
2009-02-18 21:25                           ` Daniel J Walsh
2009-02-18 21:42                             ` Joshua Brindle
2009-02-27  2:22                 ` Russell Coker
2009-02-27 22:08                   ` Daniel J Walsh [this message]
2009-02-27 23:01                     ` Russell Coker
2009-02-28 12:09                       ` Dominick Grift
2009-02-28 12:29                         ` Daniel J Walsh
2009-02-28 12:39                           ` Dominick Grift
2009-02-28 12:17                       ` Daniel J Walsh
