From: Daniel J Walsh <dwalsh@redhat.com>
To: selinux@tycho.nsa.gov
Subject: Re: [PATCH] SELINUX: new permission controlling the ability to set suid
Date: Mon, 26 Apr 2010 08:52:11 -0400
Message-ID: <4BD58C7B.1000507@redhat.com>
In-Reply-To: <20100426061848.GS21894@myhost.felk.cvut.cz>
On 04/26/2010 02:18 AM, Michal Svoboda wrote:
> Daniel J Walsh wrote:
>> One possible use case would be. I want to allow a user to login as
>> unconfined_t and only be able to become root as webadm_t through sudo.
>>
>> If webadm_t has setattr on /var/www, he can cp /bin/sh /var/www/sh,
>> chcon 4755 /var/www/sh, exit webadm_t and as unconfined_t become root
>> using /var/www/sh.
>
> Isn't this just a side effect of the 'unconfined' philosophy? I've
> always been taught (and taught others) that with proper MAC controls you
> can have as many setuid shells as you like.
>
> You already give all your trust to the user by giving him unconfined.
> Placing setuid controls in place is curing only (one of many) symptoms,
> not the cause.
>
> Michal Svoboda
>
First, my example was sort of a gross oversimplification. It would not
only affect unconfined_t but any other domain that could use the setuid
bit to gain additional privs.

unconfined_t to a user means, give him all the power of a normal user
with SELinux disabled. You are still protected by DAC. I would argue
that you want to make sure there are limited setuid apps around when
running with unconfined_t. But if you give him unconfined_t and "chcon
4755" as a confined user running as root, then you make it easy for him
to become unconfined_t running as UID=0.

If we want people to experiment with confined admins, allow unconfined_t
-> sudo_exec_t -> confined_admin_t is a good thing.
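The risk discussed in this thread is a setuid binary planted in a directory a confined admin can write to (the /var/www/sh scenario) and later executed from a less restricted domain. The following is an added example, not code from this thread or from any SELinux project: a small audit that takes a setuid/setgid inventory in the field layout GNU find's `-printf '%p %m %Z\n'` produces (path, octal mode, SELinux context) and flags set-id files living outside the directories where privileged helpers are expected. The trusted directory list and the sample inventory are assumptions constructed for the example.

```python
"""
Audit a setuid/setgid inventory for binaries outside the directories where
privileged helpers normally live (e.g. a setuid shell dropped into a web
content tree).

Each inventory line has the shape produced by
    find / -xdev -type f -perm /6000 -printf '%p %m %Z\n'
i.e. path, octal mode, SELinux context (user:role:type:level).
"""
from dataclasses import dataclass
from typing import List, Tuple

S_ISUID = 0o4000
S_ISGID = 0o2000

# Assumption for this example: the only places a setuid/setgid file is
# expected on this host. Adjust to the distribution's real layout.
TRUSTED_SETID_DIRS = ("/usr/bin", "/usr/sbin", "/usr/libexec", "/usr/lib")

# Constructed sample inventory; the /var/www/sh line mirrors the scenario
# from the thread, the last line is a second planted helper.
SAMPLE_INVENTORY = """\
# path mode context
/usr/bin/passwd 4755 system_u:object_r:passwd_exec_t:s0
/usr/bin/sudo 4111 system_u:object_r:sudo_exec_t:s0
/var/www/sh 4755 system_u:object_r:httpd_sys_content_t:s0
/home/alice/tools/helper 2755 unconfined_u:object_r:user_home_t:s0
"""


@dataclass(frozen=True)
class SetidFile:
    path: str
    mode: int
    context: str

    @property
    def setuid(self) -> bool:
        return bool(self.mode & S_ISUID)

    @property
    def setgid(self) -> bool:
        return bool(self.mode & S_ISGID)

    @property
    def selinux_type(self) -> str:
        # The type is the third colon-separated field of the context.
        parts = self.context.split(":")
        return parts[2] if len(parts) >= 3 else "?"


def parse_inventory(text: str) -> List[SetidFile]:
    """Parse 'path mode context' lines; comments and blank lines are skipped."""
    files: List[SetidFile] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # rsplit keeps paths containing spaces intact: only the last two
        # whitespace-separated fields are mode and context.
        pieces = line.rsplit(" ", 2)
        if len(pieces) != 3:
            raise ValueError(f"malformed inventory line: {raw!r}")
        path, mode_str, context = pieces
        files.append(SetidFile(path, int(mode_str, 8), context))
    return files


def is_trusted_location(path: str) -> bool:
    """True when the file sits below one of the trusted directories."""
    return any(path.startswith(d.rstrip("/") + "/") for d in TRUSTED_SETID_DIRS)


def find_suspicious(files: List[SetidFile]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every set-id file outside the trusted dirs."""
    findings: List[Tuple[str, str]] = []
    for f in files:
        if not (f.setuid or f.setgid):
            continue
        if is_trusted_location(f.path):
            continue
        bits = "setuid" if f.setuid else "setgid"
        findings.append(
            (f.path, f"{bits} file outside trusted directories "
                     f"(mode {f.mode:04o}, type {f.selinux_type})")
        )
    return findings


if __name__ == "__main__":
    for path, reason in find_suspicious(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{path}: {reason}")
```

Run against the sample, the two planted files are reported and the distribution's own setuid helpers are not; in practice the inventory would be generated by the find command in the docstring and diffed against a baseline, so a new set-id file in a content or home directory shows up as soon as it is created rather than when it is used.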