user_t more restrictive than sshd_t (e.g.)?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: dE <de.techno@gmail.com>
To: selinux@tycho.nsa.gov
Subject: user_t more restrictive than sshd_t (e.g.)?
Date: Fri, 23 May 2014 11:18:43 +0530	[thread overview]
Message-ID: <537EE13B.7090603@gmail.com> (raw)

As we know, the user_r does not allow many processes to have high 
privilege types (system_t for e.g. which's tailored for a single program 
named X), if such a process is executed, it'll have a type of user_t.

However system_t specifies restrictions on the program exactly as per 
X's specifications -- it wont allow the program to do anything outside 
what's it supposed to do.

But that's not the same for user_t -- this type is generic and there are 
many things that user_t allows which system_t does not.

This may form a security vector; a vulnerable program which should run 
as system_t but is not run cause user_r does not allow that type, this 
allows the program to do many things which it's not designed to do; so 
basically this bypasses SELinux restrictions as put on by system_t.

So, is there any way to prevent this form happening -- or can we specify 
in the policy what type to run the program as when it's run by a user 
with role user_r or any other user which is not allowed system_t?

As an e.g. we may see systemctl.

next             reply	other threads:[~2014-05-23  5:51 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-05-23  5:48 dE [this message]
2014-05-27  7:42 ` user_t more restrictive than sshd_t (e.g.)? dE
2014-05-27 13:32   ` Christopher J. PeBenito
2014-05-27 13:32     ` [refpolicy] " Christopher J. PeBenito
2014-05-27 13:35     ` Christopher J. PeBenito
2014-05-31  5:25       ` dE

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=537EE13B.7090603@gmail.com \
    --to=de.techno@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.