On Thu, Sep 02, 2004 at 10:15:20PM +1000, Russell Coker wrote:
> Compare that to this thread, where we are talking about atomic
vs.
> non-atomic restoration of context for udev-mounted temp file systems.
> Shudder. This seems to be begging for an exploit to be discovered.
> Are we sure that SELinux is really on the right track here?
The original udev implementation had the device nodes relabelled after
creation. As of recent times (since 2002) the default SE Linux policy has
denied almost all domains (only two system domains) access to device nodes
labelled as device_t. This means that there is no window of opportunity for
an attacker to access a device before it is correctly labelled.
The worst race condition attack would be a DOS attack, cause an access at the
wrong time and have it be denied when otherwise it would be permitted. This
is the least serious of all possible problems related to device labelling.
... and with the use of matchpathcon() followed by setfscreatecon(),
it isn't even that: inode, symlink and directory
creation-plus-filecontext-setting are done as an atomic operation.
problem goes away.
the _old_ selinux udev support (0.024), on the other hand, suffered
from the big-deal-DOS-attack that russell describes above.
l.