On Thu, 8 Apr 2004 09:16, Jesse Keating <jkeating(a)j2solutions.net> wrote:
On Wednesday 07 April 2004 15:27, Richard Hally wrote:
> So you are saying that some one can "own a box" (whatever that means)
> while SELinux is in enforcing mode?
To "own a box" means to obtain illegal administrative access without the
administrator knowing. It usually involves installing a modified login
program, or a daemon that accepts logins on a special port to provide access
to the attacker without changing /etc/passwd or /etc/shadow. Modern "root
kits" include kernel modules to hide processes, files, and open network
sockets.
> And do what? :)
No, but if your SELinux policies are loose enough to allow a rogue rpm
to overwrite /etc/sysconfig/SELinux, then you've got to re-evaluate
your policies.
Currently we have no facility for different privilege levels for RPMs. Every
time you run rpm it runs in the same context which gives it permission to
write to almost every file in the system. There is currently no SE Linux
option to install a hostile rpm without having it do whatever it wants.
If you run rpm with --noscripts and --notriggers then it should be limited in
the damage it can cause. It can still put binaries in the path, so it could
create /usr/kerberos/sbin/ls and wait for the administrator to run it (in my
system /usr/kerberos/sbin is before /bin in the path).
To prevent damage from hostile rpms we need to have a different context for
rpm, no scripts and no triggers as default, and any files that are executed
by a user would have to trigger a domain transition.
Of course even a domain transition isn't really enough to prevent attacks
through ptys.
At the moment if you don't trust someone to provide a good rpm then don't run
their software.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
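The message above points out that even with --noscripts and --notriggers a hostile rpm can still drop a binary into a directory that sits earlier in PATH than /bin (the /usr/kerberos/sbin/ls case). The following shell script is an added example, not from the thread or any of its authors: it walks a PATH string and reports any command from a trusted directory that is shadowed by a same-named executable in an earlier directory. The directory layout, the PATH string and the trusted-directory list are constructed under a temporary directory purely for the demonstration; on a real system you would pass "$PATH" and something like "/bin /usr/bin /sbin /usr/sbin", and follow up each finding with rpm -qf to see which package, if any, owns the shadowing file.

```shell
#!/bin/sh
# Added example (not from the original thread): detect PATH shadowing of
# trusted commands, the attack the message describes for a rogue rpm.

# shadowed_commands PATHSTRING "TRUSTED_DIR ..."
# For every executable in a trusted directory, look at the PATH entries that
# come before that directory; print one line per command that is found there.
shadowed_commands() {
    path="$1"
    trusted="$2"
    for tdir in $trusted; do
        [ -d "$tdir" ] || continue
        for f in "$tdir"/*; do
            [ -x "$f" ] || continue
            name=$(basename "$f")
            oldifs=$IFS
            IFS=:
            for pdir in $path; do
                IFS=$oldifs
                # Reached the trusted directory itself: nothing earlier matched.
                [ "$pdir" = "$tdir" ] && break
                if [ -x "$pdir/$name" ]; then
                    echo "$pdir/$name shadows $tdir/$name"
                    break
                fi
            done
            IFS=$oldifs
        done
    done
}

# Number of findings, for callers that only need a yes/no answer.
count_shadowed() {
    shadowed_commands "$1" "$2" | wc -l | tr -d ' '
}

# Constructed layout for the demonstration (assumption: not a real system).
# A rogue "ls" is placed in usr/kerberos/sbin, which the PATH lists before bin.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/usr/kerberos/sbin" "$demo_root/bin" "$demo_root/usr/bin"
printf '#!/bin/sh\nexit 0\n' > "$demo_root/bin/ls"
printf '#!/bin/sh\nexit 0\n' > "$demo_root/usr/kerberos/sbin/ls"   # the rogue copy
printf '#!/bin/sh\nexit 0\n' > "$demo_root/usr/bin/vi"
chmod +x "$demo_root/bin/ls" "$demo_root/usr/kerberos/sbin/ls" "$demo_root/usr/bin/vi"

demo_path="$demo_root/usr/kerberos/sbin:$demo_root/bin:$demo_root/usr/bin"
demo_trusted="$demo_root/bin $demo_root/usr/bin"

# Run the audit over the constructed layout; only the rogue ls is reported.
shadowed_commands "$demo_path" "$demo_trusted"
```

The check is deliberately about ordering rather than file contents: a shadowing binary does not need to be malicious to be worth a look, but any executable that sits in front of /bin or /usr/bin and is not owned by an expected package is exactly what the message warns an administrator will eventually run by accident.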