Mounting an encrypted volume presents the volume to all users on a machine

Daniel J Walsh dwalsh at redhat.com
Wed Oct 27 13:07:51 UTC 2010



On 10/27/2010 06:35 AM, Bryn M. Reeves wrote:
> On 10/26/2010 10:39 PM, Bruno Wolff III wrote:
>> On Tue, Oct 26, 2010 at 14:07:53 -0700,
>>   Jesse Keating <jkeating at redhat.com> wrote:
>>> That's only if you give root the right to disable or load new selinux
>>> policy.
>>
>> And the policy is tight enough. You need to not allow root shells or most
>> processes the ability to read the keys out of memory or to write memory
>> that will change how things work. I don't think targeted policy is locked
>> down enough to stop that even if you don't allow root to disable selinux.
>>
>>> Seriously, there are machines on the public Internet with a published
>>> root account.  You're welcome to log in and try to do anything with them.
>>
>> Yeah, I know about one guy that offers a root password if you ask. I am
>> not sure what policy he is running on that machine.
> 
> It's Russell Coker, access details are available here:
> 
> http://www.coker.com.au/selinux/play.html
> 
> However the pages haven't been updated in a while and the service seems to be
> down right now.
> 
> Regards,
> Bryn.

There are two ways to get root on a system.  One is through a login
process.  Either log in directly as root or log in as a user and execute
su/sudo.  SELinux by default since F9 and RHEL6 allows you to set up
confined users, but defaults to unconfined_t.  If you log in to a system
as a user and get unconfined_t user type, and you become root, you can
take over the system.   You can set up the root account to log in as any
confined user, and show a UID=0 account that cannot do much.

SELinux also includes the concept of confined admin.  You can set up
accounts that have limited privileged root access.  webadm_r:webadm_t

http://magazine.redhat.com/2008/04/17/fedora-9-and-summit-preview-confining-the-user-with-selinux/

Explains this.

On my laptop I run as staff_t and when I run sudo I become webadm_t.  If
I run runuser I become unconfined_t.  This means you can set up a user
account that can use sudo to do certain admin activities with locked
down privs.

The other way you can become root is to break into the system through a
flaw in a network service.  If you are running SELinux and break into
httpd, you would end up with a process labeled httpd_t, and would only be
allowed to do the things the web server is allowed to do, even if your
UID==0.

One caveat in this is, if there is a kernel flaw that allows an account
to manipulate memory in the kernel, the hacker has a chance to turn
SELinux enforcement off, and all bets are off.  We try to protect
against this through checks like execmem, execstack, execmod, execheap and
memzero checks.  Hopefully more in the future.
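The distinction drawn in the message above, between logins that land in a confined user and those that fall through to the unconfined default, can be checked from the output of `semanage login -l`. This is an added example, not part of the original message or of Fedora's tooling; the sample listing and the function names `seuser_for` and `unconfined_entries` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output (not taken from a real host).
SAMPLE_MAP='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
root                 user_u               s0                   *
system_u             system_u             s0-s0:c0.c1023       *'

# seuser_for LOGIN: read a login mapping on stdin and print the SELinux user
# that LOGIN receives: its own entry if present, otherwise __default__.
# Group entries (%group) are not resolved, because group membership is not
# part of the listing.
seuser_for() {
    awk -v login="$1" '
        NF < 2 || $1 == "Login" { next }       # skip header and blank lines
        $1 == login         { exact = $2 }
        $1 == "__default__" { dflt = $2 }
        END {
            if (exact != "")     print exact
            else if (dflt != "") print dflt
            else exit 1                         # no mapping found at all
        }'
}

# unconfined_entries: print every mapping entry that lands in unconfined_u,
# i.e. the logins that get unconfined_t and, per the message above, can take
# over the system once they become root.
unconfined_entries() {
    awk 'NF >= 2 && $1 != "Login" && $2 == "unconfined_u" { print $1 }'
}

# Stand-alone demonstration on the constructed sample; on a live system,
# pipe in the output of `semanage login -l` instead.
for account in root alice bob; do
    printf '%s -> %s\n' "$account" \
        "$(printf '%s\n' "$SAMPLE_MAP" | seuser_for "$account")"
done
printf 'unconfined: %s\n' \
    "$(printf '%s\n' "$SAMPLE_MAP" | unconfined_entries | tr '\n' ' ')"
```

In the sample, `bob` has no entry of his own and inherits `unconfined_u` from `__default__`, which is the case the message describes as the default.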

