Mounting an encrypted volume presents the volume to all users on a machine
Daniel J Walsh
dwalsh at redhat.com
Wed Oct 27 13:07:51 UTC 2010
On 10/27/2010 06:35 AM, Bryn M. Reeves wrote:
> On 10/26/2010 10:39 PM, Bruno Wolff III wrote:
>> On Tue, Oct 26, 2010 at 14:07:53 -0700,
>> Jesse Keating <jkeating at redhat.com> wrote:
>>>
>>> That's only if you give root the right to disable or load new selinux
>>> policy.
>>
>> And the policy is tight enough. You need to not allow root shells or most
>> processes the ability to read the keys out of memory or to write memory
>> that will change how things work. I don't think targeted policy is locked
>> down enough to stop that even if you don't allow root to disable selinux.
>>
>>> Seriously, there are machines on the public Internet with a published
>>> root account. You're welcome to log in and try to do anything with them.
>>
>> Yeah, I know about one guy that offers a root password if you ask. I am
>> not sure what policy he is running on that machine.
>
> It's Russell Coker, access details are available here:
>
> http://www.coker.com.au/selinux/play.html
>
> However the pages haven't been updated in a while and the service seems to be
> down right now.
>
> Regards,
> Bryn.

There are two ways to get root on a system. One is through a login
process. Either log in directly as root or log in as a user and execute
su/sudo. SELinux by default since F9 and RHEL6 allows you to set up
confined users, but defaults to unconfined_t. If you log in to a system
as a user and get unconfined_t user type, and you become root, you can
take over the system. You can set up the root account to log in as any
confined user, and show a UID=0 account that cannot do much.

SELinux also includes the concept of confined admin. You can set up
accounts that have limited privileged root access. webadm_r:webadm_t

http://magazine.redhat.com/2008/04/17/fedora-9-and-summit-preview-confining-the-user-with-selinux/

Explains this.

On my laptop I run as staff_t and when I run sudo I become webadm_t. If
I run runuser I become unconfined_t. This means you can set up a user
account that can use sudo to do certain admin activities with locked
down privs.

The other way you can become root is to break into the system through a
flaw in a network service. If you are running SELinux and break into
httpd, you would end up with a process labeled httpd_t, and would only be
allowed to do the things the web server is allowed to do, even if your
UID==0.

One caveat in this is, if there is a kernel flaw that allows an account
to manipulate memory in the kernel, the hacker has a chance to turn
SELinux enforcement off, and all bets are off. We try to protect
against this through checks like execmem, execstack, execmod, execheap and
memzero checks. Hopefully more in the future.
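
An added example, not part of the original message or of any Fedora tooling, illustrating the point above that UID 0 alone does not decide privilege under SELinux: it parses `ps -eo label,uid,pid,comm` output and separates root processes running as `unconfined_t` from those held in a confined domain. The sample rows are constructed, and treating only `unconfined_t` as unconfined is an assumption to adjust per policy.

```python
from typing import NamedTuple

# Constructed sample of `ps -eo label,uid,pid,comm` output; not from a real host.
SAMPLE_PS = """\
LABEL                                                   UID   PID COMMAND
system_u:system_r:httpd_t:s0                              0  1201 httpd
staff_u:staff_r:staff_t:s0-s0:c0.c1023                 1000  2310 bash
staff_u:webadm_r:webadm_t:s0-s0:c0.c1023                  0  2355 vim
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023     0  2400 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  1001  2410 ssh
"""

# Assumption: only unconfined_t counts as unconfined; extend for your policy.
UNCONFINED_TYPES = frozenset({"unconfined_t"})

class Proc(NamedTuple):
    type: str   # SELinux domain, third field of the context
    uid: int
    pid: int
    comm: str

def parse_ps(text):
    """Parse `ps -eo label,uid,pid,comm` lines into Proc records."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # header, blank line, or malformed row
        # Context is user:role:type[:level]; the level may itself contain ':'.
        parts = fields[0].split(":", 3)
        if len(parts) < 3:
            continue  # no usable label, e.g. "-" when SELinux is disabled
        procs.append(Proc(parts[2], int(fields[1]), int(fields[2]), fields[3]))
    return procs

def audit_root(procs, unconfined=UNCONFINED_TYPES):
    """Split UID 0 processes into (unconfined, confined) lists."""
    root = [p for p in procs if p.uid == 0]
    return ([p for p in root if p.type in unconfined],
            [p for p in root if p.type not in unconfined])

if __name__ == "__main__":
    loose, held = audit_root(parse_ps(SAMPLE_PS))
    for p in loose:
        print(f"UNCONFINED root: pid={p.pid} {p.comm} ({p.type})")
    for p in held:
        print(f"confined root:   pid={p.pid} {p.comm} ({p.type})")
```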