SELinux and the Desktop

Colin Walters walters at redhat.com
Thu Oct 14 18:51:47 UTC 2004


On Thu, 2004-10-14 at 14:27 -0400, Stephen Smalley wrote:
> On Thu, 2004-10-14 at 13:56, Steve Coleman wrote:
> > Colin Walters walters-at-redhat.com |fedora| wrote:
> > 
> > The major threat here is environment variables, right?
> 
> Hmm...didn't get Colin's original message, but I saw this reply. 
> Anyway, if the question is about domain transitions on scripts, then
> there is a fundamental race condition on script execution.  Think: 
> kernel looks up script file and reads header, kernel invokes interpreter
> with script file path as argument, interpreter looks up script file. 
> Caller can run arbitrary code in the new domain.

Well, this is only a threat in the case where the caller can do an
unlink in the directory that the script is in, correct?  I can see
that's a fundamental problem, but personally I'm more interested in
trying to for example give someone the ability to run /etc/init.d/* in a
secure manner.  Say we define a type like 'daemon_admin_t' that has
permissions to transition to initrc_t; perhaps we'd need to label
certain files in /etc/init.d/ instead of allowing general access to
initrc_t.  Right now though if you tried to do that a malicious attacker
could set many environment variables like PATH or IFS which shell
scripts would pick up.  Cleaning the environment would close that hole.
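The environment-cleaning wrapper sketched above, as an added example that is not code from this thread, from the selinux list, or from any SELinux policy. It is a hypothetical C helper: it accepts only a plain service name (no '/' or leading '.'), maps it under /etc/init.d, and execs the script with a fixed whitelist environment rather than the caller's, so a PATH or IFS set by the caller never reaches the shell. The directory, the variable whitelist and all function names are assumptions for illustration. It does not address the separate script-file lookup race described in the quoted reply.

```c
/* Hypothetical init.d wrapper (illustration only, not from the selinux list
 * or any SELinux policy).  Runs /etc/init.d/<name> <action> with a scrubbed
 * environment so caller-set variables such as PATH or IFS cannot influence
 * the shell script.  Pairing it with a domain transition is policy work
 * outside this example. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define INITD_DIR "/etc/init.d"   /* assumed location of the service scripts */

/* The only variables the script will see; nothing is inherited from the
 * caller.  IFS is deliberately absent so the shell uses its default. */
static const char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    "HOME=/",
    "LANG=C",
    "TERM=dumb",
    NULL
};

/* Accept only [A-Za-z0-9._-], not starting with '.' or '-', so the caller
 * cannot escape INITD_DIR or pass something that looks like an option. */
int validate_service_name(const char *name)
{
    size_t i, len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Absolute path of the script for a validated name, or NULL if rejected.
 * Returns a pointer into a static buffer (the wrapper execs once). */
const char *service_script_path(const char *name)
{
    static char path[256];
    int n;
    if (!validate_service_name(name)) return NULL;
    n = snprintf(path, sizeof path, "%s/%s", INITD_DIR, name);
    if (n < 0 || (size_t)n >= sizeof path) return NULL;
    return path;
}

/* Does the whitelist environment define the given variable?  Lets a caller
 * (or a test) confirm that names such as IFS never reach the script. */
int clean_env_has(const char *var)
{
    size_t vlen = strlen(var);
    for (const char *const *e = clean_env; *e != NULL; e++) {
        if (strncmp(*e, var, vlen) == 0 && (*e)[vlen] == '=') return 1;
    }
    return 0;
}

/* Replace the current process with the service script.  Returns -1 only on
 * failure; execve is passed clean_env, never environ. */
int run_service(const char *name, const char *action)
{
    const char *path = service_script_path(name);
    char *argv[3];
    if (path == NULL) {
        errno = EINVAL;
        return -1;
    }
    argv[0] = (char *)path;
    argv[1] = (char *)action;
    argv[2] = NULL;
    execve(path, argv, (char *const *)clean_env);
    return -1;   /* execve only returns on error */
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <service> <action>\n", argv[0]);
        return 2;
    }
    if (run_service(argv[1], argv[2]) != 0) {
        perror(argv[1]);
        return 1;
    }
    return 0;
}
```

The whitelist is the important part: starting from an empty environment and adding known values is what closes the PATH/IFS hole, whereas deleting a list of "dangerous" variables from the inherited environment leaves every variable you did not think of.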
