Security context, how to change?

Daniel J Walsh dwalsh at redhat.com
Thu Oct 13 13:16:48 UTC 2005 

Ivan Gyurdiev wrote:
> Valdis.Kletnieks at vt.edu wrote:
>> On Thu, 13 Oct 2005 07:42:48 +0200, Tomas Larsson said:
>>  
>>> How do I change the security context automatically.
>>> I.e if I am moving one file from one folder, is it possible to 
>>> automatically
>>> to
>>> Put the context for the new directory on the file.
>>> For example, if I move a file from the FTP-upload folder to HTTPD 
>>> download
>>> folder.
>>>     
> If you're talking about moving things via shell commands, then using 
> the cp command will automatically change the context, if you have 
> sufficient rights to do so (read the old context, write the new 
> context, write to the folder...etc).
>> It may make more sense to create a new context 'user_uploaded_t' or some
>> such, and give the FTP server the access needed to write it, and the 
>> httpd
>> the needed read access.  That way, it gets "sandboxed" and even if it's
>> malicious code, nothing else can accidentally read/execute it, so your
>> system integrity is enhanced.
>>  
public_content_rw_t (Formerly ftpd_anon_rw_t) has this characteristic.  
You can set booleans on whether http or ftp and write to it.  All 
sharing apps can read it.  (httpd, ftp, samba, rsync)

> A type to taint untrusted content already exists (in strict policy 
> anyway, not sure about targeted) - it is called 
> $1_untrusted_content_t. This type does not "guard" the content within, 
> so you wouldn't use it to target information to be used by a specific 
> program (like, if you wanted the information to be available to httpd 
> only, but nothing else). Instead, it controls access by all content 
> consumers, based on global boolean (read_untrusted_content). 
> Currently, this is used mostly by desktop programs, for things like... 
> gpg (signing content), mplayer (playing movies), lpr (print stuff), 
> mail programs (upload stuff), mozilla client (upload stuff).
>
> Those applications currently use a macro called read_content() to 
> access all "trusted" data in /tmp, /home (not what you want), and 
> "untrusted" data, if you choose so. You can disable access to reading 
> "untrusted" data globally by setting the boolean. In any event, $1_t 
> has { relabelto relabelfrom } rights for this type.
>
> My point here is that an appropriate data type exists, IMHO. It might 
> have macros for it, designed for a different purpose in mind, but the 
> goal of the type is essentially the same (taint malicious data). It's 
> also customizable, so the taint persists after restorecon.
>
> I think a lot of this desktop stuff could be further refined to be 
> relevant to servers. If we can solve the desktop problem, then the 
> server problem becomes easy (desktop is a lot more complicated).
>> Depending on your paranoia level, you may or may not want to allow some
>> way for a process running in some user_t to un-sandbox the file.  It 
>> may be
>> sufficient to allow user_t to read it, as there probably shouldn't be 
>> any
>> automated processes running as user_t - with the implicit "the user 
>> is taking
>> responsibility for this"...
>>   
> user_t has { relabelto relabelfrom } rights to the type I was discussing.
> Note that you can still revoke user_t's rights to read such content, 
> to prevent accidental opening of dangerous files.
> user_t keeps { getattr and unlink }.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


--

More information about the selinux mailing list