SUID question

Richard Troy rtroy at ScienceTools.com
Tue Oct 7 19:21:32 UTC 2008 

Hello All,

As it's my first post here, I want to say I'm glad this list exists as I'm
pretty sure there are folks who can point me in the right directions, as
needed...

I've been using unix since the 1970s, so I'm pretty familliar with it, and
I've been using Linux - and Red-Hat / Fedora since their early days, too,
so in general terms, I'm no novice. However, I've been ignoring SELINUX.
When I first tried it, it was a huge disaster and I haven't given it
another look, but the time has finally come, primarily because I simply
_must_ resolve a problem I strongly suspect is caused by SELINUX, and
secondarily because I've got a system that runs on just about everything
_but_ selinux and provides compute server (think "grid computing") and
sophisticated archival services, and it's to the point where it's time
that it work on SELINUX systems, too.

So, the more immediate problem: On a Fedora host, a "C" based program that
launches all the server functionality (including archiving) has its suid
bit set (and gid, too) so it runs as the server installation's owner. It's
actually pretty smart by validating its environment hasn't been hacked,
etc, and then gets to business. This code has somehow broken during a
couple of upgrades of Fedora - I didn't notice it at first because as the
developer, I always run it as the development installation's owner and as
a fluke apparently others haven't experienced this problem or haven't
reported it. Recently, however, someone else went to play with it and it
refused.  Some simple checks indicated that the SUID bit wasn't being
honored. The system has SELINUX installed but disabled - the kernel is
2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
but _why?_

...There's no known (to me!) reason this should fail! Any pointers GREATLY
appreciated.

The less immediate issue is really a quest for pointers to the most
appropriate source packages so I can see how other programs solve similar
SELINUX related issues. Ideally, this code can both archive and restore
any file on the system. In addition, it currently - ignoring SELINUX for a
moment - tracks all meta-data changes - ownership and permissions, the
various dates associated with a file, etc, in addition to file data, so it
has the handy trait of both providing an audit trail and an ability to
restore data or meta-data as needed. As such it needs to be able to
discover what the security context details are so it can record them, in
addition to the obvious need to update SELINUX security details on a per
file basis.... I don't even know how to do that from the command line,
much less write a program to do it! ...However, I'm sure somewhere these
things have been already addressed, such as with tar, etc.

Please point me to what you think are appropriate models / code that can
be examined, etc. And, if there's a well written tutorial intended for
people who are already "up to speed" on everything but SELINUX, it would
be greatly appreciated.

Thank you,
Richard

-- 
Richard Troy, Chief Scientist
Science Tools Corporation
510-717-6942
rtroy at ScienceTools.com, http://ScienceTools.com/

More information about the selinux mailing list