jmjonesat_private wrote: >On Thu, 24 Jan 2002, Stephen Smalley wrote: > >>On Thu, 24 Jan 2002 jmjonesat_private wrote: >> >>>Wouldn't it be useful for a userspace application that is >>>setuid root to be able to bypass the module's checks. >>> >>Useful for people who want to break into your systems, yes. One of the >>problems with existing Unix systems is that you only need to find a single >>setuid root program or root daemon that has a flaw, and you can take >>control of the entire system. >> >Um, respectfully, I might disagree. What I'm looking for is a way to >install a product on the system that works, rather than a way to bypass >security. > No, Stephen is correct. What you are asking for is a way for someone installing software (root) to bypass mandatory policies enforced by the module. That is equivalent to bypassing security and breaking into the system. Naturally, to change policy, you must talk to the policy engine. That is the module. No, there is no standard way to do that, because the models are all different: * Capabilities: use chmod to make the app setuid root. * SubDomain: edit the files in /etc/subdomain.d to grant the application appropriate permissions. * DTE, SELinux: assign the program to an appropriate type, and/or manage the permissions for the appropriate type. > Perhaps a small application that ASKS for such a access, or >a way for the install code to similarly ask and answer. If this is >well beyond the concept of "security", I understand, but this is the way >that INSTALL scripts have worked in the pass. I'm looking for a new way >to do the same thing. > You could write an application (lets call it LSMClueStick :-) that knows about some shopping list of LSM modules, and exports a "standard" interface that is defined by LSMClueStick. Then your install scripts (say, the shell scripts in the install part of your RPM) call LSMClueStick with the command "Give application Foo God-like powers". LSMClueStick then sniffs the modules currently loaded, and does the appropriate things to manage policy for the appropriate module. Naturally, LSMClueStick will also need God-like powers, which you will have to grant it by hand, because most modules won't let it do it for itself. Similarly, the LSMClueStick application has now become a single point of failure: if anyone ever finds a critical bug in LSMClueStick, then they can use it to totally over-ride all LSM policies (for the policy modules that it knows about). Personally, I would not use LSMClueStick. Your milage may vary. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX Communications, Inc. http://wirex.com Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html The Olympic Games: A Century of Corruption and Graft _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jan 24 2002 - 13:50:35 PST