Re: Legitimate Question

From: Valdis.Kletnieksat_private
Date: Mon Jan 28 2002 - 11:15:45 PST


    On Mon, 28 Jan 2002 00:16:00 +1100, Russell Coker said:
    > On Sat, 26 Jan 2002 14:17, Valdis.Kletnieksat_private wrote:
    
    > > Try that with an NTP RPM, and let me know how well it works when the LSM
    > > you have loaded refuses to allow the process to set the system clock. ;)
    > 
    > There are only two problems with that:
    > 
    > 1)  There has been no chsid/relabel operation done after the files were put 
    > in place to give them the correct security settings.
    > 2)  The standard RPM package of NTP undoubtedly doesn't use run_init.
    > 
    > For Debian we are currently discussing ways of solving 1.  One suggestion 
    > that can be immediately supported is to unpack a package, search its file 
    > list and match it on /etc/flask/file_contexts, and apply the appropriate SIDs.  
    > Then continue with the package configuration.  I could possibly even divert 
    > dpkg to a wrapper which does this.
    
    However, this implies that you've *already* told your LSM package about NTP.
    If it's a *new* package, you won't have entries in /etc/flask.  You also
    won't be able to use the /etc/flask data if you are using some other LSM
    that doesn't speak flask.
     
    > These things are solvable!
    
    The statement as originally made: "You can just build the RPM on a non-LSM
    machine and it will Just Work" is *not* solvable.
    
    There seem to be 2,004 RPMs on the RedHat Rawhide.  *Every Single One* was
    built on a non-LSM machine.  How many will roll over and die if run on a
    system that has an LSM of some sort running that restricts what processes
    can/cannot do?
    
    And handwaving about "just put it in /etc/flask" is just that - handwaving.
    Even if you go through and create flask entries for all those RPMs that
    need them, you will *still* have to go back and add new entries when
    somebody releases Foo-Gronk 0.9.5.
    
    /Valdis
    
    
    
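The relabel-on-install step that Russell sketches (walk the package's file list, match each path against the `regex [-type] context` entries of a file_contexts file, label accordingly) and Valdis's objection to it (a package the policy has never heard of gets no entries, or only generic ones) can both be seen in a small matcher. The following is an added example written for this page, not code from the thread, from the Flask/SELinux project or from dpkg. It assumes the setfiles conventions that the last matching entry wins, that a regex is anchored at both ends, that `--`/`-d`/`-l` restrict an entry to a file type, and that a `<<none>>` context means "leave the file alone"; the file_contexts entries and the two package manifests below are constructed for the example and are not taken from any real policy or package.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the setfiles-style "regex [-type] context" layout.
# The entries are made up for this example, not copied from a real policy.
FILE_CONTEXTS = r"""
# regex                      type  security context
/etc(/.*)?                         system_u:object_r:etc_t
/etc/ntp\.conf                  -- system_u:object_r:ntp_conf_t
/usr/sbin/.*                    -- system_u:object_r:sbin_t
/usr/sbin/ntpd                  -- system_u:object_r:ntpd_exec_t
/var/lib/ntp(/.*)?                 system_u:object_r:ntp_var_lib_t
/tmp                            -d <<none>>
"""

# Constructed package manifests: (path, file type) with f=regular, d=dir, l=symlink.
NTP_MANIFEST = [
    ("/etc/ntp.conf", "f"),
    ("/etc/ntp", "d"),
    ("/usr/sbin/ntpd", "f"),
    ("/usr/sbin/ntpdate", "f"),
    ("/var/lib/ntp", "d"),
    ("/var/lib/ntp/drift", "f"),
]
# The hypothetical "Foo-Gronk 0.9.5" from the mail: a package the policy does not know.
GRONK_MANIFEST = [
    ("/usr/sbin/gronkd", "f"),
    ("/etc/gronk.conf", "f"),
    ("/opt/foo-gronk/lib/libgronk.so", "f"),
]

# Type flags as used by setfiles; None in a Spec means "any file type".
TYPE_FLAGS = {"--": "f", "-d": "d", "-l": "l", "-b": "b", "-c": "c", "-p": "p", "-s": "s"}


class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]
    context: str


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts text into ordered specs; order matters for matching."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            if flag not in TYPE_FLAGS:
                raise ValueError(f"line {lineno}: unknown file type flag {flag!r}")
            ftype: Optional[str] = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        specs.append(Spec(re.compile(regex), ftype, context))
    return specs


def match_context(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Return the context of the LAST matching spec (setfiles rule), or None.

    fullmatch() gives the both-ends anchoring that setfiles applies to each regex.
    """
    chosen: Optional[str] = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            chosen = spec.context
    return chosen


def plan_relabel(specs: List[Spec], manifest: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Return ({path: context}, [paths with no entry]) for one package.

    Paths whose winning entry is <<none>> are deliberately left alone and
    appear in neither result, mirroring how setfiles treats that context.
    """
    labels: Dict[str, str] = {}
    unmatched: List[str] = []
    for path, ftype in manifest:
        ctx = match_context(specs, path, ftype)
        if ctx is None:
            unmatched.append(path)
        elif ctx != "<<none>>":
            labels[path] = ctx
    return labels, unmatched


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for name, manifest in (("ntp", NTP_MANIFEST), ("foo-gronk", GRONK_MANIFEST)):
        labels, unmatched = plan_relabel(specs, manifest)
        print(f"== {name}")
        for path, ctx in labels.items():
            print(f"  {path:32} -> {ctx}")
        for path in unmatched:
            print(f"  {path:32} -> NO ENTRY in file_contexts")
```

Run stand-alone, the ntp package is fully labelled, and `/usr/sbin/ntpd` gets `ntpd_exec_t` only because a later, more specific entry overrides the generic `/usr/sbin/.*` one. The foo-gronk package shows the other half of the argument: its daemon falls through to the generic `sbin_t` (so it will run in whatever domain an unlisted sbin binary gets, not a tailored one), its library under `/opt` has no entry at all, and nothing short of writing new file_contexts lines for that package changes either outcome. A dpkg wrapper of the kind Russell proposes would feed the `labels` dictionary to the relabelling tool of the day (chsid in this thread) and would have to decide what to do with the `unmatched` list.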

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
