On Wed, 27 Oct 2004 13:56:03 EDT, Colin Walters said:

> You can quite easily express "don't allow program to follow untrusted
> symlink" in SELinux by simply not granting it { read } permission for
> <target>:lnk_file.

Good. Now tell me how to coerce the file labelling to set <target> to some specified value for any symlink in a world-writable directory (taking care to note that potentially, the dir wasn't writable when the symlink is created, so we need to relabel all the files at chmod time...).

> By the way, I'm pretty sure your LSM is insufficient in the presence of
> ACLs.

OK.. So the directory *could* be non-world-writable but with an ACL that lets the victim in. If you get into this state with /tmp or /var/tmp or similar, then you've got bigger problems anyhow.. ;)

I need to ponder it a bit more - that *should* be dealt with better...
This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 11:11:30 PDT