Re: [RFC] [PATCH] Replace security fields with hashtable

From: Colin Walters (walters@private)
Date: Wed Oct 27 2004 - 14:41:07 PDT


On Wed, 2004-10-27 at 17:26 -0400, Valdis.Kletnieks@private wrote:
> On Wed, 27 Oct 2004 17:13:53 EDT, Colin Walters said:
> 
> > > No - that's a different attack than I'm worried about.  I'm looking at
> > > the case of being redirected to stomp on my *own* files that I have the
> > > privs to.  You run gcc, gcc creates a tempfile in /tmp, that accidentally
> > > follows a symlink, and your ~/.foo file gets clobbered (yes, they fixed *that*
> > > bug in gcc a while ago).
> > 
> > Who created the symlink in this attack?
> 
> The attacker (usually running as 'generic user')

The attacker's uid is irrelevant to SELinux.

For example:
http://www.kb.cert.org/vuls/id/35842

Here the makewhatis script will run as the system_crond_t, which doesn't
have permission to read e.g. user_tmp_t, according to apol.  Thus an
exploit is prevented.

And here, sudo doesn't (AFAICS) run in a separate domain with SELinux,
and thus no extra privileges can be gained by an attacker.
http://www.kb.cert.org/vuls/id/424358

This one is the same as makewhatis, assuming you run tripwire from cron:
http://www.kb.cert.org/vuls/id/349019

etc.  As far as I can see, all of these attacks would be stopped by the
example SELinux policy.
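The attack class discussed above (an unprivileged attacker plants a symlink where a privileged or other-user process will create a predictable scratch file, so the create-and-truncate lands on the link target) is easy to reproduce without any policy in the way. The following is an added illustration, not code from the message or from any of the cited advisories: it builds the scenario in a fresh temporary directory, runs a writer that uses the classic O_CREAT|O_TRUNC pattern and one that uses O_CREAT|O_EXCL|O_NOFOLLOW, and reports whether the "victim" file (standing in for the ~/.foo of the quoted text) was clobbered. The directory name, file names and contents are constructed for the demo; the SELinux point in the message is orthogonal, since a correct type-enforcement policy stops the write at the system_crond_t / user_tmp_t boundary regardless of how the file is opened.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1   /* O_NOFOLLOW and mkdtemp() on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the user's own file that the attack redirects into. */
static const char VICTIM_DATA[] = "important user data\n";

static int write_all(int fd, const char *s, size_t n)
{
    return write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

/* Vulnerable pattern: predictable name, O_CREAT|O_TRUNC. If the name already
 * exists as a symlink, open() follows it and truncates/overwrites the target. */
static int scratch_write_vulnerable(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    int rc = write_all(fd, "scratch\n", 8);
    close(fd);
    return rc;
}

/* Hardened pattern: O_EXCL refuses any pre-existing name, and on Linux a
 * O_CREAT|O_EXCL open of a symlink fails with EEXIST no matter where it points.
 * O_NOFOLLOW rejects a symlink as the final component (ELOOP) in the non-create
 * case as well. mkstemp() provides the same guarantees with an unguessable name. */
static int scratch_write_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    int rc = write_all(fd, "scratch\n", 8);
    close(fd);
    return rc;
}

/* Set up victim + attacker-planted symlink "work.tmp" -> victim, run one writer
 * against the symlink, and check whether the victim still holds its bytes.
 * Returns 1 if the victim was clobbered, 0 if it survived, -1 on setup error. */
int run_demo(int hardened)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    char victim[64], lnk[64], buf[64];
    ssize_t n;
    int fd, clobbered = -1;

    if (mkdtemp(dir) == NULL) {
        /* fall back to the working directory if /tmp is not writable */
        strcpy(dir, "./symlinkdemo.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/work.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    if (write_all(fd, VICTIM_DATA, sizeof VICTIM_DATA - 1) != 0) {
        close(fd);
        goto cleanup;
    }
    close(fd);

    /* The attacker's move: occupy the predictable scratch name with a symlink. */
    if (symlink(victim, lnk) != 0)
        goto cleanup;

    if (hardened)
        scratch_write_hardened(lnk);    /* fails with EEXIST, victim untouched */
    else
        scratch_write_vulnerable(lnk);  /* follows the link, truncates the victim */

    fd = open(victim, O_RDONLY);
    if (fd < 0)
        goto cleanup;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        goto cleanup;
    buf[n] = '\0';
    clobbered = strcmp(buf, VICTIM_DATA) != 0;

cleanup:
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("vulnerable writer clobbered victim: %d\n", run_demo(0));
    printf("hardened writer clobbered victim:   %d\n", run_demo(1));
    return 0;
}
```

The demo runs entirely as one uid, which is exactly the case Valdis raises: no privilege boundary is crossed, the write simply lands on a file the caller was already allowed to touch. The file-API fix (O_EXCL|O_NOFOLLOW or mkstemp) closes the hole in the program; the SELinux argument in the message is that a domain such as system_crond_t should not be able to follow into user_tmp_t in the first place, so even an unfixed program is contained.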

This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 14:40:58 PDT