* Colin Walters <walters@private> [2004-10-27 23:41]:
> On Wed, 2004-10-27 at 17:26 -0400, Valdis.Kletnieks@private wrote:
> > On Wed, 27 Oct 2004 17:13:53 EDT, Colin Walters said:
> > > > No - that's a different attack than I'm worried about. I'm looking at
> > > > the case of being redirected to stomp on my *own* files that I have the
> > > > privs to. You run gcc, gcc creates a tempfile in /tmp, that accidentally
> > > > follows a symlink, and your ~/.foo file gets clobbered (yes, they fixed *that*
> > > > bug in gcc a while ago).
> > >
> > > Who created the symlink in this attack?
> >
> > The attacker (usually running as 'generic user')
>
> The attacker's uid is irrelevant to SELinux.
[...]
> etc. As far as I can see, all of these attacks would be stopped by the
> example SELinux policy.

But it would still be nice to stop attackers from the same domain. E.g. if I have a rogue user in user_t, SELinux will prevent him from messing with other domains. But what if he wants to interfere with another user (also in user_t) who uses a program with exploitable temp races? From an SELinux POV, he can't get additional privileges, but from the user POV it's still not very nice if he loses important files because of a temp race.

So I think it makes sense to have stronger DAC protections in addition to MAC, even if they cannot guarantee complete protection.

Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
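The temp-file race the thread is discussing comes down to how the scratch file is opened. The program below is an added example, not code from this thread or from gcc: it builds a private scratch directory with a constructed "victim" file and a symlink planted at a predictable temp-file name, then shows that an `open()` with `O_CREAT|O_TRUNC` is redirected onto the victim's inode while `O_CREAT|O_EXCL|O_NOFOLLOW` (or `mkstemp(3)`, which picks the name itself) refuses. All paths and file names are constructed for the demo; it assumes a POSIX system with a writable `/tmp`.

```c
#define _GNU_SOURCE /* expose mkdtemp/mkstemp/O_NOFOLLOW under strict -std flags */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* very old headers: O_EXCL alone still blocks the symlink */
#endif

/* The pattern behind the old gcc bug: a predictable name opened so that the
   kernel follows whatever already sits there, including a planted symlink. */
static int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if anything (a symlink included) already exists at
   'path'; O_NOFOLLOW additionally refuses to traverse a final-component symlink. */
static int hardened_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: let mkstemp(3) pick an unpredictable name and create it atomically
   with O_CREAT|O_EXCL and mode 0600. 'template_path' must end in XXXXXX. */
static int random_create(char *template_path)
{
    return mkstemp(template_path);
}

enum { PROBE_SETUP_FAILED = -1, PROBE_REFUSED = 0, PROBE_FOLLOWED_LINK = 1, PROBE_CREATED_NEW = 2 };

/* Constructed scenario: a 0700 scratch dir holding "important.txt" (the victim)
   and a symlink "predictable.tmp" -> victim. Run 'creator' on the symlink path
   and report whether the descriptor it returns refers to the victim's inode.
   Nothing is written through the descriptor (O_TRUNC alone already empties the
   victim, which is the clobbering the thread describes). *err gets errno when
   the creator refuses. Everything is removed afterwards. */
static int probe(int (*creator)(const char *), int *err)
{
    char dir[] = "/tmp/tmprace-demo-XXXXXX";
    char victim[128], link_path[128];
    struct stat vst, fst;
    int fd, rc = PROBE_SETUP_FAILED;

    *err = 0;
    if (!mkdtemp(dir))
        return PROBE_SETUP_FAILED;
    snprintf(victim, sizeof victim, "%s/important.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/predictable.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    (void)write(fd, "keep me\n", 8);
    close(fd);
    if (symlink(victim, link_path) != 0 || stat(victim, &vst) != 0)
        goto out;

    fd = creator(link_path);
    if (fd < 0) {
        *err = errno;
        rc = PROBE_REFUSED;
    } else {
        rc = (fstat(fd, &fst) == 0 && fst.st_ino == vst.st_ino && fst.st_dev == vst.st_dev)
                 ? PROBE_FOLLOWED_LINK : PROBE_CREATED_NEW;
        close(fd);
    }
out:
    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return rc;
}

/* errno the hardened open reports for the planted symlink (EEXIST on Linux). */
static int hardened_refusal_errno(void)
{
    int e = 0;
    probe(hardened_create, &e);
    return e;
}

/* Self-check for mkstemp: 1 if it yields a regular file with no group/other bits. */
static int random_create_is_private(void)
{
    char dir[] = "/tmp/tmprace-demo-XXXXXX";
    char tmpl[128];
    struct stat st;
    int fd, ok = 0;

    if (!mkdtemp(dir))
        return 0;
    snprintf(tmpl, sizeof tmpl, "%s/scratch-XXXXXX", dir);
    fd = random_create(tmpl);
    if (fd >= 0) {
        ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
        close(fd);
        unlink(tmpl);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    int err;
    printf("naive O_CREAT|O_TRUNC: %s\n",
           probe(naive_create, &err) == PROBE_FOLLOWED_LINK ? "followed the planted symlink onto the victim" : "did not reach the victim");
    printf("hardened O_CREAT|O_EXCL|O_NOFOLLOW: %s (%s)\n",
           probe(hardened_create, &err) == PROBE_REFUSED ? "refused" : "opened", strerror(err));
    printf("mkstemp in a private directory is 0600: %s\n", random_create_is_private() ? "yes" : "no");
    return 0;
}
```

The inode comparison is the check worth keeping: a program that wants to know it got a fresh file, not a redirect, can `fstat()` the descriptor and confirm `st_nlink == 1` and that it is a regular file it just created. None of this is a substitute for the MAC separation the thread describes; it is the DAC-side discipline the message argues for.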
This archive was generated by hypermail 2.1.3 : Wed Oct 27 2004 - 15:04:26 PDT