[ CC-List trimmed a little ]

* Colin Walters <walters@private> [2004-10-29 16:46]:
> On Wed, 2004-10-27 at 23:23:22 -0100, Thomas Bleher wrote:
[ preventing symlink exploits between users in the same role ]
>
> One idea occurred to me: Could you express this as a constraint based on
> the SELinux user identity (rather than the uid, which is untrustworthy).
>
> Something like this:
>
> constrain lnk_file read ( t2 != tmpfile or u1 == u2 );

So far this looks all pretty fine to me. I can think of one problem though:
When a daemon is started on system boot it will run with user identity
system_u. However, if it is later restarted and direct_sysadm_daemon is in
effect, it will run in another user identity which is authorized for
system_r, most probably root.

So, does anyone know of any daemon which puts symlinks under /tmp and
expects to read them after a restart?

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
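An added example, not code from the thread or from the SELinux policy tools: a small evaluator for the subset of `constrain` syntax used in the proposed rule, so the rule and the daemon-restart case Thomas raises can be checked against sample security contexts. The user names alice_u and bob_u and the daemon_t contexts are constructed for illustration.

```python
import re
from collections import namedtuple
# Added example, not from the thread: evaluator for the subset of SELinux 'constrain'
# syntax used above. Contexts and user names (alice_u, bob_u) used with it are constructed.
Context = namedtuple("Context", "user role type")   # from "user:role:type[:mls]"
TOKEN = re.compile(r"\(|\)|==|!=|\w+")
ATTR = {"u1": "user", "r1": "role", "t1": "type", "u2": "user", "r2": "role", "t2": "type"}

def parse_constrain(stmt):
    """'constrain <class> <perm> ( expr );' -> (class, perm, token list)."""
    m = re.fullmatch(r"\s*constrain\s+(\w+)\s+(\w+)\s+(.*?);\s*", stmt)
    if not m:
        raise ValueError("not a constrain statement: %r" % stmt)
    return m.group(1), m.group(2), TOKEN.findall(m.group(3))

def evaluate(tokens, src, tgt):
    """expr := and_expr ('or' and_expr)*; and_expr := term ('and' term)*;
    term := '(' expr ')' | operand ('=='|'!=') operand.  'not' is not supported."""
    pos = 0
    def value(tok):   # u1/r1/t1 name the source context, u2/r2/t2 the target
        if tok in ATTR:
            return getattr(src if tok.endswith("1") else tgt, ATTR[tok])
        return tok    # any other identifier is a literal user/role/type name
    def term():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok == "(":
            v = expr(); pos += 1          # consume the closing ')'
            return v
        op, rhs = tokens[pos], tokens[pos + 1]; pos += 2
        return (value(tok) == value(rhs)) == (op == "==")
    def and_expr():
        nonlocal pos
        v = term()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1; v = term() and v    # parse the operand even when v is False
        return v
    def expr():
        nonlocal pos
        v = and_expr()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1; v = and_expr() or v
        return v
    return expr()

CONSTRAINT = "constrain lnk_file read ( t2 != tmpfile or u1 == u2 );"

def link_read_allowed(src_ctx, tgt_ctx, stmt=CONSTRAINT):  # may src read the link tgt?
    cls, perm, tokens = parse_constrain(stmt)
    if (cls, perm) != ("lnk_file", "read"):
        return True   # the constraint restricts nothing but lnk_file read
    return evaluate(tokens, *(Context(*c.split(":")[:3]) for c in (src_ctx, tgt_ctx)))
```

The restart case from the mail is `link_read_allowed("root:system_r:daemon_t", "system_u:object_r:tmpfile")`, which returns False: the link was created as system_u, the restarted daemon runs as root, so u1 == u2 fails.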
This archive was generated by hypermail 2.1.3 : Mon Nov 01 2004 - 01:47:00 PST