On 10/27/2010 06:35 AM, Bryn M. Reeves wrote:
> On 10/26/2010 10:39 PM, Bruno Wolff III wrote:
>> On Tue, Oct 26, 2010 at 14:07:53 -0700,
>> Jesse Keating <jkeating@xxxxxxxxxx> wrote:
>>> That's only if you give root the right to disable or load new selinux
>>> policy.
>>
>> And the policy is tight enough. You need to not allow root shells or most
>> processes the ability to read the keys out of memory or to write memory
>> that will change how things work. I don't think targeted policy is locked
>> down enough to stop that even if you don't allow root to disable selinux.
>>
>>> Seriously, there are machines on the public Internet with a published
>>> root account. You're welcome to log in and try to do anything with them.
>>
>> Yeah, I know about one guy that offers a root password if you ask. I am
>> not sure what policy he is running on that machine.
>
> It's Russell Coker, access details are available here:
>
> http://www.coker.com.au/selinux/play.html
>
> However the pages haven't been updated in a while and the service seems to be
> down right now.
>
> Regards,
> Bryn.

There are two ways to get root on a system.

One is through a login process. Either log in directly as root or log in as a
user and execute su/sudo. SELinux by default since F9 and RHEL6 allows you to
set up confined users, but defaults to unconfined_t. If you log in to a system
as a user and get unconfined_t user type, and you become root, you can take
over the system. You can set up the root account to log in as any confined
user, and show a UID=0 account that cannot do much.

SELinux also includes the concept of confined admin. You can set up accounts
that have limited privileged root access.

webadm_r:webadm_t

http://magazine.redhat.com/2008/04/17/fedora-9-and-summit-preview-confining-the-user-with-selinux/
explains this.

On my laptop I run as staff_t and when I run sudo I become webadm_t. If I run
runuser I become unconfined_t. This means you can set up a user account that
can use sudo to do certain admin activities with locked down privs.

The other way you can become root is to break into the system through a flaw
in a network service. If you are running SELinux and break into httpd, you
would end up with a process labeled httpd_t, and would only be allowed to do
the things the web server is allowed to do, even if your UID==0.

One caveat in this is, if there is a kernel flaw that allows an account to
manipulate memory in the kernel, the hacker has a chance to turn SELinux
enforcement off, and all bets are off. We try to protect against this through
checks like execmem, execstack, execmod, execheap and memzero checks.
Hopefully more in the future.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
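
The distinction drawn in the message above, that a UID 0 process is only as powerful as its SELinux type, can be checked across a process list. The following is an added example, not part of the original message: the sample `ps -eo uid,label,comm` output is constructed, and treating only `unconfined_t` as unconfined is an assumption to adjust to the local policy.

```python
from typing import NamedTuple, Optional

# Constructed sample in the shape of `ps -eo uid,label,comm` output.
SAMPLE_PS = """\
  UID LABEL                                                 COMMAND
    0 system_u:system_r:httpd_t:s0                          httpd
    0 staff_u:webadm_r:webadm_t:s0-s0:c0.c1023              vi
    0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 bash
 1000 staff_u:staff_r:staff_t:s0-s0:c0.c1023                bash
    0 -                                                     legacyd
"""

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str

def parse_context(label: str) -> Optional[Context]:
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        return None  # e.g. "-" when the process carries no label
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

def classify_root_processes(ps_output, unconfined_types=frozenset({"unconfined_t"})):
    """Return (command, type, status) for every UID 0 process in ps_output."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # header or blank line
        if int(fields[0]) != 0:
            continue  # only root-owned processes are of interest here
        ctx = parse_context(fields[1])
        if ctx is None:
            status = "unlabeled"
        elif ctx.type in unconfined_types:
            status = "unconfined"  # root here is not restricted by type
        else:
            status = "confined"  # limited to what policy grants that type
        findings.append((fields[2].strip(), ctx.type if ctx else None, status))
    return findings

if __name__ == "__main__":
    for comm, ctype, status in classify_root_processes(SAMPLE_PS):
        print(f"{comm:10} {ctype or '-':14} {status}")
```

"confined" here only means the type is outside the unconfined set; what the process may actually do still depends on the loaded policy.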