Re: bind-chroot obsolete due to SElinux?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Yes

There's no protection provided by bind-chroot that is not provided by running
named with SELinux in Enforcing mode.
I have my doubts about that.

A chroot jail allows you to easily see what bind can and cannot do.
SElinux requires analysis of policy to accomplish the same thing.
It likely does have a lot more privileges than when jailed.

For example,
files_read_etc_files(named_t) allows named to read all files marked etc_t. Those are usually configuration files, shouldn't be any secrets there.... What if it turns out there is a secret file mislabeled by mistake? Why is named interested in configuration of other programs anyway?

I also see named can interact with NetworkManager, mount(??), dbus domain over sockets and pipes.
Is this possible in a chroot jail?

To be sure the application does exactly what it should, it's necessary to:
1) look at the generated policy, and search for dangerous domain interactions.
2) ensure labeling is working properly

I would advise people working on bind-chroot to audit the selinux policy and make sure it does what it should, before assuming it provides the same level of confinement as a chroot jail. SElinux does aim for minimum privilege - but to what degree it accomplishes that is highly variable depending on which policy you're looking at. That's probably why SELinux runs after DAC, and not by itself.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux