Re: setting files attributes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2004-04-15 at 08:18, Gene Czarcinski wrote:
> What make -C /etc/security/selinux/src/policy/ relabel appears to do is to go 
> through the all mounted filesystems and set the attributes depending on the 
> rules it has.  The question is, does it follow symbolic links or not.  If it 
> does not, then there should not be a problem as long as all of the policy 
> rules always use the actual (non-symbolic-link) path AND make sure we do also 
> if we do something manually.

setfiles does not follow symlinks during the traversal (FTW_PHYS).  It
also attempts to detect multiple hard links to the same file and issue
warnings if they would yield different security contexts.

> However, I can see a problem occurring if it does follow symbolic links 
> because the process likely occurs in sorted order.  Now /tmp is clears (or so 
> it says and, I hope, that means /var/tmp/ also), so I should not be able to 
> rename /usr/X11R6/bin/Xorg.  However, what if I had a symbolic link from my 
> home directory to something in /etc.  Would that get mislabeled?

setfiles doesn't follow symlinks during the traversal, but there is a
legitimate concern about malicious symlinks created during the traversal
after descent.  At present, this is mitigated by policy - setfiles is
not allowed to follow untrustworthy symlinks.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux