* Thomas Bleher <bleher@xxxxxxxxxxxxxxxxxxxxxxxxxx> [2004-06-11 16:32]:
> You should note that every uid==0 process can change its uid to anything
> else, SELinux doesn't restrict this at all.
> You can test this as root and user_r with the following perl command:
> $ perl -MPOSIX -e 'POSIX::setuid(1000);system("id");'

I thought about this a bit more and think that my previous posting was incorrect. (I'm not sure and can't test ATM, so it would be nice if someone could correct me if I'm wrong.)

Setting the uid in a program should be covered by the setuid capability, so this is controllable by SELinux policy. What is not covered (IIRC) are setuid executables.

Thomas

--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
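The message's point is that a programmatic uid change goes through the kernel's setuid capability check, which SELinux policy can allow or deny per domain. The following Python script is an added illustration, not part of Thomas's message or of the SELinux project: it repeats the quoted Perl test (a forked child attempts setuid(2) and reports whether the kernel allowed it) and, since a policy denial shows up as an AVC record in the audit log, it also parses two constructed sample audit lines to pick out denials of the setuid capability. The sample lines, pids and contexts are made up for the example; the `user_u:user_r:user_t` context is assumed to be the unprivileged domain from the quoted test.

```python
import os
import re

# Constructed sample audit lines (not taken from the original message). The first has
# the shape of an AVC denial of the setuid capability (CAP_SETUID is capability 7);
# the second is an unrelated file denial included so the filter has something to skip.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1086956000.123:42): avc:  denied  { setuid } for  pid=2345 '
    'comm="perl" capability=7  scontext=user_u:user_r:user_t '
    'tcontext=user_u:user_r:user_t tclass=capability',
    'type=AVC msg=audit(1086956001.456:43): avc:  denied  { read } for  pid=2346 '
    'comm="cat" name="shadow" dev=hda1 ino=12345 scontext=user_u:user_r:user_t '
    'tcontext=system_u:object_r:shadow_t tclass=file',
]

# Matches the fields of an AVC denial that matter here: the denied permissions,
# the source and target contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the parsed fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def setuid_capability_denials(lines):
    """Source contexts whose uid change was refused by the policy's capability check."""
    denied = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["tclass"] == "capability" and "setuid" in rec["perms"]:
            denied.append(rec["scontext"])
    return denied


def running_as_root():
    return os.geteuid() == 0


def try_setuid(target_uid):
    """Attempt setuid(2) in a forked child so the parent keeps its own identity.

    Returns 'allowed' or 'denied'. As a non-root user the DAC check refuses it
    (EPERM) before SELinux is consulted; as root, the result is decided by whether
    the caller's domain is allowed the setuid capability in the loaded policy.
    """
    pid = os.fork()
    if pid == 0:
        try:
            os.setuid(target_uid)
        except PermissionError:
            os._exit(1)
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    ok = os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0
    return "allowed" if ok else "denied"


if __name__ == "__main__":
    print("setuid(1000) as uid", os.getuid(), "->", try_setuid(1000))
    print("domains denied the setuid capability in the sample log:",
          setuid_capability_denials(SAMPLE_AUDIT_LINES))
```

Run as an ordinary user the first line always reports `denied`; run as root on an SELinux system, `denied` means the policy lacks an allow rule for the setuid capability in that domain, and the corresponding AVC record will appear in the audit log in the form the parser expects.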