On Thu, Sep 02, 2004 at 10:15:20PM +1000, Russell Coker wrote:
> > Compare that to this thread, where we are talking about atomic vs.
> > non-atomic restoration of context for udev-mounted temp file systems.
> > Shudder. This seems to be begging for an exploit to be discovered.
> > Are we sure that SELinux is really on the right track here?
>
> The original udev implementation had the device nodes relabelled after
> creation. As of recent times (since 2002) the default SE Linux policy has
> denied almost all domains (only two system domains) access to device nodes
> labelled as device_t. This means that there is no window of opportunity for
> an attacker to access a device before it is correctly labelled.
>
> The worst race condition attack would be a DOS attack, cause an access at the
> wrong time and have it be denied when otherwise it would be permitted. This
> is the least serious of all possible problems related to device labelling.

... and with the use of matchpathcon() followed by setfscreatecon(), it isn't
even that: inode, symlink and directory creation-plus-filecontext-setting are
done as an atomic operation. problem goes away.

the _old_ selinux udev support (0.024), on the other hand, suffered from the
big-deal-DOS-attack that russell describes above.

l.