On Thu, 2004-10-14 at 14:27 -0400, Stephen Smalley wrote:
> On Thu, 2004-10-14 at 13:56, Steve Coleman wrote:
> > Colin Walters walters-at-redhat.com |fedora| wrote:
> > >
> > > The major threat here is environment variables, right?
>
> Hmm...didn't get Colin's original message, but I saw this reply.
> Anyway, if the question is about domain transitions on scripts, then
> there is a fundamental race condition on script execution. Think:
> kernel looks up script file and reads header, kernel invokes interpreter
> with script file path as argument, interpreter looks up script file.
> Caller can run arbitrary code in the new domain.

Well, this is only a threat in the case where the caller can do an unlink in the directory that the script is in, correct?

I can see that's a fundamental problem, but personally I'm more interested in trying to, for example, give someone the ability to run /etc/init.d/* in a secure manner. Say we define a type like 'daemon_admin_t' that has permissions to transition to initrc_t; perhaps we'd need to label certain files in /etc/init.d/ instead of allowing general access to initrc_t.

Right now, though, if you tried to do that a malicious attacker could set many environment variables like PATH or IFS which shell scripts would pick up. Cleaning the environment would close that hole.
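An added example of the environment cleaning discussed above (my own code, not from this thread or from the SELinux policy): a small C wrapper that execs /etc/init.d/<name> with a fixed PATH and IFS instead of the caller's environment, so a script run in the target domain cannot be steered through inherited variables. The init.d path, the accepted name characters and the environment values are assumptions, and the wrapper does not address the lookup race Stephen describes, since the interpreter still re-opens the script by path.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed environment handed to the script (assumed values). PATH and IFS
 * are set explicitly because shell scripts read both from the caller. */
static char *const clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "IFS= \t\n",
    NULL
};

/* Accept only a plain file name for the script: non-empty, no leading
 * dot (rejects "." and ".."), and only [A-Za-z0-9._-] characters. */
int valid_script_name(const char *name) {
    if (name == NULL || *name == '\0' || *name == '.') return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (!isalnum(*p) && *p != '-' && *p != '_' && *p != '.') return 0;
    }
    return 1;
}

/* Return "/etc/init.d/<name>" in a static buffer, or NULL if the name
 * is rejected or too long. Not thread-safe; fine for a small wrapper. */
const char *script_path(const char *name) {
    static char buf[256];
    if (!valid_script_name(name)) return NULL;
    int n = snprintf(buf, sizeof buf, "/etc/init.d/%s", name);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

/* Replace this process with the script, passing only clean_env.
 * execve() only returns on failure, so any return means an error. */
int run_init_script(const char *name, const char *action) {
    const char *path = script_path(name);
    if (path == NULL) { errno = EINVAL; return -1; }
    char *const argv[] = { (char *)path, (char *)action, NULL };
    execve(path, argv, clean_env);
    return -1;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <script> <action>\n", argv[0]); return 2; }
    run_init_script(argv[1], argv[2]);
    perror(argv[1]);  /* reached only if execve failed */
    return 1;
}
```

Whether such a wrapper should itself carry the domain transition (rather than each script) is exactly the labelling question raised above; the wrapper only closes the inherited-environment hole.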