Re: Would SELinux prevent that with the current policy?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 19 Jul 2009, Christoph H?ger wrote:

> > But for those that use the policy defaults i am sorry because they are
> > (more) vulnerable to this issue,
> 
> More? In what way can SELinux make you _more_ vulnerable? LSM are
> stackable, right? So basically all SELinux could do is restrict access
> and not allow access that already is denied by the dummy LSM, or not?

Usually, but in this case, the problem is that SELinux (and this could 
happen to any LSM, really) allowed more access than the configured 
default.

We want to be able to use MAC policy to allow applications to mmap low 
memory.  There does not seem to be a really great solution which avoids 
the problem of then allowing more access than would otherwise be allowed.

Consider, though, that you you wanted to run wine on a standard system, 
you would disable mmap_min_addr entirely for everything on the system.  
Most people will probably not need to do that and have it set at the 
normal value.

Perhaps what we should do is never allow SELinux policy to reduce the 
protection level here, which would mean that if someone wants to allow an 
app to mmap low memory, they have to:

a) disable protection globally via the sysctl
b) then depend entirely on SELinux to enforce it except for domains
   with the mmap_zero permission

So, IOW, the SELinux permission won't have any effect until the admin 
removes the "DAC" control globally.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux