On 09/03/2015 12:29 PM, Tom Rivers wrote:
> On 9/2/2015 17:25, Jason L Tibbitts III wrote
>> TR> If that is the case, then my question is this: why is SELinux
>> TR> blaming pyzor for something abrt is doing?
>>
>> Because it all happens in the context of the script. abrt basically
>> hooks into the backtrace generation logic and runs some extra code.
>> This doesn't happen in a separate process.
>
> It's the whole "abrt basically hooks into the backtrace generation
> logic" thing that I find particularly interesting. Your explanation
> makes it sound as if a separate program is able to gain access to an
> existing process and hide its true identity. I must be
> misunderstanding the nuts and bolts of this because malware does the
> exact same thing.
>
> It makes sense to me that if a running process invokes an external
> program then that request will be under the context of the running
> process because it is what is making the request. However, a program
> that has the ability to take on the guise of some other process and
> make a request under a context that is not its own means it can hide.
> I don't see how that is a good thing especially with respect to
> programs like SELinux who must be able to clearly identify who is
> doing what in order to perform its role effectively.
>
>
> Tom
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

SELinux will not prevent a process with the proper rights from taking
over another policy. unconfined_t or kernel_t are both allowed to do
pretty much anything they want from an SELinux point of view. A
confined process would obviously be blocked from doing this.
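An added illustration, not part of the thread and not abrt's code: a constructed `crash_hook`, installed through Python's `sys.excepthook` (assumed here as the kind of in-process hook the thread describes), reports the same PID and the same `/proc/self/attr/current` label as the script that crashed. Whatever the hook does is therefore checked against the script's own domain, which is why the denial names the script rather than the hook's author.

```python
import json
import subprocess
import sys

# Constructed child script. crash_hook is a hypothetical stand-in for a
# crash reporter that hooks unhandled exceptions; it is not abrt's code.
CHILD = r'''
import json, os, sys

def label():
    # Security context of the calling process, if the kernel exposes one.
    try:
        with open("/proc/self/attr/current") as f:
            return f.read().strip("\x00\n")
    except OSError:
        return "unavailable"

def crash_hook(exc_type, exc, tb):
    # Runs inside the failing interpreter: no fork, no exec, no transition.
    print(json.dumps({"where": "hook", "pid": os.getpid(), "context": label()}))

sys.excepthook = crash_hook
print(json.dumps({"where": "script", "pid": os.getpid(), "context": label()}))
raise RuntimeError("constructed failure")
'''

def run_crashing_script():
    """Run the child and return (exit code, records keyed by 'script'/'hook')."""
    proc = subprocess.run([sys.executable, "-c", CHILD],
                          capture_output=True, text=True)
    records = {}
    for line in proc.stdout.splitlines():
        rec = json.loads(line)
        records[rec["where"]] = rec
    return proc.returncode, records

def same_subject(records):
    """True when the hook ran as the same process, under the same label."""
    script, hook = records["script"], records["hook"]
    return script["pid"] == hook["pid"] and script["context"] == hook["context"]

if __name__ == "__main__":
    code, recs = run_crashing_script()
    for where in ("script", "hook"):
        print(where, recs[where]["pid"], recs[where]["context"])
    print("exit code:", code, "same subject:", same_subject(recs))
```

On a host without SELinux the label reads as `unavailable` or as whatever the active LSM reports; the PID and label comparison still holds.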