On 09/07/2015 01:44 PM, Daniel J Walsh wrote: > > > On 09/03/2015 12:29 PM, Tom Rivers wrote: >> On 9/2/2015 17:25, Jason L Tibbitts III wrote >>> TR> If that is the case, then my question is this: why is SELinux >>> TR> blaming pyzor for something abrt is doing? >>> >>> Because it all happens in the context of the script. abrt basically >>> hooks into the backtrace generation logic and runs some extra code. >>> This doesn't happen in a separate process. >> >> It's the whole "abrt basically hooks into the backtrace generation >> logic" thing that I find particularly interesting. Your explanation >> makes it sound as if a separate program is able to gain access to an >> existing process and hide its true identity. I must be >> misunderstanding the nuts and bolts of this because malware does the >> exact same thing. >> >> It makes sense to me that if a running process invokes an external >> program then that request will be under the context of the running >> process because it is what is making the request. However, a program >> that has the ability to take on the guise of some other process and >> make a request under a context that is not its own means it can hide. >> I don't see how that is a good thing especially with respect to >> programs like SELinux who must be able to clearly identify who is >> doing what in order to perform its role effectively. >> >> >> Tom >> -- >> selinux mailing list >> selinux@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/selinux > SELinux does will not prevent a process with the proper rights from > taking over another policy. unconfined_t or kernel_t are both allowed > to do pretty much anything they want from an SELinux point of view. A > confined process would obviously be blocked from doing this. > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > I believe there fixes in the latest Fedoras (F23/Rawhide). I would open a new bug and discuss it also with ABRT folks. Thank you. -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
