On Sat, 28 Feb 2009, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> We should not be allowing confined daemons to write to /root.
>
> There is potential to allow confined domains to write to subdirs of
> /root, or at least read it.
>
> sshd_t needs to be able to read /root/.ssh/*

Well if you have the boolean set to allow sysadm_t logins then sshd can
entirely break your security anyway.

> Others like xauth_t need to be able to write but this is more a confined
> helper app than a real confined app.
>
> In current targeted policy I see the following
>
> # sesearch --allow -t admin_home_t -c dir | grep write | awk '{ print $2 " " $3 }'
> sysadm_t admin_home_t
> rpm_t admin_home_t
> rpm_script_t admin_home_t
> xauth_t admin_home_t
> nfsd_t admin_home_t
> nmbd_t admin_home_t
> smbd_t admin_home_t
> ftpd_t admin_home_t
> kernel_t admin_home_t
>
> Where these are either an unconfined_domain or have a boolean that
> allows them to write anywhere.

Those cases all have genuine reasons for accessing /root (at least in
certain configurations based on boolean settings).

I recall that at one time the RHGB used to write files under /root because
the library code was too complex to allow them to do otherwise. While RHGB
was unlikely to break your system, other programs with similar design would
be a risk.

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
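As an added illustration (not from the thread above), the following Python does what the `sesearch | grep write | awk` pipeline in the quoted message does, but keeps the boolean that gates a conditional rule, so unconditional writers and boolean-gated writers can be told apart. The input is constructed sample text in the `allow src tgt : class { perms } ; [ bool ]` shape of setools-3 `sesearch --allow` output; it is not captured from a real policy.

```python
import re

# Constructed sample output (not from a real policy). A trailing "[ bool ]"
# marks a rule that only applies when that boolean is on; grep/awk drop it.
SAMPLE_SESEARCH_OUTPUT = """\
allow sysadm_t admin_home_t : dir { ioctl read write create getattr setattr unlink link rename add_name remove_name search rmdir open } ;
allow sshd_t admin_home_t : dir { getattr search open } ;
allow ftpd_t admin_home_t : dir { read write add_name remove_name search getattr } ; [ ftp_home_dir ]
allow xauth_t admin_home_t : dir { write add_name search getattr } ;
allow nfsd_t admin_home_t : dir { read write add_name remove_name search } ; [ nfs_export_all_rw ]
allow user_t admin_home_t : file { read getattr } ;
"""

# One allow rule per line: source, target, class, permission set, optional boolean.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*;\s*(?:\[\s*(?P<bool>\S+)\s*\])?\s*$"
)


def parse_allow_rules(text):
    """Yield (src, tgt, cls, perms, boolean-or-None) for every parseable allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield m["src"], m["tgt"], m["cls"], set(m["perms"].split()), m["bool"]


def dir_writers(text, target="admin_home_t"):
    """Domains holding dir:write on `target`, mapped to the gating boolean (None = always)."""
    writers = {}
    for src, tgt, cls, perms, cond in parse_allow_rules(text):
        if tgt == target and cls == "dir" and "write" in perms:
            writers[src] = cond
    return writers


if __name__ == "__main__":
    for domain, cond in sorted(dir_writers(SAMPLE_SESEARCH_OUTPUT).items()):
        print(f"{domain:10s} {'always' if cond is None else 'only if ' + cond}")
```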