Dominick Grift wrote:
> On Sat, 2009-02-28 at 10:01 +1100, Russell Coker wrote:
>> On Sat, 28 Feb 2009, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>> We should not be allowing confined daemons to write to /root.
>>> There is potential to allow confined domains to write to subdirs of
>>> /root, or at least read it.
>>>
>>> sshd_t needs to be able to read /root/.ssh/*
>> Well if you have the boolean set to allow sysadm_t logins then sshd can
>> entirely break your security anyway.
>
> A bit off-topic but on Fedora that boolean does not seem to work
> (completely):
>
> sh-4.0# getsebool -a | grep sysadm
> allow_sysadm_exec_content --> on
> ssh_sysadm_login --> off
> xdm_sysadm_login --> off
>
> [dgrift@notebook1 ~]$ ssh dgrift/sysadm_r@localhost
> WARNING!!! You have accessed a private network.
> UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
> Violators may be prosecuted to the full extend of the law.
> Your access to this network may be monitored and recorded for quality
> assurance, security, performance, and maintenance purposes.
> dgrift/sysadm_r@localhost's password:
> Last login: Fri Feb 27 13:35:33 2009 from localhost.localdomain
> [dgrift@notebook1 ~]$ id -Z
> dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh
> [dgrift@notebook1 ~]$
>
>>> Others like xauth_t need to be able to write but this is more a confined
>>> helper app than a real confined app.
>>>
>>> In current targeted policy I see the following
>>>
>>> # sesearch --allow -t admin_home_t -c dir | grep write | awk '{ print $2 " " $3 }'
>>> sysadm_t admin_home_t
>>> rpm_t admin_home_t
>>> rpm_script_t admin_home_t
>>> xauth_t admin_home_t
>>> nfsd_t admin_home_t
>>> nmbd_t admin_home_t
>>> smbd_t admin_home_t
>>> ftpd_t admin_home_t
>>> kernel_t admin_home_t
>>>
>>> Where these are either an unconfined_domain or have a boolean that
>>> allows them to write anywhere.
>> Those cases all have genuine reasons for accessing /root (at least in certain
>> configurations based on boolean settings).
>>
>> I recall that at one time the RHGB used to write files under /root because the
>> library code was too complex to allow them to do otherwise. While RHGB was
>> unlikely to break your system, other programs with similar design would be a
>> risk.
>>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

Dominick, can you open a bugzilla?
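
Added example, not part of the original message or of the SELinux tooling: a small shell check for the mismatch reported above, where an SSH session ends up in sysadm_r while ssh_sysadm_login is off. It assumes, as the thread implies, that the boolean is meant to gate sysadm_r logins over SSH; the function names and the sample text (constructed from the output quoted above) are hypothetical.

```shell
#!/bin/sh
# Added example: compare the ssh_sysadm_login boolean with the role of a session.

# bool_state NAME GETSEBOOL_OUTPUT -> prints on/off, or "unknown" if NAME is absent
bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# context_role CONTEXT -> role field of user:role:type:level
context_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# check_ssh_sysadm GETSEBOOL_OUTPUT CONTEXT
# returns 0 if consistent, 1 on mismatch, 2 if the boolean could not be read
check_ssh_sysadm() {
    state=$(bool_state ssh_sysadm_login "$1")
    role=$(context_role "$2")
    if [ "$role" != "sysadm_r" ]; then
        echo "OK: session role is $role"
        return 0
    fi
    case $state in
        on)  echo "OK: sysadm_r login permitted by ssh_sysadm_login"; return 0 ;;
        off) echo "MISMATCH: sysadm_r session while ssh_sysadm_login is off"; return 1 ;;
        *)   echo "UNKNOWN: ssh_sysadm_login not found in boolean list"; return 2 ;;
    esac
}

# Constructed sample input, copied from the output quoted in the thread.
SAMPLE_BOOLS='allow_sysadm_exec_content --> on
ssh_sysadm_login --> off
xdm_sysadm_login --> off'
SAMPLE_CTX='dgrift:sysadm_r:sysadm_t:SystemLow-SystemHigh'

check_ssh_sysadm "$SAMPLE_BOOLS" "$SAMPLE_CTX" || true

# On a live system, from inside the SSH session being checked:
#   check_ssh_sysadm "$(getsebool -a)" "$(id -Z)"
```

A MISMATCH result on a live host is the condition worth attaching to the bug report, together with the policy package version.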