On 04/26/2010 02:18 AM, Michal Svoboda wrote:
> Daniel J Walsh wrote:
>> One possible use case would be: I want to allow a user to login as
>> unconfined_t and only be able to become root as webadm_t through sudo.
>>
>> If webadm_t has setattr on /var/www, he can cp /bin/sh /var/www/sh,
>> chcon 4755 /var/www/sh, exit webadm_t and as unconfined_t become root
>> using /var/www/sh.
>
> Isn't this just a side effect of the 'unconfined' philosophy? I've
> always been taught (and taught others) that with proper MAC controls you
> can have as many setuid shells as you like.
>
> You already give all your trust to the user by giving him unconfined.
> Placing setuid controls in place is curing only (one of many) symptoms,
> not the cause.
>
> Michal Svoboda

First, my example was sort of a gross oversimplification. It would not only affect unconfined_t but any other domain that could use the setuid bit to gain additional privs.

unconfined_t to a user means: give him all the power of a normal user with SELinux disabled. You are still protected by DAC. I would argue that you want to make sure there are limited setuid apps around when running with unconfined_t. But if you give him unconfined_t and "chcon 4755" as a confined user running as root, then you make it easy for him to become unconfined_t running as UID=0.

If we want people to experiment with confined admins, allowing unconfined_t -> sudo_exec_t -> confined_admin_t is a good thing.
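As an added example (not part of this thread or of any SELinux project code), here is a small audit script in the spirit of the point above that a system running unconfined_t should keep its setuid binaries limited: it walks the given trees, reports setuid/setgid regular files that sit outside an allowlist of directories where such binaries normally live, and reads the SELinux label where the kernel exposes it. The allowlist, the scanned paths and the sample tree built by demo() are assumptions.

```python
import os
import stat
import tempfile

# Assumption: directories where setuid/setgid binaries are expected on this
# distribution. Anything found outside them (e.g. under /var/www) is reported.
EXPECTED_SETUID_DIRS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec",
                        "/bin", "/sbin")


def selinux_label(path):
    """Best-effort read of the file's SELinux label; None when unavailable."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
        return raw.rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None


def find_unexpected_setuid(roots, expected_dirs=EXPECTED_SETUID_DIRS):
    """Return (path, octal mode, label) for setuid/setgid regular files under
    roots that are not inside one of expected_dirs."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks and special files cannot carry setuid
                if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                if any(path.startswith(d.rstrip("/") + "/") for d in expected_dirs):
                    continue
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), selinux_label(path)))
    return findings


def demo():
    """Constructed sample tree: a 4755 'sh' dropped into a web root next to a
    normal file. Returns the paths the scanner flags."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "var", "www")
    os.makedirs(webroot)
    dropped = os.path.join(webroot, "sh")
    with open(dropped, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(dropped, 0o4755)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<html></html>\n")
    return [p for p, _mode, _label in find_unexpected_setuid([base])]


if __name__ == "__main__":
    for path, mode, label in find_unexpected_setuid(["/var/www", "/tmp", "/home"]):
        print(path, mode, label)
```

Mounting user-writable trees such as /var/www or /tmp with nosuid is the complementary mitigation: the bit may still be set, but the kernel ignores it at exec time.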