On Wed, 2012-02-29 at 16:22 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-29 at 15:47 -0500, Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > One of the oldest bugs/wacky things about SELinux is what happens when
> > a login program cannot calculate a login context.
> >
> > Right now we have an open bug on confined users. Basically if you
> > set up a confined user guest_u and attempt to login to that user via
> > xdm_t, you get a context of guest_u:guest_r:oddjob_mkhomedir_t:s0
> >
> > selinuxdefcon pwalsh system_u:system_r:xdm_t:s0
> > guest_u:guest_r:oddjob_mkhomedir_t:s0
> >
> > Yech.
> >
> > This could be considered a security hole, but it is definitely broken.
> > I have been looking at the libselinux code but this is actually
> > expected behavior, and I am not eager to fix it, since it might break
> > people's expectations.
> >
> > Eric suggested that we might want to move the problem out of
> > libselinux and make this a login program problem. Make the login
> > programs pam_selinux a userspace manager.
> >
> > After libselinux returns a context to pam_selinux it would check for
> > the following allow rule.
> >
> > allow logindomain userdomain:login entrypoint;
> >
> > Then pam_namespace would check if xdm_t is allowed a login entry point
> > into oddjob_mkhomedir_t, if no, blow up the login.
> >
> > Comments?
>
> Last time we discussed this, I thought we agreed to migrate away from
> the current usage of security_compute_user (/selinux/user) altogether
> within libselinux, and replace it with a simpler userspace configuration
> and logic for determining user roles and levels.

I don't think we want to introduce greater complexity and more possible
failure causes into the mix for determining user contexts. Simplest
option would be to change get_ordered_context_list() to return the empty
list / fail in that case rather than return the full reachable list from
security_compute_user.
But I'd like to get rid of / replace security_compute_user with a
solution that is mostly userspace, at most getting the user's authorized
roles and default level information from selinuxfs but not asking the
kernel to compute reachability.

-- 
Stephen Smalley
National Security Agency
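To make the two proposals in the thread concrete, here is a small model of the login-context decision, added as an example and not code from the selinux list, libselinux or pam_selinux. It is pure Python so it runs without an SELinux kernel: `REACHABLE` is a constructed stand-in for what security_compute_user returned in Dan's bug report (every reachable type, including oddjob_mkhomedir_t), `POLICY` is a constructed fragment using the `allow logindomain userdomain:login entrypoint;` rule Dan proposes (the `login` class and `entrypoint` permission are that proposal, not existing policy), and `compute_login_contexts` is a hypothetical name for the filtering step. The function keeps only candidates the login domain is authorized to enter and fails when none survive, which is the "blow up the login" behaviour and, equivalently, Stephen's "return the empty list / fail" for get_ordered_context_list().

```python
"""Toy model of authorizing a login context before a login program uses it.

Added example for the selinux list thread above; not libselinux or pam_selinux
code. Policy class/permission names follow the rule proposed in the thread.
"""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A user:role:type:level security context (labelled fields only)."""

    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, type_, level = text.split(":", 3)
        return cls(user, role, type_, level)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


# Constructed stand-in for security_compute_user: for a login program running
# as xdm_t and the SELinux user guest_u, the kernel reports every reachable
# context, not only the intended user login domain.
REACHABLE = {
    "system_u:system_r:xdm_t:s0": [
        "guest_u:guest_r:guest_t:s0",
        "guest_u:guest_r:oddjob_mkhomedir_t:s0",
    ],
}

# Constructed policy fragment using the proposed 'login entrypoint' rule.
# Note that there is deliberately no rule for oddjob_mkhomedir_t.
POLICY = """
allow xdm_t guest_t:login entrypoint;
allow xdm_t staff_t:login entrypoint;
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\w+);")


def parse_allow_rules(text: str) -> set:
    """Parse 'allow src tgt:class perm;' lines into (src, tgt, class, perm)."""
    return {tuple(m) for m in ALLOW_RE.findall(text)}


def login_entrypoint_allowed(rules: set, source_type: str, target_type: str) -> bool:
    """The check pam_selinux would make after libselinux returns a context."""
    return (source_type, target_type, "login", "entrypoint") in rules


def compute_login_contexts(login_context: str, rules: set, reachable=REACHABLE) -> list:
    """Return the contexts the login program may set, in the order reported.

    Candidates the login domain is not allowed to enter are dropped. If nothing
    survives, fail loudly instead of handing back an unrelated reachable type
    such as oddjob_mkhomedir_t.
    """
    src = Context.parse(login_context)
    candidates = [Context.parse(c) for c in reachable.get(login_context, [])]
    allowed = [c for c in candidates if login_entrypoint_allowed(rules, src.type, c.type)]
    if not allowed:
        raise PermissionError(f"no authorized login context reachable from {login_context}")
    return allowed


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY)
    for ctx in compute_login_contexts("system_u:system_r:xdm_t:s0", rules):
        print(ctx)  # only guest_u:guest_r:guest_t:s0 is printed
```

With the policy fragment above the bogus oddjob_mkhomedir_t candidate is filtered out; with the `login entrypoint` rules removed, the function raises instead of letting the login proceed with whatever type happened to be reachable.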