On 02/29/2012 04:34 PM, Stephen Smalley wrote:
> On Wed, 2012-02-29 at 16:22 -0500, Stephen Smalley wrote:
>> On Wed, 2012-02-29 at 15:47 -0500, Daniel J Walsh wrote:
>>> One of the oldest bugs/wacky things about SELinux is what happens when a
>>> login program cannot calculate a login context.
>>>
>>> Right now we have an open bug on confined users. Basically if you set up a
>>> confined user guest_u and attempt to log in to that user via xdm_t, you
>>> get a context of guest_u:guest_r:oddjob_mkhomedir_t:s0
>>>
>>> selinuxdefcon pwalsh system_u:system_r:xdm_t:s0
>>> guest_u:guest_r:oddjob_mkhomedir_t:s0
>>>
>>> Yech.
>>>
>>> This could be considered a security hole, but it is definitely broken. I
>>> have been looking at the libselinux code but this is actually expected
>>> behavior, and I am not eager to fix it, since it might break people's
>>> expectations.
>>>
>>> Eric suggested that we might want to move the problem out of libselinux
>>> and make this a login program problem. Make the login program's
>>> pam_selinux a userspace manager.
>>>
>>> After libselinux returns a context to pam_selinux it would check for the
>>> following allow rule.
>>>
>>> allow logindomain userdomain:login entrypoint;
>>>
>>> Then pam_namespace would check if xdm_t is allowed a login entry point
>>> into oddjob_mkhomedir_t; if no, blow up the login.
>>>
>>> Comments?
>>
>> Last time we discussed this, I thought we agreed to migrate away from the
>> current usage of security_compute_user (/selinux/user) altogether within
>> libselinux, and replace it with a simpler userspace configuration and
>> logic for determining user roles and levels.
>
> I don't think we want to introduce greater complexity and more possible
> failure causes into the mix for determining user contexts. Simplest option
> would be to change get_ordered_context_list() to return the empty list /
> fail in that case rather than return the full reachable list from
> security_compute_user. But I'd like to get rid of / replace
> security_compute_user with a solution that is mostly userspace, at most
> getting the user's authorized roles and default level information from
> selinuxfs but not asking the kernel to compute reachability.

Meaning we should read the contents of /etc/selinux/TYPE/contexts/users/SELINUXUSER and get the types from there that match the type of the login program. If that file does not exist, then fall back to /etc/selinux/TYPE/contexts/default_context and get the type from there. Then just check with the kernel if LOGINTYPE_T can transition to USERTYPE_T and choose that context. Else go to the next context. If no context is available to transition to, return failure.
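The selection logic Dan sketches in his last paragraph, written out as an added example that is not code from this thread or from libselinux. The two file contents are constructed samples in the layout of the contexts/users/SEUSER and default_contexts files, and the kernel query ("can LOGINTYPE_T transition to USERTYPE_T") is replaced by a `can_transition` callback, an assumption standing in for the kernel's process-transition access decision.

```python
from typing import Callable, List, Optional

# Constructed sample in the layout of /etc/selinux/TYPE/contexts/users/guest_u:
# first field is the login program's context (user part optional), the rest are
# candidate user contexts (role:type:level) in preference order. The
# oddjob_mkhomedir_t entry is included on purpose so the kernel check has
# something to reject.
GUEST_U_FILE = """\
# login program context            candidate user contexts
system_u:system_r:local_login_t:s0  guest_r:guest_t:s0
system_u:system_r:xdm_t:s0          guest_r:oddjob_mkhomedir_t:s0  guest_r:guest_t:s0
"""

# Constructed sample in the layout of /etc/selinux/TYPE/contexts/default_contexts.
DEFAULT_CONTEXTS = """\
system_u:system_r:xdm_t:s0  user_r:user_t:s0 staff_r:staff_t:s0
system_u:system_r:sshd_t:s0 user_r:user_t:s0
"""

def type_of(ctx: str) -> str:
    """Type field of a full (user:role:type:level) or partial (role:type:level)
    context. Assumes the refpolicy convention that role names end in '_r'."""
    parts = ctx.split(":")
    return parts[2] if parts[1].endswith("_r") else parts[1]

def candidates(text: Optional[str], login_type: str) -> List[str]:
    """Candidate contexts from every line whose login program type matches."""
    out: List[str] = []
    for line in (text or "").splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 2:
            continue
        if type_of(fields[0]) == login_type:
            out.extend(fields[1:])
    return out

def choose_login_context(login_ctx: str, seuser: str, users_file: Optional[str],
                         default_file: str,
                         can_transition: Callable[[str, str], bool]) -> Optional[str]:
    """Return the first listed context the kernel lets login_ctx transition into.
    users_file is None when contexts/users/SEUSER does not exist, in which case
    default_file is consulted instead (also when the user file lists nothing)."""
    login_type = type_of(login_ctx)
    cands = candidates(users_file, login_type) or candidates(default_file, login_type)
    for cand in cands:
        if cand.split(":")[0].endswith("_r"):   # partial context: prepend the SELinux user
            cand = f"{seuser}:{cand}"
        if can_transition(login_type, type_of(cand)):
            return cand
    return None   # nothing reachable: the login fails instead of falling through
```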