[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: how does rpm work under Selinux
- From: Ivan Gyurdiev <ivg2 cornell edu>
- To: Rudi Chiarito <nutello sweetness com>
- Cc: Mike Hearn <mike navi cx>, fedora-selinux-list redhat com
- Subject: Re: how does rpm work under Selinux
- Date: Tue, 31 May 2005 22:20:46 -0400
On Wed, 2005-06-01 at 04:01 +0200, Rudi Chiarito wrote:
>
> No matter how tempting, that also sounds like a perfect way for a
> rogue
> package to subvert the whole SELinux scheme, overriding the
> preinstalled policy, right?
Actually, I think all a rogue package has to do to subvert the SELinux
scheme is to install itself where the regexps expect, and it will get
labeled as a privileged process.
It's certainly possible to restrict rpm on a SELinux system. I believe
the current policy prevents it from writing to /etc/shadow, unless a
tunable is on.
On the other hand I am suspicious whether this protection works at all -
it probably allows the rpm to install an executable over an auth_write
binary, at which point it can just install a hostile executable there,
and the battle is lost.
I could be wrong though - I hadn't looked at the rpm policy until now...
--
Ivan Gyurdiev <ivg2 cornell edu>
Cornell University
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]