[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: /sbin/restorecon and hard links

From: Stephen Smalley <sds tycho nsa gov>
To: Erik Sjölund <erik sjolund gmail com>
Cc: fedora-selinux-list redhat com
Subject: Re: /sbin/restorecon and hard links
Date: Wed, 15 Feb 2006 09:01:32 -0500

On Wed, 2006-02-15 at 14:19 +0100, Erik Sjölund wrote:
> [root e /]# cat /etc/redhat-release
> Fedora Core release 4 (Stentz)
> [root e /]# adduser erik
> [root e /]# su - erik
> [erik e ~]$ ln /etc/passwd .
> [erik e ~]$ exit
> [root e /]#  ls -lZ /etc/passwd
> -rw-r--r--  root     root   system_u:object_r:etc_t          /etc/passwd
> [root e /]# restorecon -R /home
> [root e /]# ls -lZ /etc/passwd
> -rw-r--r--  root     root   user_u:object_r:user_home_t      /etc/passwd
> 
> Should it be like that?
> 
> /sbin/restorecon -R /home
> 
> might lead to strange security contexts for files belonging to root.

Yes, running restorecon on /home by root considered harmful,
particularly under targeted policy.  Under strict policy, a user can't
create hard links to system files (controlled by the 'link' permission),
which helps avoid the problem, and restorecon and setfiles aren't
allowed to follow untrustworthy symlinks by the policy.  setfiles also
contains code to check for multiple hard links with conflicting matches,
so if you run setfiles on /, it should complain about the discrepancy,
but restorecon doesn't do that and even if it did it naturally can't
tell that when it is just run on /home.

-- 
Stephen Smalley
National Security Agency

Follow-Ups:
- Re: /sbin/restorecon and hard links
  - From: Stephen Smalley
- Re: /sbin/restorecon and hard links
  - From: Chuck Anderson
- Re: /sbin/restorecon and hard links
  - From: Stephen Smalley

References:
- /sbin/restorecon and hard links
  - From: Erik Sjölund

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]