Re: [redhat-lspp] Getting rid of multilevel objects
- From: Klaus Weidner <klaus atsec com>
- To: lspp-list <redhat-lspp redhat com>
- Subject: Re: [redhat-lspp] Getting rid of multilevel objects
- Date: Mon, 24 Jul 2006 18:41:48 -0500
On Mon, Jul 24, 2006 at 06:09:00PM -0500, Klaus Weidner wrote:
> I tested the patch below which treats ranged objects as single-level
> objects (using the lower level) for unprivileged processes.
Unfortunately this doesn't seem to fix the pty exploit I had mentioned
earlier; newrole_typescript.py continues working even with the stricter
policy:
https://www.redhat.com/archives/redhat-lspp/2006-July/msg00024.html
Note that after a newrole, the pty slave end is relabeled to the single
effective level, but the master end appears to stay at its old level, and
the processes using the master and slave ends can communicate even though
they are at different levels. Sounds as if this is a separate issue, or
I've messed up the new policy.
FYI, here are the steps I used to install the patched policy (based on
the SPEC file). I'd appreciate tips if there's a simpler way to do
this...
From the /usr/src/redhat/BUILD/serefpolicy-*/ directory which you get by
installing the source RPM and running "rpmbuild -bp SPECS/selinux-policy.spec":
RPM_SOURCE_DIR=/usr/src/redhat/SOURCES
Args="NAME=mls TYPE=strict-mls DISTRO=redhat DIRECT_INITRC=n MONOLITHIC=n POLY=y"
make $Args bare
make $Args conf
/bin/cp -f ${RPM_SOURCE_DIR}/modules-mls.conf ./policy/modules.conf
/bin/cp -f ${RPM_SOURCE_DIR}/booleans-mls.conf ./policy/booleans.conf
make $Args base.pp
make $Args modules
make $Args install
semodule -b /usr/share/selinux/mls/base.pp
-Klaus
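An added diagnostic for the master/slave label mismatch described above; it is not part of Klaus's message, the newrole_typescript.py script, or the serefpolicy tree. It opens a pty pair, reads the SELinux label of each end through the security.selinux xattr on the open fd, and reports whether the two MLS ranges agree. That the label is readable that way on the master fd, the user:role:type:range field layout, and the sample labels in the helpers' docstrings are assumptions; on a box without SELinux the fd labels come back as None and only the string helpers do anything.

```python
import os

SELINUX_XATTR = "security.selinux"  # assumed: label readable as this xattr on an open fd


def split_context(ctx):
    """Split 'user:role:type[:range]' into four fields; range is '' on non-MLS labels."""
    fields = ctx.rstrip("\x00").split(":", 3)
    if len(fields) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    while len(fields) < 4:
        fields.append("")
    return tuple(fields)


def mls_range(ctx):
    """Return (low, high) from the range field; a single-level label gives low == high."""
    rng = split_context(ctx)[3]
    if not rng:
        return ("", "")
    low, dash, high = rng.partition("-")
    return (low, high if dash else low)


def sensitivity(level):
    """'s15:c0.c1023' -> 15; the category list after the first ':' is ignored."""
    return int(level.split(":", 1)[0].lstrip("s"))


def ends_disagree(master_ctx, slave_ctx):
    """True when the master and slave ends of a pty do not carry the same MLS range."""
    return mls_range(master_ctx) != mls_range(slave_ctx)


def fd_label(fd):
    """Label of an open fd, or None when SELinux/xattrs are unavailable (ENODATA, ENOTSUP, ...)."""
    try:
        return os.fgetxattr(fd, SELINUX_XATTR).decode().rstrip("\x00")
    except (OSError, AttributeError):
        return None


def pty_end_labels():
    """Open a pty pair and return (master_label, slave_label, slave_path)."""
    master, slave = os.openpty()
    try:
        return fd_label(master), fd_label(slave), os.ttyname(slave)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    m, s, path = pty_end_labels()
    print("master:", m)
    print("slave %s: %s" % (path, s))
    if m and s:
        print("ranges differ" if ends_disagree(m, s) else "ranges agree")
    else:
        print("no SELinux labels readable on this system")
```

To reproduce the observation from the message, keep the master fd open, run newrole in a child whose controlling tty is the slave, and call fd_label on both fds again afterwards: a relabeled slave with an unchanged master shows up as "ranges differ".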