[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities



Quoting Stephen Smalley (sds tycho nsa gov):
> On Tue, 2009-07-28 at 17:53 -0400, Bill McGonigle wrote:
> > On 07/28/2009 04:11 PM, Chris Adams wrote:
> > > AFAIK SELinux introduces additional controls and does not replace or
> > > override existing controls.  I'm pretty sure non-root still can't
> > > directly listen on a low-numbered port.
> > 
> > For some reason I thought it was possible with MAC, but I can't find
> > anything to support that.  I might have been thinking of Solaris privileges.
> 
> There was a patch floated on selinux list circa June 2007 that would
> have allowed SELinux to directly grant capabilities.  But it met a
> certain amount of resistance from people concerned about the
> implications of changing the historical position that SELinux only
> further restricts access and about how to handle states like permissive
> mode, selinux-disabled, etc seamlessly.
> 
> http://marc.info/?l=selinux&m=118159187318524&w=2
> http://marc.info/?l=selinux&m=118192327422630&w=2
> http://marc.info/?l=selinux&m=118191791828777&w=2

I suppose the main problem with relying on this for granting privilege
to system processes would be that if the selinux policy wasn't loaded
for some reason, such processes (sshd, login, ...) would fail.

The same thing can happen at the moment with capabilities for an NFS
rootfs, so perhaps the same solution (falling back to classic setuid
if there is no selinux policy loaded) could apply?

-serge


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]