SELinux and the Desktop
Colin Walters
walters at redhat.com
Thu Oct 14 18:51:47 UTC 2004
On Thu, 2004-10-14 at 14:27 -0400, Stephen Smalley wrote:
> On Thu, 2004-10-14 at 13:56, Steve Coleman wrote:
> > Colin Walters walters-at-redhat.com |fedora| wrote:
> >
> > The major threat here is environment variables, right?
>
> Hmm...didn't get Colin's original message, but I saw this reply.
> Anyway, if the question is about domain transitions on scripts, then
> there is a fundamental race condition on script execution. Think:
> kernel looks up script file and reads header, kernel invokes interpreter
> with script file path as argument, interpreter looks up script file.
> Caller can run arbitrary code in the new domain.
Well, this is only a threat in the case where the caller can do an
unlink in the directory that the script is in, correct? I can see
that's a fundamental problem, but personally I'm more interested in
trying to for example give someone the ability to run /etc/init.d/* in a
secure manner. Say we define a type like 'daemon_admin_t' that has
permissions to transition to initrc_t; perhaps we'd need to label
certain files in /etc/init.d/ instead of allowing general access to
initrc_t. Right now though if you tried to do that a malicious attacker
could set many environment variables like PATH or IFS which shell
scripts would pick up. Cleaning the environment would close that hole.
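The environment cleaning Colin proposes, as an added C example that is not code from this thread or from SELinux/Fedora: a small wrapper that builds a fresh environment for the script it execs, forcing PATH to a fixed value and passing through only an allow-list of variables (TERM and LANG here, an assumed policy), so IFS, a caller-controlled PATH, LD_PRELOAD and everything else never reach the shell. It does not address the separate race Stephen describes, where the interpreter re-opens the script by path.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Fixed PATH the script will see, whatever the caller had set. */
static const char SAFE_PATH[] = "/sbin:/bin:/usr/sbin:/usr/bin";

/* Allow-list of variables passed through unchanged (assumed policy for this
 * example). Anything not listed, including IFS, PATH and LD_PRELOAD, is dropped. */
static const char *const KEEP[] = { "TERM", "LANG", NULL };

/* Length of the NAME part of a "NAME=value" entry. */
static size_t name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Nonzero if the entry's name is on the allow-list. */
int env_allowed(const char *entry)
{
    size_t n = name_len(entry);
    for (int i = 0; KEEP[i]; i++)
        if (strlen(KEEP[i]) == n && strncmp(KEEP[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Free an environment array returned by build_clean_env(). */
void free_env(char **envp)
{
    if (!envp) return;
    for (size_t i = 0; envp[i]; i++) free(envp[i]);
    free(envp);
}

/* Build a fresh NULL-terminated environment from `in`: a forced PATH entry
 * followed by allow-listed entries only. Returns a malloc'd array the caller
 * frees with free_env(), or NULL on allocation failure. */
char **build_clean_env(char *const *in)
{
    size_t n = 0;
    for (size_t i = 0; in && in[i]; i++) n++;
    char **out = calloc(n + 2, sizeof *out);   /* room for PATH + terminator */
    if (!out) return NULL;

    size_t k = 0;
    size_t plen = strlen("PATH=") + strlen(SAFE_PATH) + 1;
    out[k] = malloc(plen);
    if (!out[k]) { free(out); return NULL; }
    snprintf(out[k++], plen, "PATH=%s", SAFE_PATH);

    for (size_t i = 0; in && in[i]; i++) {
        if (!env_allowed(in[i])) continue;       /* drop IFS, PATH, LD_*, ... */
        out[k] = strdup(in[i]);
        if (!out[k]) { free_env(out); return NULL; }
        k++;
    }
    out[k] = NULL;
    return out;
}

/* Number of entries in a NULL-terminated environment array. */
int env_count(char *const *envp)
{
    int n = 0;
    while (envp && envp[n]) n++;
    return n;
}

/* Value of NAME in envp, or NULL if absent. */
const char *env_lookup(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp && envp[i]; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Usage: envclean /etc/init.d/some-service start */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s SCRIPT [ARGS...]\n", argv[0]);
        return 2;
    }
    char **clean = build_clean_env(environ);
    if (!clean) { perror("build_clean_env"); return 1; }
    execve(argv[1], &argv[1], clean);   /* only returns on failure */
    perror(argv[1]);
    free_env(clean);
    return 127;
}
```

Under a policy like the daemon_admin_t idea above, a wrapper of this shape is where the domain transition would be anchored: the caller's environment never crosses into the new domain, only the fixed PATH and the allow-listed variables do.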