[redhat-lspp] Re: mcstransd question
Paul Moore
paul.moore at hp.com
Thu Sep 28 15:06:40 UTC 2006
Daniel J Walsh wrote:
> Linda Knippers wrote:
>
>>Are only users cleared to SystemHigh supposed to be able to see translated
>>labels?
>>
>>That seems to be the way it works right now with mcstransd. The unix
>>domain socket between libselinux and mcstransd is SystemHigh so while
>>commands (ls -Z) run on behalf of a regular user (default SystemLow)
>>try to translate the labels and can write the request to the socket
>>but the daemon can't send the response.
>>
>>For example, this works:
>>[root at kipper ~]# ls -lZd /bin
>>drwxr-xr-x root root system_u:object_r:bin_t:SystemLow /bin
>>
>>This doesn't:
>>[ljk at kipper ~]$ ls -lZd /bin
>>drwxr-xr-x root root system_u:object_r:bin_t:s0 /bin
>>
>>
>
> This is broken. I am not sure how to handle this? I have changed it
> back to SystemLow-SystemHigh
> which allows it to work properly but I think we need some constraints to
> prevent someone from getting translations at a higher level than they
> are authorized for.
The translation daemon is a trusted program, yes? If so, could we have
it do a getpeercon() call to determine the context of the app requesting
the translation and then do a permissions check to see if the returned
translation is allowed? At first glance this seems easier than some of
the alternatives ...
--
paul moore
linux security @ hp
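The check Paul sketches, as an added illustration that is not mcstransd's own code: after accept() the daemon would call getpeercon(client_fd, &peer_con) to learn the requester's context, then refuse to return a translation whose MLS level the requester's clearance does not dominate. The snippet below assumes the raw SELinux MLS syntax (sN for sensitivity, cA.cB and cA,cB for category ranges and lists) and takes the clearance to be the high end of the peer's range; the contexts in the sample main() are constructed to match the ls -Z output in the thread. A production daemon would be better off asking the policy (an AVC access check) than hand-rolling dominance, so the constraints live in one place.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CATS 1024

/* One MLS level: a sensitivity plus a category bitmap. */
struct mls_level {
    int sens;
    uint8_t cats[MAX_CATS / 8];
};

static void cat_set(struct mls_level *l, int c)
{
    l->cats[c / 8] |= (uint8_t)(1u << (c % 8));
}

/* Parse "s3:c0.c5,c9" into a level. Returns false on malformed input. */
static bool parse_level(const char *s, struct mls_level *out)
{
    memset(out, 0, sizeof(*out));
    if (*s != 's') return false;
    char *end;
    long sens = strtol(s + 1, &end, 10);
    if (end == s + 1 || sens < 0) return false;
    out->sens = (int)sens;
    if (*end == '\0') return true;          /* no categories */
    if (*end != ':') return false;
    const char *p = end + 1;
    while (*p) {
        if (*p != 'c') return false;
        long lo = strtol(p + 1, &end, 10), hi = lo;
        if (end == p + 1 || lo < 0 || lo >= MAX_CATS) return false;
        p = end;
        if (*p == '.') {                     /* range cA.cB */
            if (p[1] != 'c') return false;
            hi = strtol(p + 2, &end, 10);
            if (end == p + 2 || hi < lo || hi >= MAX_CATS) return false;
            p = end;
        }
        for (long c = lo; c <= hi; c++) cat_set(out, (int)c);
        if (*p == ',') p++;
        else if (*p != '\0') return false;
    }
    return true;
}

/* a dominates b: sensitivity at least as high and a superset of b's categories. */
static bool dominates(const struct mls_level *a, const struct mls_level *b)
{
    if (a->sens < b->sens) return false;
    for (size_t i = 0; i < sizeof(a->cats); i++)
        if ((b->cats[i] & ~a->cats[i]) != 0) return false;
    return true;
}

/* The MLS field of user:role:type:level[-level] is everything after the third ':'. */
static const char *mls_field(const char *con)
{
    int colons = 0;
    for (const char *p = con; *p; p++)
        if (*p == ':' && ++colons == 3) return p + 1;
    return NULL;
}

/* High end of a context's MLS range (the part after '-'), or its single level. */
static bool high_level(const char *con, struct mls_level *out)
{
    const char *range = mls_field(con);
    if (!range) return false;
    const char *dash = strchr(range, '-');
    return parse_level(dash ? dash + 1 : range, out);
}

/* Daemon-side decision: may this peer receive the translation of this label?
 * In mcstransd, peer_con would be the string returned by getpeercon() on the
 * accepted socket; here callers pass constructed contexts. Anything unparsable
 * is refused. */
bool translation_allowed(const char *peer_con, const char *label_con)
{
    struct mls_level clearance, label;
    if (!high_level(peer_con, &clearance)) return false;
    if (!high_level(label_con, &label)) return false;
    return dominates(&clearance, &label);
}

int main(void)
{
    /* Constructed contexts mirroring the thread: ljk at s0, root at SystemLow-SystemHigh. */
    const char *ljk  = "user_u:user_r:user_t:s0";
    const char *root = "root:sysadm_r:sysadm_t:s0-s15:c0.c1023";
    const char *bin  = "system_u:object_r:bin_t:s0";
    const char *high = "system_u:object_r:etc_t:s15:c0.c1023";
    printf("ljk  -> %s: %s\n", bin,  translation_allowed(ljk, bin)   ? "allow" : "deny");
    printf("ljk  -> %s: %s\n", high, translation_allowed(ljk, high)  ? "allow" : "deny");
    printf("root -> %s: %s\n", high, translation_allowed(root, high) ? "allow" : "deny");
    return 0;
}
```

With these inputs the s0 user is allowed the translation of the s0 label and refused the SystemHigh one, while the SystemLow-SystemHigh root session is allowed both, which is the behaviour Linda observed reversed by the socket labelling.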