Daniel J Walsh wrote:
> Linda Knippers wrote:
>
>> Are only users cleared to SystemHigh supposed to be able to see translated
>> labels?
>>
>> That seems to be the way it works right now with mcstransd. The unix
>> domain socket between libselinux and mcstransd is SystemHigh so while
>> commands (ls -Z) run on behalf of a regular user (default SystemLow)
>> try to translate the labels and can write the request to the socket
>> but the daemon can't send the response.
>>
>> For example, this works:
>> [EMAIL PROTECTED] ~]# ls -lZd /bin
>> drwxr-xr-x root root system_u:object_r:bin_t:SystemLow /bin
>>
>> This doesn't:
>> [EMAIL PROTECTED] ~]$ ls -lZd /bin
>> drwxr-xr-x root root system_u:object_r:bin_t:s0 /bin
>>
>
> This is broken. I am not sure how to handle this? I have changed it
> back to SystemLow-SystemHigh, which allows it to work properly, but I
> think we need some constraints to prevent someone from getting
> translations at a higher level than they are authorized for.
The translation daemon is a trusted program, yes? If so, could we have it
do a getpeercon() call to determine the context of the app requesting the
translation and then do a permissions check to see if the returned
translation is allowed? At first glance this seems easier than some of the
alternatives ...

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
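The check Paul describes, written out as an added example (not code from this thread or from mcstransd): after the daemon accepts a client on the unix socket, getpeercon() gives it the client's context, and a function like translation_allowed() then compares the high end of the client's MLS range (its clearance) with the level of the raw label before returning a translation. The function names, the 64-category mask and the sample contexts are assumptions made for the example; getpeercon() is the libselinux call named in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One MLS level: sensitivity sN and a category set. Categories are held in a
   64-bit mask (c0..c63) to keep this short; real policies go up to c1023. */
struct level { int sens; uint64_t cats; };

/* Parse "sN[:c1,c3.c5]" at *p and advance *p past it. */
static bool parse_level(const char **p, struct level *lv)
{
    const char *s = *p; char *end;
    if (*s != 's') return false;
    lv->sens = (int)strtol(s + 1, &end, 10);
    if (end == s + 1) return false;
    lv->cats = 0; s = end;
    if (*s == ':') do {
        if (*++s != 'c') return false;
        long lo = strtol(s + 1, &end, 10), hi = lo;
        if (end == s + 1) return false;
        s = end;
        if (*s == '.') {                      /* "c2.c5" is a category range */
            if (s[1] != 'c') return false;
            hi = strtol(s + 2, &end, 10);
            if (end == s + 2) return false;
            s = end;
        }
        if (lo < 0 || hi > 63 || lo > hi) return false;
        for (long c = lo; c <= hi; c++) lv->cats |= (uint64_t)1 << c;
    } while (*s == ',');
    *p = s;
    return true;
}

/* Take the MLS part of "user:role:type:low[-high]" and return its high end. */
static bool range_high(const char *ctx, struct level *hi)
{
    for (int i = 0; i < 3; i++) { ctx = strchr(ctx, ':'); if (!ctx) return false; ctx++; }
    struct level lo;
    if (!parse_level(&ctx, &lo)) return false;
    *hi = lo;
    if (*ctx == '-') { ctx++; if (!parse_level(&ctx, hi)) return false; }
    return *ctx == '\0';
}

/* peer_ctx: what getpeercon() returned for the client socket (assumed caller).
   label_ctx: the raw label the client asked to translate.
   1: the client's clearance dominates the label, send the translation.
   0: deny.  -1: a context is malformed (e.g. already translated), deny too. */
int translation_allowed(const char *peer_ctx, const char *label_ctx)
{
    struct level peer, label;
    if (!range_high(peer_ctx, &peer) || !range_high(label_ctx, &label)) return -1;
    return (peer.sens >= label.sens && (label.cats & ~peer.cats) == 0) ? 1 : 0;
}
```

With this in place the socket itself can stay reachable from SystemLow clients, since each response is gated on the requester's own clearance rather than on the socket's label.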
