On Wed, 2006-10-25 at 09:59 -0400, Stephen Smalley wrote:
> On Wed, 2006-10-25 at 09:50 -0400, James Antill wrote:
> > My understanding is that while security_check_context() allows it, the
> > setexeccon() will fail. Which seemed to be good enough.
>
> No, it won't. Suppose that I have two Linux users A and B, with A
> authorized for category c0 and B authorized for category c2 in seusers,
> but both A and B are mapped to SELinux user U who is authorized for all
> categories in the kernel policy. The login-style programs are naturally
> going to be authorized to transition to any of those contexts since they
> have to deal with user logins at any level, so the setexeccon() will
> succeed. The SELinux security context will have U as the user identity,
> so it will always be valid. You need an explicit check.

Ok, I had assumed that "U" would always be different in this case.

I think this update to the patch solves the problem ... it gets the list of valid roles/levels from get_ordered_context_list() (which I think is complete, but I'm not 100%) and compares what is entered against that.

I'm not 100% sure this is right (it means there would be huge lists returned for MCS, no?), but I don't see what else I can call that would validate the role/level-range for a specific login.

--
James Antill - <[EMAIL PROTECTED]>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
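
The explicit check discussed in the thread, as an added example that is not part of the patch or of libselinux: instead of enumerating contexts, it tests whether a user-entered level falls inside the level range that seusers grants to the Linux login. The function names are hypothetical, the range strings are constructed, and levels are assumed to be in raw form ("s0:c0.c3"), not translated aliases.

```c
#include <stdlib.h>
#include <string.h>

#define NCAT 1024                       /* categories c0..c1023 */
struct level { long sens; unsigned char cat[NCAT / 8]; };

/* Read "<prefix><digits>" at *s and advance past it; -1 on bad syntax. */
static long num(const char **s, char prefix) {
    char *end;
    if (**s != prefix || (*s)[1] < '0' || (*s)[1] > '9') return -1;
    long v = strtol(*s + 1, &end, 10);
    *s = end;
    return v;
}

/* Parse "sN" or "sN:cA,cB.cC" into l; 0 on success, -1 on bad syntax. */
static int parse_level(const char *s, struct level *l) {
    memset(l, 0, sizeof(*l));
    if ((l->sens = num(&s, 's')) < 0) return -1;
    if (*s != ':') return *s ? -1 : 0;
    do {
        s++;                                        /* skip ':' or ',' */
        long lo = num(&s, 'c'), hi = lo;
        if (*s == '.') { s++; hi = num(&s, 'c'); }  /* "cA.cB" is a span */
        if (lo < 0 || hi < lo || hi >= NCAT) return -1;
        for (; lo <= hi; lo++) l->cat[lo / 8] |= (unsigned char)(1u << (lo % 8));
    } while (*s == ',');
    return *s ? -1 : 0;
}

/* a dominates b: sensitivity >= b's and categories a superset of b's. */
static int dominates(const struct level *a, const struct level *b) {
    int ok = a->sens >= b->sens;
    for (int i = 0; ok && i < NCAT / 8; i++) ok = !(b->cat[i] & ~a->cat[i]);
    return ok;
}

/* 1 if req lies within range "low-high" (or a single level); fails closed.
 * range is the seusers entry for the Linux login, not the range of the
 * SELinux user it maps to. */
int level_in_range(const char *range, const char *req) {
    char buf[256], *dash;
    struct level lo, hi, r;
    if (strlen(range) >= sizeof(buf)) return 0;
    dash = strchr(strcpy(buf, range), '-');
    if (dash) *dash++ = '\0';
    if (parse_level(buf, &lo) || parse_level(dash ? dash : buf, &hi) ||
        parse_level(req, &r))
        return 0;
    return dominates(&hi, &r) && dominates(&r, &lo);
}
```

With A's seusers range taken as "s0-s0:c0", a request for "s0:c2" is rejected here even though the same level is inside U's "s0-s0:c0.c1023" range and would pass a validity check on the context alone.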
