On Saturday 01 March 2008 06:46:50 wolf2k5 wrote: > > You need to break the links to get restorecon working without complaint. > > I see ... > Since this issue seems to affect all my RHEL5.1 new installations, > should it be filed as a bug?
No, this behavior is intentional. The problem is that a non-root attacker could hardlink against a file (depending on how you partion your system and setup directory permissions). Assuming that we allowed restorecond to relabel without any sanity checks, restorecond will go ahead and set the extended attributes with the correct label. At some point the file gets overwritten which breaks the link. Now the attacker has a copy of the file with the xttr set with the label of the original file. They could then modify the file and use it for attacking whatever reads it. Of course, you might be able to do some analysis with policy sources to figure out if ultimately its safe to go ahead and allow the relabel. This is difficult, error prone, and time consuming. Restorecond is in a race with whatever reads the file to get its label corrected as fast as possible before you get an avc denial. So, the simplest thing to do is just not allow relabelling files that have a link number greater than one. Its rare that anyone has this problem. What you really want to do is figure out what is linking to the file. Can you tell what that is? Does it really need to be hardlinking to the file? -Steve _______________________________________________ rhelv5-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/rhelv5-list
