Re: mdadm policy
> > I guess it allows execution of /bin and /sbin for the "PROGRAM" user
> > defined action, so I could keep it more restricted by only allowing
> > execution of sendmail_exec_t for my use.
>
> Perhaps...
>
> Note that the execution occurs without a transition (execute_no_trans),
> which means that while executing the sub-program, it runs in
> the same confined domain.
Well that's no comfort at all, mdadm_t domain has the ability to access
raw disks and send mail... That's worrying enough.
# RAID block device access
allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
> > Since this is the only
> > statement in the policy that allows execution of external code, it feels
> > like the most important place to put restrictions on.
>
> See above - execution of external code isn't so much of a problem
> as long as it occurs in the same domain. If the external code
> does anything undesirable, it will be done in the mdadm domain.
True as long as the domain is sufficiently constrained, which is not the
case for mdadm. I will tweak my policy to make it run sendmail in
sendmail_t and nothing else. That's safer than mdadm_t.
Antoine
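
The restriction described at the end of the message (run sendmail in sendmail_t and nothing else), written out as raw policy rules. This is an added example, not policy posted in the thread or taken from the shipped mdadm policy; it assumes the types mdadm_t, sendmail_t and sendmail_exec_t are declared elsewhere, and the three plumbing rules at the end are assumptions about what the mail helper needs.

```selinux
# Added example (not from the thread). Types are assumed to be declared elsewhere.

# Form under discussion: the helper is executed without a transition,
# so it keeps every permission of mdadm_t, including the rule quoted above:
#   allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
# Shown commented out for comparison only.
# allow mdadm_t sendmail_exec_t:file { getattr read execute execute_no_trans };

# Restricted form: mdadm_t can run the mail program only by entering sendmail_t.
# execute_no_trans is deliberately absent, so an exec that does not
# transition is denied instead of running in mdadm_t.
allow mdadm_t sendmail_exec_t:file { getattr read execute };
allow mdadm_t sendmail_t:process transition;
allow sendmail_t sendmail_exec_t:file entrypoint;

# Make the transition the default, so mdadm needs no SELinux-aware code.
type_transition mdadm_t sendmail_exec_t:process sendmail_t;

# Plumbing commonly required after a transition (assumption: mdadm passes
# the message over an inherited pipe and waits for the child to exit).
allow sendmail_t mdadm_t:fd use;
allow sendmail_t mdadm_t:fifo_file { getattr read write };
allow sendmail_t mdadm_t:process sigchld;

# No execute rule is granted here for the generic /bin and /sbin types,
# so a PROGRAM action pointing at any other binary is denied.
```

With the module loaded, AVC denials for execute_no_trans with scontext mdadm_t in the audit log show any helper that is still being started in the mdadm domain.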
--
This message was distributed to subscribers of the selinux mailing list.