Re: mdadm policy
> So it looks to me like the transition to sendmail should always be
> included - well actually, ifdef(mta.te).
cc-ed Dan Walsh.
Proposed transition to sendmail from mdadm.te
(so it can send alerts to user).
Re: can_exec({ bin_t, sbin_t }) rule
Antoine, you have to be root/sysadm_t to configure
execution of such programs, right? If you have sysadm_t, you
can disable any and all security. The only protection
from sysadm_t that selinux provides is protection from
inadvertently running hostile code that messes with selinux
files - that's why we have a role called secadm_t
(I think this is work in progress).
So, we can't stop an intentional attack like this.
The only question is whether we should stop an unintentional
attack (the sysadm doesn't know the bin_t/sbin_t program is hostile,
the sysadm installs it anyway, the sysadm doesn't have the capability
to write to fixed_disk_device, but mdadm does, and
gives the hostile program the desired escalation).
Don't know..
> > > # RAID block device access
> > > allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
> >
> > hmm..yes..
> >
> > Well, in this case, mdadm_t is the trusted domain,
> > and you *want* to transition it to other domains upon execution
> > of something that you don't trust.
> >
> > So yes, if you want to send mail, you would add
> > a transition like this:
> > domain_auto_trans(mdadm_t, sendmail_exec_t, sendmail_t (or whatever..))
> >
> > What is this PROGRAM configurable option - can you describe in more
> > detail. I don't know anything about mdadm.
> >
> > > I will tweak my policy to make it run sendmail in
> > > sendmail_t and nothing else. That's safer than mdadm_t.
> >
> > Perhaps this is something that should be in default policy - it
> > sounds like a good threat model.
>
> What should be the domain to transition to upon execution of bin/sbin?
> Rather than using can_exec, I believe it should be:
> domain_auto_trans(mdadm_t, bin_t, that_domain_t)
> domain_auto_trans(mdadm_t, sbin_t, that_domain_t)
> But personally, I'll leave that out and rely on the email notification.
>
> Antoine
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
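For readers who want to see the two policy choices discussed in this thread side by side, here is an added mdadm.te fragment in the old example-policy (m4 macro) style the thread uses. It is not code from the thread or from any released policy; the types mdadm_t, fixed_disk_device_t, sendmail_exec_t, sendmail_t, bin_t and sbin_t are the ones named above, while mdadm_helper_t and mdadm_helper_exec_t are assumed names for illustration only.

```m4
# Added example, not from the thread.  Example-policy (m4) syntax.

# mdadm needs raw access to the RAID member devices.  This is exactly
# what makes mdadm_t a privileged domain: anything it executes *in*
# mdadm_t inherits this rule.
allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;

# Weak option (kept commented out only for contrast): any program the
# sysadmin names in the mdadm.conf PROGRAM line, labelled bin_t or sbin_t,
# would run inside mdadm_t and could write the fixed disks itself.
# can_exec(mdadm_t, { bin_t sbin_t })

# Preferred option from the thread: let mdadm exec sendmail for MAILADDR
# alerts, but have the child run in sendmail_t, so the mailer gets only
# sendmail's permissions and none of mdadm_t's block-device access.
ifdef(`mta.te', `
domain_auto_trans(mdadm_t, sendmail_exec_t, sendmail_t)
')

# If an arbitrary PROGRAM really must be supported, give it its own
# narrow domain rather than executing it in mdadm_t.  mdadm_helper_t and
# mdadm_helper_exec_t are assumed names that would have to be declared
# (type, domain_type, file_type ...) elsewhere in the policy.
# domain_auto_trans(mdadm_t, mdadm_helper_exec_t, mdadm_helper_t)
```

After loading the policy, a quick functional check is to run mdadm in monitor mode with --test (which emits a TestMessage alert for each array) while watching `ps -eZ`: the short-lived sendmail child should appear labelled sendmail_t, not mdadm_t. If it shows up as mdadm_t, either the transition rule was not included (check that mta.te is part of the build) or /usr/sbin/sendmail is not labelled sendmail_exec_t on that system.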
This mailing list archive is a service of Copilot Consulting.