
Re: mdadm policy


On Fri, 2005-06-24 at 15:05 -0400, Ivan Gyurdiev wrote:
> > So it looks to me like the transition to sendmail should always be
> > included - well actually, ifdef(mta.te).
> 
> cc-ed Dan Walsh.
> Proposed transition to sendmail from mdadm.te
> (so it can send alerts to user).
> 
> Re: can_exec({ bin_t, sbin_t }) rule
> 
> Antoine, you have to be root/sysadm_t to configure
> execution of such programs, right? If you have sysadm_t, you
> can disable any and all security. The only protection
> from sysadm_t that selinux provides is protection from
> inadvertently running hostile code that messes w/ selinux
> files - that's why we have a role called secadm_t
> (I think this is work in progress).
I admit the threat is minimal, but I just don't like the idea of running
things as mdadm_t when it isn't necessary.
You would need to know what is run by mdadm (as mdadm.conf is not
readable by non root/sysadm_t) *and* find a flaw in it *and* trigger the
mdadm error condition. Very slim indeed.
On the other hand, any flaw in one of the bin_t/sbin_t programs run by
mdadm would lead to a full compromise (using raw disks). And there has
been more than one flaw found in sendmail/postfix/... And since it is
avoidable, why not remove access to raw disks before launching the
program. (I think the transition to sendmail_t is the minimum)

> So, we can't stop an intentional attack like this.
> The only question is whether we should stop unintentional
> attack (sysadm doesn't know bin_t/sbin_t program is hostile,
> sysadm installed it anyway, sysadm doesn't have capability
> to write to fixed_disk_device, but mdadm does, and 
> gives hostile program desired escalation). 
Hostile program *or* shell script with insecure privileges/files, etc.

Antoine
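To put the two options side by side, the following is an added policy fragment in the syntax of the 2005-era example policy (an illustration written for this archive page, not the actual mdadm.te under discussion); `can_exec`, `domain_auto_trans`, `sendmail_exec_t`, `sendmail_t` and `fixed_disk_device_t` are the standard macro and type names of that policy, while `mdadm_t` is assumed to be the domain defined in mdadm.te.

```selinux
# Option A (the can_exec rule under discussion): mdadm may run any
# bin_t/sbin_t program directly. The program stays in mdadm_t and so
# inherits everything mdadm_t has, including write access to
# fixed_disk_device_t (the raw disks). A flaw in the program, or in a
# shell script it runs, is then a flaw with raw disk access.
can_exec(mdadm_t, { bin_t sbin_t })

# Option B (the proposed minimum): allow only the mail path, and make it
# a domain transition. The alert-sending program runs as sendmail_t, a
# domain that does not carry mdadm_t's raw disk access, so a flaw in the
# mailer no longer reaches the disks. The ifdef keeps the rule harmless
# when the MTA policy is not built.
ifdef(`mta.te', `
domain_auto_trans(mdadm_t, sendmail_exec_t, sendmail_t)
')
# Trade-off: with Option B alone, any other PROGRAM entry in mdadm.conf
# is denied in enforcing mode, which is exactly the "remove access to raw
# disks before launching the program" position argued above.
```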


--
This message was distributed to subscribers of the selinux mailing list.