Re: mdadm policy


antoine wrote:

On Fri, 2005-06-24 at 15:05 -0400, Ivan Gyurdiev wrote:
So it looks to me like the transition to sendmail should always be
included - well actually, ifdef(mta.te).
cc-ed Dan Walsh.
Proposed transition to sendmail from mdadm.te
(so it can send alerts to user).

Re: can_exec({ bin_t, sbin_t }) rule

Antoine, you have to be root/sysadm_t to configure
execution of such programs, right? If you have sysadm_t, you
can disable any and all security. The only protection
from sysadm_t that selinux provides is protection from
inadvertently running hostile code that messes w/ selinux
files - that's why we have a role called secadm_t
(I think this is work in progress).
I admit the threat is minimal, but I just don't like the idea of running
things as mdadm_t when it isn't necessary.
You would need to know what is run by mdadm (as mdadm.conf is not
readable by non root/sysadm_t) *and* find a flaw in it *and* trigger the
mdadm error condition. Very slim indeed.
On the other hand, any flaw in one of the bin_t/sbin_t programs run by
mdadm would lead to a full compromise (using raw disks). And there has
been more than one flaw found in sendmail/postfix/... And since it is
avoidable, why not remove access to raw disks before launching the
program. (I think the transition to sendmail_t is the minimum)

So, we can't stop an intentional attack like this.
The only question is whether we should stop unintentional
attack (sysadm doesn't know bin_t/sbin_t program is hostile,
sysadm installed it anyway, sysadm doesn't have capability
to write to fixed_disk_device, but mdadm does, and gives hostile program desired escalation).
Hostile program *or* shell script with insecure privileges/files, etc.

Antoine

Add privmail attribute and you will transition to system_mail_t when starting sendmail.
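What the two proposals above look like in the old NSA/Fedora example-policy style, as an added illustration that is not from the thread or from the policy tree itself (the `ifdef` guard, the `domain_auto_trans` macro, the `privmail` attribute and `sendmail_exec_t`/`system_mail_t` types are assumed to be those of that policy):

```selinux
# mdadm.te (example fragment, added here)
#
# Option 1 (Ivan): explicit transition, only when mta.te is in the build.
# The alert program then runs as system_mail_t and never inherits
# mdadm_t's access to fixed_disk_device_t.
ifdef(`mta.te', `
domain_auto_trans(mdadm_t, sendmail_exec_t, system_mail_t)
')

# Option 2 (Dan): give mdadm_t the privmail attribute; mta.te already
# carries the transition rule for every privmail domain, so no new
# domain_auto_trans line is needed in this file.
typeattribute mdadm_t privmail;
```

Either way the check is the same after a reload: `ps -eZ` should show the mail program as system_mail_t, not mdadm_t, while the alert is being sent.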

--
This message was distributed to subscribers of the selinux mailing list.
This mailing list archive is a service of Copilot Consulting.