danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
xguest blocks word document from executing temporary files...
danwalsh
I belong to a Condo association and they sent out an Email with a .doc attachment to all owners.  My wife downloaded the document onto her machine and called me to tell me that she was not able to read it.  I saw the same document, and was able to read it so I suspected there was a problem with xguest.  When I arrived home, I looked at the audit.log file and sure enough OpenOffice was being blocked by xguest policy.

I saw an avc that said, xguest_mozilla_t (firefox/openoffice) was not able to execute xguest_home_t or xguest_tmp_t.   I thought this is strange, so I looked further.  Turns out the doc file contained some kind of macros (I am guessing that is what they were) that OpenOffice gladly extracted into a tmp file and tried to execute.  Now I have no idea what these macros were supposed to do, or what they did on my machine.  But a tightly confined machine like xguest blocked the execution.  It makes you step back and think about potential problems that can arise when a random Word Document can cause temporary files on your home dir to be executed.

You can toggle this behavior though the use of the boolean, allow_xguest_exec_content.

setsebool -P allow_xguest_exec_content=1

will allow xguest users to execute programs in thier home directories or on /tmp.

This is turned off by default.

XMonad actually compiles your configuration file, (which is nothing more than a haskell source file), and turns that into a custom window manager. I suppose the sysadmin that sets up xmonad for all the lucky users will probably know to precompile it, and direct xmonad to find it somewhere better. Even so, it seems that certain classes of programs have a very strong use case for being able to import new code to execute, and may do it inside /home.

Rather than just saying no to these sorts of programs, it would be great if we can look at what kind of code these programs might execute, and how to do it so it is restricted to certain levels.

-Yaakov

You are viewing danwalsh