danwalsh


Dan Walsh's Blog

Got SELinux?


xguest blocks word document from executing temporary files...
I belong to a Condo association and they sent out an Email with a .doc attachment to all owners.  My wife downloaded the document onto her machine and called me to tell me that she was not able to read it.  I saw the same document, and was able to read it so I suspected there was a problem with xguest.  When I arrived home, I looked at the audit.log file and sure enough OpenOffice was being blocked by xguest policy.

I saw an AVC that said xguest_mozilla_t (firefox/openoffice) was not able to execute xguest_home_t or xguest_tmp_t.   I thought this was strange, so I looked further.  Turns out the doc file contained some kind of macros (I am guessing that is what they were) that OpenOffice gladly extracted into a tmp file and tried to execute.  Now I have no idea what these macros were supposed to do, or what they did on my machine.  But a tightly confined machine like xguest blocked the execution.  It makes you step back and think about potential problems that can arise when a random Word Document can cause temporary files in your home dir to be executed.

You can toggle this behavior through the use of the boolean allow_xguest_exec_content.

setsebool -P allow_xguest_exec_content=1

will allow xguest users to execute programs in their home directories or in /tmp.

This is turned off by default.
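
Before flipping the boolean it is worth confirming that the denials in audit.log really are this case. The following is an added example, not code from the original post: it filters AVC records for execute denials from xguest_mozilla_t against xguest_home_t or xguest_tmp_t. The type names come from the post; the log lines, file names and helper names are constructed for illustration.

```python
import re

# Type names come from the post; the log lines below are constructed samples.
SOURCE_TYPE = "xguest_mozilla_t"
TARGET_TYPES = {"xguest_home_t", "xguest_tmp_t"}
EXEC_PERMS = {"execute", "execute_no_trans"}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = """\
type=AVC msg=audit(1203600001.101:41): avc:  denied  { execute } for  pid=2345 comm="soffice.bin" name="sv4f1.tmp" dev=dm-0 ino=98311 scontext=xguest_u:xguest_r:xguest_mozilla_t:s0 tcontext=xguest_u:object_r:xguest_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1203600001.101:41): arch=40000003 syscall=11 success=no exit=-13 comm="soffice.bin"
type=AVC msg=audit(1203600002.220:42): avc:  denied  { execute } for  pid=2345 comm="soffice.bin" name="macro.bin" dev=dm-0 ino=98320 scontext=xguest_u:xguest_r:xguest_mozilla_t:s0 tcontext=xguest_u:object_r:xguest_home_t:s0 tclass=file
type=AVC msg=audit(1203600003.007:43): avc:  denied  { read } for  pid=2401 comm="firefox" name="shadow" dev=dm-0 ino=98400 scontext=xguest_u:xguest_r:xguest_mozilla_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other records."""
    perms = PERMS_RE.search(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") != "AVC" or perms is None:
        return None
    fields["perms"] = set(perms.group(1).split())
    return fields

def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def exec_content_denials(lines):
    """Denials where the confined domain tried to execute home or tmp content."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        if not rec["perms"] & EXEC_PERMS:
            continue
        src = context_type(rec.get("scontext", ""))
        tgt = context_type(rec.get("tcontext", ""))
        if src == SOURCE_TYPE and tgt in TARGET_TYPES:
            hits.append((rec.get("comm"), tgt, rec.get("name") or rec.get("path")))
    return hits

if __name__ == "__main__":
    for comm, tgt, name in exec_content_denials(SAMPLE_LOG.splitlines()):
        print(f"{comm} blocked from executing {name} ({tgt})")
```

Denials that fall outside this filter, such as the constructed read denial in the sample, are not covered by allow_xguest_exec_content and need to be looked at separately.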

That is why there is a boolean option to turn this off

danwalsh

2008-02-21 01:41 pm (UTC)

You also have the option of writing policy for XMonad, so that it would be able to do its thing, via a transition. The point being that SELinux gives us the ability to decide what gets to be executed in the Home Dir, and prevent some of the problems/vulnerabilities that have plagued that other desktop Operating System.
