should runcon/chcon be privileged commands?

I'm a bit surprised that an unconfined normal user is allowed to use runcon/chcon this way. I would expect these to be privileged commands only available to root. Shouldn't they be?

Re: should runcon/chcon be privileged commands?

runcon and chcon do not add any privileges; they just execute the libselinux API. The kernel is responsible for checking whether or not a type is able to change the context from one context to another.

Similarly, the kernel/policy will control whether one process can transition to another process.

From an SELinux point of view running as UID=0 means NOTHING. There is no concept of "privileged" in the DAC sense.

Re: should runcon/chcon be privileged commands?

Alternatively... shouldn't modifying the file security context be a privileged operation? I've never had a use for letting non-admins modify these labels, and always assumed they were managed by the central file_context policy.

Re: should runcon/chcon be privileged commands?

Well, the type enforcement rules are controlling what labels they can relabel from and what labels they can relabel to.

So a user_t user might be allowed to relabel from user_home_t to httpd_user_content_t to allow them to make content available to Apache from within their home dir.

This is very different than the way traditional MLS machines worked. So they are not changing the sensitivity level of data, they are just relabeling data from one type they control to another.

unconfined == root?

If I understand you correctly, the unconfined user can always relabel his apps into whatever domain is convenient for him. So in essence he has the capabilities of all of them. So we arrive back at the idea of the all-powerful root, aka the guy who holds all the keys.

The NULL pointer exploit thing is big and flashy, but I have a hunch that there are other ways to escalate from unconfined --> root. I think you are going to have to forbid non-root users from running as "unconfined."

Anyway, in spite of all the difficulties, I'm glad you guys are working on selinux. Capability-based security is definitely an idea whose time has come...

