I think there *may* be a bug here.

I was looking at this but I *think* I can currently go around this:

$ sesearch --allow -SC -s staff_t -t user_home_type -c file -p execute
Found 2 semantic av rules:
allow staff_usertype nsplugin_rw_t : file { ioctl read getattr lock execute execute_no_trans open } ;
ET allow staff_usertype user_home_type : file { ioctl read getattr execute execute_no_trans open } ; [ allow_staff_exec_content ]
So: nsplugin_rw_t seems executable unconditionally.

from nsplugin.te:

type nsplugin_rw_t;
files_poly_member(nsplugin_rw_t)
userdom_user_home_content(nsplugin_rw_t)

.. This seems weird to me:

$ semanage fcontext -l | grep nsplugin_rw_t
/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? all files system_u:object_r:nsplugin_rw_t:s0

So content in /usr/lib(64)?/mozilla/plugins-wrapped is user_home_content !?

Ok no problem so far (because that makes it conditionally executable), but:

from nplugin.if (nsplugin_role_notrans):

can_exec($2, nsplugin_rw_t)

.. This makes it unconditionally executable.

So how to go around this:

chcon -t nsplugin_rw_t ~/virus
~/virus

Also I think it should be noted that this functionality is limited.
For example, I *think* a perl script could still be executed by running it via the perl executable "perl ~/virus".
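The comment's argument rests on reading `sesearch` output: the rule for `nsplugin_rw_t` has no trailing `[ boolean ]`, so it is unconditional, while the `user_home_type` rule is guarded by `allow_staff_exec_content`. The following script is an added example (not code from the commenter or from the reference policy) that automates that audit: it parses `sesearch`-style rule lines, extracts the types a `.te` snippet marks as user home content via `userdom_user_home_content()`, and reports any `file execute` allow rule on such a type that is not guarded by a boolean. The sample output and policy snippet are constructed from the lines quoted above; the assumption that an absent `[ ... ]` tail means an unconditional rule matches how `sesearch -SC` prints conditional rules.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the two rules quoted in the comment above, as sesearch prints them.
SAMPLE_SESEARCH_OUTPUT = """\
Found 2 semantic av rules:
allow staff_usertype nsplugin_rw_t : file { ioctl read getattr lock execute execute_no_trans open } ;
ET allow staff_usertype user_home_type : file { ioctl read getattr execute execute_no_trans open } ; [ allow_staff_exec_content ]
"""

# Constructed sample: the nsplugin.te fragment quoted in the comment.
SAMPLE_TE = """\
type nsplugin_rw_t;
files_poly_member(nsplugin_rw_t)
userdom_user_home_content(nsplugin_rw_t)
"""

# One sesearch rule line: optional flag prefix (e.g. "ET" for a conditional rule that is
# currently enabled), "allow SRC TGT : CLASS { perms } ;", optional "[ boolean ]" tail.
RULE_RE = re.compile(
    r"^(?:(?P<flags>[A-Z]+)\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*;\s*(?:\[\s*(?P<bool>[^\]]+?)\s*\])?\s*$"
)

# Types passed to userdom_user_home_content() in a .te file.
HOME_CONTENT_RE = re.compile(r"userdom_user_home_content\(\s*(\w+)\s*\)")


def parse_sesearch(output: str) -> List[Dict]:
    """Parse sesearch --allow output into rule dicts; non-rule lines are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "source": m.group("src"),
            "target": m.group("tgt"),
            "class": m.group("cls"),
            "perms": set(m.group("perms").split()),
            # None when the rule carries no "[ boolean ]" tail, i.e. it is unconditional.
            "boolean": m.group("bool"),
        })
    return rules


def home_content_types_from_te(te_text: str) -> Set[str]:
    """Collect types that a .te snippet declares as user home content."""
    return set(HOME_CONTENT_RE.findall(te_text))


def unconditional_exec_rules(rules: List[Dict], home_content_types: Set[str]) -> List[Dict]:
    """Return file-execute allow rules on a home-content type that no boolean guards.

    These are the rules that let a user sidestep a boolean such as
    allow_staff_exec_content, because the type-specific grant applies regardless
    of how the boolean is set.
    """
    return [
        r for r in rules
        if r["class"] == "file"
        and "execute" in r["perms"]
        and r["boolean"] is None
        and r["target"] in home_content_types
    ]


def audit(sesearch_output: str, te_text: str, extra_home_types: Optional[Set[str]] = None) -> List[str]:
    """Produce one finding line per unguarded execute rule on a home-content type."""
    home_types = home_content_types_from_te(te_text) | (extra_home_types or set())
    rules = parse_sesearch(sesearch_output)
    return [
        f"{r['source']} may execute {r['target']} unconditionally (no boolean guard)"
        for r in unconditional_exec_rules(rules, home_types)
    ]


if __name__ == "__main__":
    # user_home_type is the attribute that userdom_user_home_content() assigns, so it is
    # included as home content alongside the types found in the .te snippet.
    for finding in audit(SAMPLE_SESEARCH_OUTPUT, SAMPLE_TE, {"user_home_type"}):
        print(finding)
```

Against the sample data the script reports exactly one finding, for `nsplugin_rw_t`; the `user_home_type` rule is not reported because it is guarded by `allow_staff_exec_content`. To run it against a live system, replace the constructed strings with the output of `sesearch --allow -SC -s <domain> -c file -p execute` and the relevant policy module source.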
