• 1

I think there *may* be a bug here.

I was looking at this but i *think* i can currently go around this:

$ sesearch --allow -SC -s staff_t -t user_home_type -c file -p execute
Found 2 semantic av rules:
allow staff_usertype nsplugin_rw_t : file { ioctl read getattr lock execute execute_no_trans open } ;
ET allow staff_usertype user_home_type : file { ioctl read getattr execute execute_no_trans open } ; [ allow_staff_exec_content ]

So: nsplugin_rw_t seems executable unconditionally.

from nsplugin.te:

type nsplugin_rw_t;

.. This seems weird to me:

$ semanage fcontext -l | grep nsplugin_rw_t
/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? all files system_u:object_r:nsplugin_rw_t:s0

So content in /usr/lib(64)?/mozilla/plugins-wrapped is user_home_content !?

Ok no problem so far (because that makes it conditionally executable), but:

from nplugin.if (nsplugin_role_notrans):

can_exec($2, nsplugin_rw_t)

.. This makes it unconditionally executable.

So how to go around this:

chcon -t nsplugin_rw_t ~/virus

Also i think it should noted that this functionality is limited.
For example, i *think* a perl script could still be executed by running it via the perl executable "perl ~/virus".

I think the problem is nsplugin_rw_t should not be a user_home_type.

I will submit changes to F1[2-5] and RHEL6

how to create new confined user

I don't want to use any existing SELinux users - Is it possible to create new confined user (say myuser_u) and allow him only limited binaries file?

Yes you can write policy for a new confined user. You can use sepolgen or selinux-polgengui to get started writing policy.

Limiting binaries might be more difficult depending on the binaries. Rather then be concerned about the binaries, please state your use case in terms of which files a user can read/write, which network ports then can bind to or connect to.

Being able to execute /bin/cat is not a problem. Being able to /bin/cat /var/lib/TopSecret/Plans is a problem.

  • 1

Log in