Civilizing SELinux
Posted Nov 26, 2004 4:47 UTC (Fri) by etbe (subscriber, #17516)
In reply to:
Civilizing SELinux by Method
Parent article:
Civilizing SELinux
One point that should be mentioned when discussing policy generation is
the bugs in applications that are discovered when writing policy.
ifdef(`hide_broken_symptoms', `
dontaudit ifconfig_t dhcpc_t:{ packet_socket udp_socket } { read write };
dontaudit ifconfig_t dhcpc_state_t:file { read write };
')dnl end broken symptoms
The above policy from dhcpc.te is to cover the bugs in the dhcpd which
allow inheriting open file handles when inappropriate. The file handles
in question should be explicitly closed before exec or set to
close-on-exec by fcntl. This is only a minor bug and doesn't seem
exploitable, so we just put in dontaudit rules; eventually the dhcpd bugs
will be fixed.
Another example was a kernel bug that allowed init to inherit file
handles to the initrd. I believe that I was the first person to discover
that bug as it showed up in my log files on boot in an obvious manner.
It is possible that someone else found the bug first (AFAIK no-one
reported it first); that bug was not particularly difficult to find (it
showed up in lsof), but it was a lot more obvious when running SE Linux.
These are just two examples of how SE Linux policy when written correctly
will expose bugs. If the policy was written in a manner of "let's run it
once and allow everything it tries to do" then such bugs would be
obscured.
Finally there are many situations in which programs have to be permitted
access that they don't normally request. Every daemon must be granted
syslog access even though some daemons do not use syslog when things work
well.
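The following is an added example, not part of etbe's comment and not code from dhcpcd or the SELinux reference policy. It shows in C the descriptor inheritance the comment describes and the two fixes it names: a file descriptor opened without the close-on-exec flag survives exec() into a child program, which is what SELinux flags as an odd access from the new domain; marking it with fcntl(F_SETFD, FD_CLOEXEC), or opening it with O_CLOEXEC in the first place, stops the leak. The program assumes a POSIX system with /bin/sh, and uses /dev/null as a stand-in for the daemon's state file.

```c
/* Added example: demonstrate fd leakage across exec() and the
 * close-on-exec fix. Not code from the comment, dhcpcd or refpolicy. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec, preserving any other fd flags. 0 on success. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Fork and exec /bin/sh, asking it whether descriptor fd is still open
 * in the new program image. The redirection ": <&N" only succeeds when N
 * is an open descriptor, so the child's exit status tells us whether the
 * fd leaked across exec. Returns 1 if it survived, 0 if not, -1 on error. */
int fd_survives_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* silence the shell's "bad file descriptor" message */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, STDERR_FILENO); close(devnull); }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    /* /dev/null stands in for a state file the daemon keeps open (assumption) */
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }
    printf("fresh fd %d: cloexec=%d, survives exec=%d\n",
           fd, is_cloexec(fd), fd_survives_exec(fd));

    /* Fix 1: set FD_CLOEXEC after the fact with fcntl */
    set_cloexec(fd);
    printf("after fcntl FD_CLOEXEC: cloexec=%d, survives exec=%d\n",
           is_cloexec(fd), fd_survives_exec(fd));
    close(fd);

    /* Fix 2: ask for the flag atomically at open() time */
    int fd2 = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (fd2 < 0) { perror("open"); return 1; }
    printf("opened with O_CLOEXEC: cloexec=%d, survives exec=%d\n",
           is_cloexec(fd2), fd_survives_exec(fd2));
    close(fd2);
    return 0;
}
```

The leaked-descriptor case is exactly what a strict policy makes visible: the child domain (dhcpc_t in the comment's example) touches a descriptor it was never granted, and without a dontaudit rule the denial lands in the audit log, pointing straight at the missing close-on-exec.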