Old 01-14-2008, 09:32 AM
Christoph Höger
 
Is 'search' on home_root_t always bad?


Hi,

currently I encounter a denial for openvpn which tries to "search"
home_root_t. Is that generally a bad idea (and openvpn should be fixed)
or should it be allowed?

regards

christoph

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 01-14-2008, 02:52 PM
Daniel J Walsh
 
Is 'search' on home_root_t always bad?


Christoph Höger wrote:
> Hi,
>
> currently I encounter a denial for openvpn which tries to "search"
> home_root_t. Is that generally a bad idea (and openvpn should be fixed)
> or should it be allowed?
>
> regards
>
> christoph


home_root_t is the label of /home and potentially other parent directories
of user home directories.

So if I had my homedirs in /users/dwalsh, /users would be labeled
home_root_t and /users/dwalsh would be labeled user_home_dir_t.


So searching home_root_t usually means that a domain is trying to
look at something in the home directory. If a domain has no reason to
look in the home directory, this could indicate a problem.

If I were a cracker and I broke into your machine, I would want to
attack home directories to grab secrets like stored passwords and credit
card data.

Now that being said, it is fairly easy to generate this type of AVC.
When you start up a daemon, it often checks out its current working
directory, so if you su to root and then "service openvpn restart" you
could generate this AVC. Also openvpn might have a legitimate reason to
read the user's homedir, and we don't allow it in policy, which could be
a bug.

Dan



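A triage helper in the spirit of Dan's reply, added here as an example (not code from the thread or from the Fedora policy): it parses constructed audit.log AVC lines and, for each domain denied search on home_root_t, applies my own rule of thumb that a lone search looks like a cwd check while further denials on user_home_dir_t/user_home_t from the same domain point at real home-directory access.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the thread); type names such
# as openvpn_t and user_home_t follow Fedora's reference policy naming.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200306000.101:40): avc:  denied  { search } for  pid=2345 comm="openvpn" name="home" dev=sda1 ino=2 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1200306100.202:41): avc:  denied  { search } for  pid=2401 comm="ntpd" name="home" dev=sda1 ino=2 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1200306100.250:42): avc:  denied  { read } for  pid=2401 comm="ntpd" name=".ssh" dev=sda1 ino=77 scontext=system_u:system_r:ntpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1200306200.303:43): avc:  denied  { write } for  pid=2500 comm="httpd" name="index.html" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\w+)'
)

# Types Dan names for the home directories themselves and their contents.
HOME_TYPES = {"user_home_dir_t", "user_home_t"}


def parse_avc(line):
    """Return (source type, target type, permissions) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is what policy keys on.
    return (m.group("scontext").split(":")[2],
            m.group("tcontext").split(":")[2],
            m.group("perms").split())


def triage_home_root_search(log_text):
    """Map each domain denied 'search' on home_root_t to a triage verdict.
    Heuristic (my assumption, from Dan's reasoning): a lone search reads like a
    cwd check; added denials on user_home_* types suggest real home access."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            by_domain[rec[0]].append(rec)
    verdicts = {}
    for domain, recs in by_domain.items():
        if not any(ttype == "home_root_t" and "search" in perms for _, ttype, perms in recs):
            continue
        if any(ttype in HOME_TYPES for _, ttype, _ in recs):
            verdicts[domain] = "investigate: also denied on home directory contents"
        else:
            verdicts[domain] = "probable cwd check: confirm how the daemon was started"
    return verdicts
```

Running it on the constructed excerpt flags ntpd_t for a closer look and classifies the openvpn_t denial as a probable cwd check, while httpd_t, which never touched home_root_t, is not reported.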