Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-hardened

From: Aleksander Kamil Modzelewski <aleander@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Vconfig on a selinux box
Date: Sat, 14 May 2005 17:52:08
Message-Id: 42863AB9.1070605@gmail.com
In Reply to: Re: [gentoo-hardened] Vconfig on a selinux box by Chris PeBenito
1 Chris PeBenito wrote:
2 >>I am trying to set up vlans (and several other things) on a hardened gentoo
3 >>box. I found out, that moving the vconfig to ifconfig_exec_t makes it almost
4 >>done, and I have seen that done with tc and ip, _but_ I'd like to just feel
5 >>sure that this is the right way.
6 > Here are a few questions to try to help you answer your question.
7 >
8 > 1. How conceptually similar is vconfig to ifconfig in terms of
9 > functionality?
10 I consider it logically grouped with it, and it appeared to me that the
11 policy applied to other tools working "along" ifconfig (like tc or mii-tool,
12 for example).
13
14 > 2. By running vconfig in ifconfig_t and adding permissions to ifconfig_t
15 > to make vconfig work, will this give ifconfig permissions that it
16 > doesn't need that could be exploited? For example, giving ifconfig_t
17 > sys_admin capability or raw disk access, or reading shadow_t, or even
18 > something simple like writing to etc_t.
19 Well, it _does_ need read access to sysfs_t. But nothing more.
20
21
22 > If you answered "very similar" for #1 and "no" for #2, you've probably
23 > made the right decision. If you say "very similar" for #1, and "yes"
24 > for #2, you should probably copy the ifconfig.te to vconfig.te and
25 > rename the types in vconfig.te (s/ifconfig/vconfig/g), and add your
26 > policy there. If you say "not very similar" for #1, then .you probably
27 > made the wrong decision.
28 Well, strictly, it would be "no + rather no". Well, anyway, I have decided
29 that giving the ifconfig additional permissions to make a tool from another
30 package work is inelegant. So, I made what You suggest, added
31 r_dir_file(vconfig_t, sysfs_t) and removed some parts which seemed clearly
32 unnecessary.
33
34 > I can't say for sure what the right course of action is until you show
35 > us the policy you've added. :)
36 I attach it now. Only file labeled as vconfig_exec_t is /sbin/vconfig.
37
38 Regards,
39 Aleksander Kamil Modzelewski

Attachments

File name MIME type
vconfig.te text/plain
vconfig.fc text/plain
smime.p7s application/x-pkcs7-signature
Report Message
Find on MARC Find on Google Groups