[CentOS] Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux

Gordon Messmer yinyang at eburg.com
Wed May 26 05:34:53 UTC 2010


On 05/25/2010 08:09 PM, Whit Blauvelt wrote:
>
> So with selinux, in general any script that selinux would stop from running
> due to the script's own extra selinux file tags can be run if Evil Intruder
> simply invokes the same script with its shell first - sh or perl or python
> or whatever? That counts as security? Through what? The obscurity of this
> devious workaround?

Similarly, suppose I have a script (/usr/local/bin/example) with 
permission 0700.  Now, if Evil Intruder simply copies the script 
elsewhere and changes its permissions, he can read and execute the script!

Similarly, if I have Firefox running as userA, then userB cannot read 
its memory.  However, if userB runs Firefox, he can read that process' 
memory!

You're being silly.  SELinux confines the daemons that the administrator 
starts so that they don't take actions that aren't allowed by policy. 
If an attacker gains access to the system with a higher set of 
privileges than the confined daemon, OF COURSE he can run the daemon 
with higher privileges.  That doesn't negate the value of YOUR ability 
to DECREASE the privileges available to the daemons that run on your 
systems.



More information about the CentOS mailing list