On Tue, 2009-07-21 at 16:38 +0100, Alan Cox wrote:
> > turns it off for the whole system when you install WINE. This patch
> > doesn't change that fact. All it does is add that requirement to
> > SELinux systems that already exists on non-selinux systems.
>
> Prior to this an SELinux system could implement sensible security.

Sadly, it couldn't reasonably :(

> > > Am I missing something here, this "solution" sounds completely brain
> > > dead ?
> >
> > Well, with patch 2/2 you still get your SELinux protections (only for 1
> > page) even if you disable it for the whole system. So in the end, you
> > have better protection than you have today with this series....
>
> We know one page isn't sufficient. That has been seen from some exploit
> cases.

Yet another tunable is easy, and what I mentioned yesterday, i'd probably put it in /selinux since it would be an selinux only thing. This just seemed reasonable, since the Kconfig default is 4096 that's what most people have anyway right?

> So this looks to me like a regression in features, that makes the system
> less secure and doesn't solve anything at all.
>
> Whereas if you just set the default SELinux user confinement to allow
> everything but mapping low pages you wouldn't actually need to mess up
> the kernel ?

Herein lies the problem. It sounds easy to do, but isn't. Sure I can remove mmap_zero from unconfined_t (and actually it should be that way in rawhide by default by now) but like I said, it's not even a speed bump to be that broad.

runcon -t wine_t [my exploit]
win.

So now I have to stop allowing unconfined_t to specifically run things as wine_t. Easy enough to get around

chcon -t wine_exec_t [my exploit]
win.

Well crap, now I have to stop letting unconfined_t label things wine_exec_t. Easy enough to get around if you can load it as an rpm (ok, this step is probably harder)

and hell, how do I know I can't just get wine some windows program to get win to map the page for me?

Finding all of the contortions that an unconfined user can do is nearly impossible. It's one of the reasons a lot of selinux people argued against the unconfined domain to begin with. There are some analysis tools used in high security environments to prove security goals but unconfined is such a monstrosity it's too hard to get a handle on. Make everyone log in as user_t (man semanage) and you will be better (but I haven't proven it is safe...)

> Currently I have low page protection and I don't have to run wine as
> CAP_SYS_RAWIO (which comes in the "sucidial ideas") category. I consider
> the loss of that ability a regression.

and you still could. Just set mmap_min_addr = 0 and you get SELinux protection for confined domains. I'll gladly add an selinux tunable if people like it so SELinux users who don't want to enforce the uid=0 rule can do exactly everything they can do today.

Someone on this list has to know a wine guru. Seems to me there has to be a way that we can give wine CAP_SYS_RAWIO just long enough to map the page so non-SELinux users aren't left in the lurch they are today.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.