On 10/27/2010 06:35 AM, Bryn M. Reeves wrote:
On 10/26/2010 10:39 PM, Bruno Wolff III wrote:
On Tue, Oct 26, 2010 at 14:07:53 -0700, Jesse Keating jkeating@redhat.com wrote:
That's only if you give root the right to disable or load new selinux policy.
And the policy is tight enough. You need to not allow root shells or most processes the ability to read the keys out of memory or to write memory that will change how things work. I don't think targeted policy is locked down enough to stop that even if you don't allow root to disable selinux.
Seriously, there are machines on the public Internet with a published root account. You're welcome to log in and try to do anything with them.
Yeah, I know about one guy that offers a root password if you ask. I am not sure what policy he is running on that machine.
It's Russell Coker, access details are available here:
http://www.coker.com.au/selinux/play.html
However the pages haven't been updated in a while and the service seems to be down right now.
Regards, Bryn.
There are two ways to get root on a system. One is through a login process. Either log in directly as root or log in as a user and execute su/sudo. SELinux by default since F9 and RHEL6 allows you to set up confined users, but defaults to unconfined_t. If you log in to a system as a user and get the unconfined_t user type, and you become root, you can take over the system. You can set up the root account to log in as any confined user, and show a UID=0 account that cannot do much.
SELinux also includes the concept of confined admin. You can set up accounts that have limited privileged root access. webadm_r:webadm_t
http://magazine.redhat.com/2008/04/17/fedora-9-and-summit-preview-confining-...
Explains this.
On my laptop I run as staff_t and when I run sudo I become webadm_t. If I run runuser I become unconfined_t. This means you can set up a user account that can use sudo to do certain admin activities with locked down privs.
The other way you can become root is to break into the system through a flaw in a network service. If you are running SELinux and break into httpd, you would end up with a process labeled httpd_t, and would only be allowed to do the things the web server is allowed to do, even if your UID==0.
One caveat in this is, if there is a kernel flaw that allows an account to manipulate memory in the kernel, the hacker has a chance to turn SELinux enforcement off, and all bets are off. We try to protect against this through checks like execmem, execstack, execmod, execheap and memzero checks. Hopefully more in the future.
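The following is an added example, not part of the original message: a small audit that separates UID 0 processes running in an unconfined domain from those held in a confined one such as httpd_t or webadm_t. The sample input is constructed in the shape of `ps -eo euid,label,comm --no-headers`, and treating only unconfined_t as unconfined is an assumption taken from the message, not from any loaded policy.

```python
"""Separate UID 0 processes by whether their SELinux domain is confined."""
from typing import NamedTuple

# Constructed sample, shaped like `ps -eo euid,label,comm --no-headers`.
SAMPLE_PS = """\
0 system_u:system_r:httpd_t:s0 httpd
0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 bash
0 staff_u:webadm_r:webadm_t:s0-s0:c0.c1023 vim
1000 staff_u:staff_r:staff_t:s0-s0:c0.c1023 firefox
1001 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 bash
0 - kworker/0:1
"""

# Assumption: only unconfined_t (the type named in the message) is treated
# as unconfined; extend this set to match the policy actually loaded.
UNCONFINED_TYPES = frozenset({"unconfined_t"})


class Proc(NamedTuple):
    euid: int
    user: str
    role: str
    type: str
    comm: str


def parse_ps(text):
    """Parse 'euid label comm' lines, skipping rows without a full context."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        euid, label, comm = fields
        # Context is user:role:type[:level]; the MLS level can contain
        # colons itself (s0-s0:c0.c1023), so split at most three times.
        parts = label.split(":", 3)
        if len(parts) < 3:
            continue  # "-" or truncated label: no SELinux context to judge
        procs.append(Proc(int(euid), parts[0], parts[1], parts[2], comm))
    return procs


def root_unconfined(procs):
    """UID 0 processes that SELinux does not restrict by domain."""
    return [p for p in procs if p.euid == 0 and p.type in UNCONFINED_TYPES]


def root_confined(procs):
    """UID 0 processes still limited to what their domain allows."""
    return [p for p in procs if p.euid == 0 and p.type not in UNCONFINED_TYPES]
```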