On Mon, Jul 24, 2006 at 06:09:00PM -0500, Klaus Weidner wrote:
> I tested the patch below which treats ranged objects as single level
> object (using the lower level) for unprivileged processes.

Unfortunately this doesn't seem to fix the pty exploit I had mentioned
earlier, newrole_typescript.py continues working even using the stricter
policy:

  https://www.redhat.com/archives/redhat-lspp/2006-July/msg00024.html

Note that after a newrole, the pty slave end is relabeled to the single
effective level, but the master end appears to stay at its old level, and
the processes using the master and slave ends can communicate even though
they are at different levels. Sounds as if this is a separate issue, or
I've messed up the new policy.

FYI, here are the steps I used to install the patched policy (based on
the SPEC file). I'd appreciate tips if there's a simpler way to do this...

From the /usr/src/redhat/BUILD/serefpolicy-*/ directory which you get by
installing the source RPM and running "rpmbuild -bp SPECS/selinux-policy.spec":

  RPM_SOURCE_DIR=/usr/src/redhat/SOURCES
  Args="NAME=mls TYPE=strict-mls DISTRO=redhat DIRECT_INITRC=n MONOLITHIC=n POLY=y"
  make $Args bare
  make $Args conf
  /bin/cp -f ${RPM_SOURCE_DIR}/modules-mls.conf ./policy/modules.conf
  /bin/cp -f ${RPM_SOURCE_DIR}/booleans-mls.conf ./policy/booleans.conf
  make $Args base.pp
  make $Args modules
  make $Args install
  semodule -b /usr/share/selinux/mls/base.pp

-Klaus
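
Added example, not part of the original message or of the policy sources: a Python sketch of the label comparison described above, which parses the MLS field of two SELinux contexts, takes the low end of a range as the effective level (as the quoted patch does for ranged objects), and reports when a pty's master and slave ends sit at different levels. The context strings, the type name example_devpts_t and the function names are constructed for illustration.

```python
import re

def parse_level(level):
    """Parse one MLS level such as 's2:c0.c3,c7' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")        # 'c0.c3' is an inclusive run
        if not re.fullmatch(r"c\d+", lo) or (hi and not re.fullmatch(r"c\d+", hi)):
            raise ValueError(f"bad category: {part!r}")
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(m.group(1)), frozenset(categories)

def parse_range(context):
    """Return (low, high) levels from 'user:role:type:low[-high]'."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"no MLS field in context: {context!r}")
    low, _, high = fields[3].partition("-")
    return parse_level(low), parse_level(high or low)

def effective_level(context):
    """Low end of the range: the level a ranged object is treated as."""
    return parse_range(context)[0]

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def pty_level_mismatch(master_ctx, slave_ctx):
    """Describe the mismatch between the two pty ends, or None if levels match."""
    m, s = effective_level(master_ctx), effective_level(slave_ctx)
    if m == s:
        return None
    if dominates(s, m):
        return "slave end is above master end"
    if dominates(m, s):
        return "master end is above slave end"
    return "master and slave ends are incomparable"

# Constructed sample labels: slave relabeled after newrole, master left as it was.
MASTER = "user_u:user_r:example_devpts_t:s0"
SLAVE = "user_u:user_r:example_devpts_t:s2"

if __name__ == "__main__":
    print(pty_level_mismatch(MASTER, SLAVE))
```
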
