Stephen Smalley wrote:
>>>> This is broken. I am not sure how to handle this? I have changed it
>>>> back to SystemLow-SystemHigh
>>>> which allows it to work properly but I think we need some constraints to
>>>> prevent someone from getting translations at a higher level than they
>>>> are authorized for.
>>>
>>> The translation daemon is a trusted program, yes? If so, could we have
>>> it do a getpeercon() call to determine the context of the app requesting
>>> the translation and then do a permissions check to see if the returned
>>> translation is allowed? At first glance this seems easier than some of
>>> the alternatives ...
>>
>> I was looking at that too. I think the daemon already gets that information
>> (it has a get_peer_con() function) so perhaps all that's missing is the
>> permission check.
>
> Yes, and that would just be an avc_has_perm() call on the pair of
> contexts.
It's a little more complicated than that because avc_has_perm() takes you down a path where it wants to translate a context. avc_has_perm() calls avc_has_perm_noaudit() and if the avc_lookup() fails, it calls security_compute_av(), which needs a raw context so it calls back into the translation functions. I think I can make it work by calling security_compute_av_raw() instead but then it doesn't get cached, right? Any other ideas?

> BTW, as I've previously noted, it should be using getpeercon(3), not
> getpidcon(3).

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
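The check the thread is converging on, as an added illustration that is not code from this thread or from the translation daemon itself: the daemon obtains the requesting client's context from its socket, converts both the client's context and the requested context to raw (untranslated) form, and only then asks the access vector cache whether the client may receive the translation. Doing the conversion before the check is the point of the example, because an AVC miss that reaches security_compute_av() with a translated context would call back into the translator. The three hooks in `struct selinux_ops` are an assumption of this example; on a real system they would be bound to getpeercon(3), selinux_trans_to_raw_context(3) and avc_has_perm(3) (or security_compute_av_raw(3)). The in-memory backend, the peer table, the range mapping, the `"translate"` permission name and the admin-sees-everything rule are all constructed for the demonstration and are not taken from any policy.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hooks a daemon would bind to libselinux (assumption of this example):
 *   peer_context -> getpeercon(3) on the client's socket
 *   to_raw       -> selinux_trans_to_raw_context(3)
 *   check_access -> avc_has_perm(3) / security_compute_av_raw(3), called
 *                   with RAW contexts only, returning 0 when allowed */
struct selinux_ops {
    int (*peer_context)(int fd, char **con);
    int (*to_raw)(const char *trans, char **raw);
    int (*check_access)(const char *scon_raw, const char *tcon_raw, const char *perm);
};

/* Returns 1 if the client on fd may be handed the translation of target,
 * 0 if denied, -1 on error. On 1, *target_raw receives the raw form of
 * target (caller frees). Both contexts are made raw before the access check
 * so that a cache miss never has to ask the translation service anything. */
int may_translate(const struct selinux_ops *ops, int fd, const char *target, char **target_raw)
{
    char *peer = NULL, *peer_raw = NULL, *traw = NULL;
    int rc = -1;

    if (ops->peer_context(fd, &peer) < 0)
        return -1;
    if (ops->to_raw(peer, &peer_raw) < 0 || ops->to_raw(target, &traw) < 0)
        goto out;

    rc = (ops->check_access(peer_raw, traw, "translate") == 0) ? 1 : 0;
    if (rc == 1 && target_raw) {
        *target_raw = traw;   /* hand the raw form on to the translator */
        traw = NULL;
    }
out:
    free(peer);
    free(peer_raw);
    free(traw);
    return rc;
}

/* ---- constructed in-memory backend, standing in for libselinux ---- */
static const struct { int fd; const char *con; } fake_peers[] = {
    { 3, "staff_u:staff_r:staff_t:SystemLow" },
    { 4, "sysadm_u:sysadm_r:sysadm_t:SystemLow-SystemHigh" },
};
static const struct { const char *trans; const char *raw; } fake_ranges[] = {
    { "SystemLow",            "s0" },
    { "SystemHigh",           "s15:c0.c1023" },
    { "SystemLow-SystemHigh", "s0-s15:c0.c1023" },
};

/* Point at the MLS range field of a user:role:type:range context. */
static const char *mls_range(const char *con)
{
    for (int i = 0; i < 3; i++) {
        con = strchr(con, ':');
        if (!con) return NULL;
        con++;
    }
    return con;
}

static int fake_peer_context(int fd, char **con)
{
    for (size_t i = 0; i < sizeof fake_peers / sizeof *fake_peers; i++)
        if (fake_peers[i].fd == fd)
            return (*con = strdup(fake_peers[i].con)) ? 0 : -1;
    return -1;   /* unknown socket: refuse rather than guess */
}

/* Rewrite the human-readable range with its raw sensitivity/category form. */
static int fake_to_raw(const char *trans, char **raw)
{
    const char *range = mls_range(trans);
    if (!range) return -1;
    for (size_t i = 0; i < sizeof fake_ranges / sizeof *fake_ranges; i++) {
        if (strcmp(range, fake_ranges[i].trans) != 0)
            continue;
        size_t prefix = (size_t)(range - trans);
        *raw = malloc(prefix + strlen(fake_ranges[i].raw) + 1);
        if (!*raw) return -1;
        memcpy(*raw, trans, prefix);
        strcpy(*raw + prefix, fake_ranges[i].raw);
        return 0;
    }
    return -1;
}

/* Constructed rule: sysadm_t may translate anything, everyone else only s0. */
static int fake_check_access(const char *scon_raw, const char *tcon_raw, const char *perm)
{
    const char *range = mls_range(tcon_raw);
    if (strcmp(perm, "translate") != 0 || !range)
        return -1;
    if (strstr(scon_raw, ":sysadm_t:"))
        return 0;
    return strcmp(range, "s0") == 0 ? 0 : -1;
}

const struct selinux_ops demo_ops = { fake_peer_context, fake_to_raw, fake_check_access };

int main(void)
{
    const char *req = "system_u:object_r:etc_t:SystemLow-SystemHigh";
    for (int fd = 3; fd <= 4; fd++) {
        char *raw = NULL;
        int rc = may_translate(&demo_ops, fd, req, &raw);
        printf("fd %d requesting %s: %s%s\n", fd, req,
               rc == 1 ? "allowed, raw=" : rc == 0 ? "denied" : "error",
               rc == 1 ? raw : "");
        free(raw);
    }
    return 0;
}
```

With the constructed backend, the staff client on fd 3 is denied the SystemLow-SystemHigh translation while the sysadm client on fd 4 receives it; a socket the backend cannot attribute to any peer is treated as an error, not as an allow.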
