Bug 218500
Summary: | LSPP: tkill and tgkill are allowed to kill lower level processes |
---|---|
Product: | Red Hat Enterprise Linux 5 |
Component: | selinux-policy-strict |
Reporter: | Kylene J Hall <kylene> |
Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG |
Severity: | medium |
Priority: | medium |
Version: | 5.0 |
CC: | dwalsh, iboverma, linda.knippers, sdsmall, sgrubb |
Hardware: | All |
OS: | Linux |
Doc Type: | Bug Fix |
Last Closed: | 2006-12-06 18:53:52 UTC |

Description
Kylene J Hall
2006-12-05 19:26:51 UTC
Created attachment 142880
Testcase
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.

Not a bug as far as I can see. You created a shell process at s1 via newrole. Then you ran your test program (stays in s1). The test program forks and exec's test.sh (stays in s1 - the level of a file does not influence the level of the running process, although naturally the process must be able to read/execute the file). The parent process of the test program tries to kill the child process (both in s1).

You need to start test.sh from the s0 shell, then newrole to s1 and invoke kill with the pid of the test.sh process. For reference, see the sigkill test in the selinux testsuite, although that naturally differs in that it deals with domains (types) rather than levels and it uses runcon rather than newrole (which might not be feasible without a more permissive policy for testing).

BTW, if MLS/BLP worked the way the testcase seems to think it does (i.e. that a s0 file triggers a transition to s0 for the running process), then the mere ability to exec test.sh from the s1 process would be a violation of MLS/BLP, because that would be a s1->s0 information flow. Fortunately, that isn't how MLS/BLP works. As far as MLS is concerned, the only question is whether the s1 process can read the s0 script, which of course it can (read down is fine).

I agree with this explanation that the bug is in my testcase.
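
A precondition check for the corrected procedure described in the thread, as an added example that is not part of the original bug report or its attached testcase: it compares the MLS level of the sending shell with that of the target process, so a run where both sides sit at s1 is flagged before the kill result is interpreted. The function names and sample contexts are assumptions constructed for illustration; on a live system the contexts are read from `/proc/<pid>/attr/current`.

```bash
#!/bin/bash
# Added example: precondition check for an MLS signal test.

# MLS level/range field of a context (user:role:type:level). The level can
# contain ':' itself (categories, e.g. s0:c0.c3), so strip up to the third colon.
mls_level() {
    case "$1" in
        *:*:*:*) printf '%s\n' "${1#*:*:*:}" ;;
        *) return 1 ;;  # no MLS field: non-MLS policy or malformed input
    esac
}

# Effective (low) level of a process: the part before '-' in a range.
effective_level() {
    local lvl
    lvl=$(mls_level "$1") || return 1
    printf '%s\n' "${lvl%%-*}"
}

# Compare sender and target contexts. "same-level" means the signal test
# exercises no cross-level check, which is the mistake found in the testcase.
classify_pair() {
    local s t
    s=$(effective_level "$1") || { echo "no-mls"; return 2; }
    t=$(effective_level "$2") || { echo "no-mls"; return 2; }
    if [ "$s" = "$t" ]; then echo "same-level"; return 1; fi
    echo "cross-level"
}

# Live use on an SELinux MLS system: compare this shell with a target pid.
check_target() {
    local self target
    self=$(tr -d '\0' < "/proc/$$/attr/current") || return 2
    target=$(tr -d '\0' < "/proc/$1/attr/current") || return 2
    classify_pair "$self" "$target"
}

# Constructed sample contexts (not taken from the bug report).
classify_pair 'user_u:user_r:user_t:s1' 'user_u:user_r:user_t:s1' || true  # same-level
classify_pair 'user_u:user_r:user_t:s1' 'user_u:user_r:user_t:s0' || true  # cross-level
```

Run `check_target <pid>` from the s1 shell obtained via newrole, with the pid of the test.sh process started from the s0 shell; only a `cross-level` result makes the subsequent kill a test of level enforcement.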