Comment 0 for bug 876994

Hayawardh Vijayakumar (hayawardh) wrote :

Dear All,

I think there might be a problem with the startup script /etc/init.d/selinux that allows an unprivileged user to create a file in any directory. I am copying a message I sent to Jamie Strandboge:

In my Ubuntu 11.10 (Oneiric), the script /etc/init.d/selinux contains:

statusfile=/.autorelabel
...
lockfile=/var/lock/selinux-relabel
...
# Start only creates the lock
start() {
        log_daemon_msg "Starting SELinux autorelabel"
        if [ -e $statusfile ]; then
                log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
                log_end_msg 0
        else
                /usr/bin/touch $lockfile
                log_end_msg 0
        fi
}

As /var/lock is world-writable, a user could presumably create a file in any location by making this a symlink. Admittedly, /var/lock does not persist across reboots (tmpfs), and once selinux-relabel has been created by root it cannot be changed, but if the administrator, for example, restarts the daemon, the user could create the file in this gap. I confirmed this to be the case on my machine. Or, if selinux is installed for the first time, then too shall a link be followed if it is pre-created.

Please let me know if further details are required.

Thanks,
Hayawardh Vijayakumar.

Details:
# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

# apt-cache policy selinux
Installed: 1:0.9
Candidate: 1:0.9
Version table:
*** 1:0.9 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/universe Packages
100 /var/lib/dpkg/status

To exploit:
When SELinux is not installed or the autorelabel daemon is stopped through e.g., /etc/init.d/selinux stop
unpriv-user$ ln -s /etc/file_to_create /var/lock/selinux-relabel

When /etc/init.d/selinux start happens,
# ls -l /etc/file_to_create
-rw-r--r--. 1 root root 0 2011-10-17 20:29 /etc/file_to_create
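
An added example, not part of the original report or of the selinux package: a lock-creation helper that refuses a pre-planted symlink, run beside the script's `touch` inside a constructed temporary directory. The names `create_lock` and `demo` and the sandbox paths are assumptions for illustration.

```shell
#!/bin/sh
# Added illustration; create_lock and demo are hypothetical names, and the
# sandbox below is constructed (it stands in for /var/lock and /etc).

# create_lock PATH
# Create PATH as a new empty file. Returns 0 only if this call created it;
# non-zero if any name (file, symlink, dangling symlink) is already there.
create_lock() {
    lock=$1
    # Early rejection of a planted link. Not sufficient alone: the name could
    # be swapped between this test and the open below.
    if [ -L "$lock" ]; then
        return 1
    fi
    # With noclobber (set -C), bash and dash create a missing file with
    # O_CREAT|O_EXCL, which fails with EEXIST on a symlink instead of following it.
    ( set -C; : > "$lock" ) 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/lock" "$work/etc"
    chmod 1777 "$work/lock"                 # world-writable, like /var/lock
    link=$work/lock/selinux-relabel
    target=$work/etc/file_to_create

    # Constructed precondition from the report: the lock name is a symlink.
    ln -s "$target" "$link"

    # Behaviour of the script's start(): touch follows the link.
    touch "$link"
    if [ -e "$target" ]; then followed=yes; else followed=no; fi
    rm -f "$target"

    # Hardened creation: the link is refused and the target is never created.
    if create_lock "$link"; then hardened=created; else hardened=refused; fi
    if [ -e "$target" ]; then leaked=yes; else leaked=no; fi

    # With no planted link, the lock is created as a regular file.
    rm -f "$link"
    if create_lock "$link" && [ -f "$link" ] && [ ! -L "$link" ]; then clean=created; else clean=failed; fi

    rm -rf "$work"
    echo "touch_followed=$followed hardened=$hardened target_created=$leaked clean=$clean"
}

demo
```

Unlike `touch`, `create_lock` also returns non-zero when a legitimate lock already exists, so a caller has to treat that case as "already locked". Keeping the lock in a directory that only root can write removes the window altogether.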