Package: libselinux1
Version: 3.1-3
Severity: important
Tags: security

Libselinux by default, since Debian does not specify DISABLE_SETRANS at compile time, tries to translate security contexts within the non-raw interfaces, e.g. getfilecon(3). The purpose is to translate MCS/MLS labels into a human-readable form via mcstransd(8). The translation happens via communication over the publicly accessible UNIX socket /var/run/setrans/.setrans-unix, created by mcstransd(8).

mcstransd(8), however, is not installed by default; it is not a dependency of another package, nor recommended or suggested by one. Thus mcstransd(8) is probably not running on many (most?) SELinux-enabled systems, and thereby the directory /var/run/setrans is not created. This leaves the opportunity for (compromised) programs to create it and the UNIX socket, and so take control of the security context translation. It might not be prevented by the SELinux policy, since most daemons are allowed to create entries in /var/run and UNIX socket communication between daemons is common.

As a solution the directory /var/run/setrans should be created at boot by a trusted party with the default context according to the loaded policy (e.g. setrans_runtime_t), in which no daemon other than mcstransd(8) should have the permission to create sockets. For example Fedora uses the tmpfiles.d(5) snippet:

  d /run/setrans 0755 root root

see https://src.fedoraproject.org/rpms/libselinux/c/8b8064a26e06c128e2c0374b9039038842f51557.
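The following is an added audit script, not part of this bug report nor of libselinux or Fedora's packaging. It checks the state the report describes: whether /run/setrans exists at all (if not, any process that may create it can plant its own .setrans-unix socket), and if it does exist, whether it is owned by the expected uid, not group/world writable, carries an expected SELinux type, and whether the socket inside it belongs to the same trusted uid. The expected types setrans_runtime_t and setrans_var_run_t are assumptions (the report's name and the older refpolicy name); the demo() function builds constructed directory layouts under a temporary directory and skips the label check, because a scratch directory will not carry those labels.

```python
import os
import stat

# Paths as described in the report.
SETRANS_DIR = "/run/setrans"
SETRANS_SOCK = ".setrans-unix"
# SELinux types the directory is expected to carry. setrans_runtime_t is the
# name used in the report, setrans_var_run_t the older refpolicy name. Both are
# assumptions here; check them against the policy actually loaded.
EXPECTED_TYPES = ("setrans_runtime_t", "setrans_var_run_t")


def selinux_type(path):
    """Return the type field of path's SELinux label, or None if unreadable."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is None:
        return None
    try:
        label = getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:
        return None
    # Label looks like b"system_u:object_r:setrans_runtime_t:s0\x00".
    fields = label.rstrip(b"\x00").decode(errors="replace").split(":")
    return fields[2] if len(fields) >= 3 else None


def audit_setrans(dirpath=SETRANS_DIR, expected_uid=0,
                  expected_types=EXPECTED_TYPES, check_label=True):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    try:
        st = os.lstat(dirpath)
    except FileNotFoundError:
        findings.append("missing: %s does not exist; any process allowed to "
                        "create it can plant its own translation socket" % dirpath)
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append("type: %s is not a directory" % dirpath)
        return findings
    if st.st_uid != expected_uid:
        findings.append("owner: directory owned by uid %d, expected %d"
                        % (st.st_uid, expected_uid))
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("mode: directory is group/world writable (%04o)" % perm)
    if check_label:
        t = selinux_type(dirpath)
        if t is None:
            findings.append("label: no SELinux label readable on directory")
        elif t not in expected_types:
            findings.append("label: directory type %s, expected one of %s"
                            % (t, ", ".join(expected_types)))
    sock = os.path.join(dirpath, SETRANS_SOCK)
    try:
        sst = os.lstat(sock)
    except FileNotFoundError:
        # No socket: mcstransd is not running and contexts stay untranslated.
        return findings
    if not stat.S_ISSOCK(sst.st_mode):
        findings.append("socket: %s exists but is not a UNIX socket" % sock)
    elif sst.st_uid != expected_uid:
        findings.append("socket: owned by uid %d, expected %d"
                        % (sst.st_uid, expected_uid))
    return findings


def demo():
    """Audit three constructed layouts in a temporary directory (label check off)."""
    import socket
    import tempfile
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        # 1. Debian default without mcstransd: the directory does not exist.
        results["missing"] = audit_setrans(os.path.join(base, "missing"),
                                           expected_uid=uid, check_label=False)
        # 2. Directory created by an arbitrary process and left world-writable.
        bad = os.path.join(base, "bad")
        os.mkdir(bad)
        os.chmod(bad, 0o777)
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.bind(os.path.join(bad, SETRANS_SOCK))
        results["bad"] = audit_setrans(bad, expected_uid=uid, check_label=False)
        # 3. Directory as the tmpfiles.d line would create it: 0755, trusted owner.
        good = os.path.join(base, "good")
        os.mkdir(good)
        os.chmod(good, 0o755)
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.bind(os.path.join(good, SETRANS_SOCK))
        results["good"] = audit_setrans(good, expected_uid=uid, check_label=False)
    return results


if __name__ == "__main__":
    for finding in audit_setrans():
        print(finding)
```

Run it as root on a real system to inspect /run/setrans with the label check enabled. Note that the ownership checks only catch a socket planted by a non-root process; a root-level compromise can create a root-owned socket, and only the SELinux policy (the directory type that restricts socket creation to mcstransd) addresses that case.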