On Mon, 24 Apr 2006 10:14:34 +0200, Lars Marowsky-Bree said:
> On 2006-04-21T10:24:37, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> 
> > > (With AppArmor, of course, you never lose labels at all, because there
> > > aren't any.)
> > But you do lose preservation of security properties, e.g. renaming a
> > file suddenly moves it under different protection.  Same end result.
> 
> This is not correct, as far as I understand. As the app can only rename
> in it has access to both the old and the new path.

People seem to have a blind spot for this sort of thing.  Given *two* processes,
one of which can be convinced to do a rename, and another that can be convinced
to write a file, you can subvert everything (quite possibly in opposite order -
if you can get process A to write /etc/foobar, and process B to rename foobar
to passwd, you've won).

Those who think that 2 processes can't be subverted should consider that symlink
attacks have been around for a quarter of a century - and in that time, it's
*always* been "one process to create the symlink, another to follow it to disaster".