List:       fedora-selinux-list
Subject:    Re: Recent bash vulnerability and SELinux containment
From:       Dmitry Makovey <dmitry () athabascau ! ca>
Date:       2014-09-29 18:16:43
Message-ID: 5429A20B.8060103 () athabascau ! ca
On 09/25/2014 02:44 PM, Daniel J Walsh wrote:
> 
> On 09/25/2014 04:24 PM, Dmitry Makovey wrote:
>> On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
>> thanks Dan. I've got that part and appreciate what I already got out of
>> the box with SELinux, however I was wondering if that containment can be
>> furthered, saying that bash invoked in httpd_t should have even stricter
>> policy applied? Possibly switch context to something that is very-very
>> limited, to avoid things like :
>>
>> http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
>
> Looking at the example in this reddit thread, httpd_t would be executing a
> script labeled httpd_sys_script_exec_t, which would transition to
> httpd_sys_script_t.
> 
> Which is what was expected. 
> 
> The httpd_sys_script_t is a somewhat restricted policy.  In that most of
> apache config, logs /var/lib etc is blocked.  By default content in
> users homedirs, databases etc is all blocked.
> 
> Here are the types of files that httpd_sys_script_t is allowed to open
> and read on my rawhide system.
....
> Allowed to read /etc/passwd which could be a problem and apache content,
> but a whole lot of stuff is blocked.

thanks Dan, this clarifies a lot without having to go through the
code/transitions manually :)

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt run in circles scream and shout
     http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
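
The checks Dan walks through above (is the CGI script labeled httpd_sys_script_exec_t, does httpd_t transition into httpd_sys_script_t when it runs, and which file types httpd_sys_script_t may read) can be scripted. The script below is an added example written for this archive page; it is not code from the thread and not part of any Fedora tooling. It assumes the setools package (sesearch) is installed, uses a hypothetical CGI path, and the SAMPLE_SESEARCH lines are constructed to illustrate the two sesearch output formats, not copied from any real policy query. The Shellshock probe at the top is the well-known env-function test for CVE-2014-6271.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumptions: sesearch from
# setools is installed; /var/www/cgi-bin/hello.cgi is a hypothetical path;
# SAMPLE_SESEARCH is constructed sample output, not a real policy dump.

# 1. Classic CVE-2014-6271 probe. A vulnerable bash executes the trailing
#    "echo VULNERABLE" while importing the function from the environment;
#    a patched bash only prints "probe". Returns 0 = vulnerable,
#    1 = patched, 2 = bash not installed.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# 2. Does the CGI script carry the type that triggers the transition Dan
#    describes? Returns 0 if its file type is httpd_sys_script_exec_t.
cgi_label_ok() {
    stat -c '%C' "$1" 2>/dev/null | grep -q ':httpd_sys_script_exec_t:'
}

# 3. Confirm the domain transition in the loaded policy:
#    httpd_t executing httpd_sys_script_exec_t -> httpd_sys_script_t.
cgi_transition_ok() {
    sesearch -T -s httpd_t -t httpd_sys_script_exec_t -c process 2>/dev/null \
        | grep -q 'httpd_sys_script_t'
}

# 4. Reduce "sesearch -A -s httpd_sys_script_t -c file -p read" output to the
#    distinct target types. Handles both line shapes:
#      setools 3: allow src tgt : file { read ... } ;
#      setools 4: allow src tgt:file { read ... };
#    Targets may be attributes (e.g. a *_file_type attribute); expand those
#    with seinfo's -a/-x options before drawing conclusions.
readable_types() {
    awk '$1 == "allow" { t = $3; sub(/:.*/, "", t); print t }' | LC_ALL=C sort -u
}

# Constructed sample of sesearch output (one setools-3-style line mixed in
# deliberately to exercise both parsers). Not a real policy query result.
SAMPLE_SESEARCH='allow httpd_sys_script_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_sys_script_t passwd_file_t:file { getattr ioctl lock open read };
allow httpd_sys_script_t httpd_sys_script_t : file { ioctl read getattr lock open } ;'

# Stand-alone run: report on this host, but only call sesearch if present.
if shellshock_check; then
    echo "bash: VULNERABLE to CVE-2014-6271"
else
    echo "bash: patched (or bash not installed)"
fi

if command -v sesearch >/dev/null 2>&1; then
    cgi_label_ok /var/www/cgi-bin/hello.cgi && echo "hello.cgi: labeled httpd_sys_script_exec_t"
    cgi_transition_ok && echo "policy: httpd_t -> httpd_sys_script_t transition present"
    echo "file types httpd_sys_script_t may read:"
    sesearch -A -s httpd_sys_script_t -c file -p read 2>/dev/null | readable_types
else
    echo "sesearch not installed; parsing constructed sample instead:"
    printf '%s\n' "$SAMPLE_SESEARCH" | readable_types
fi
```

Run it as root on the web host; the interesting output is the last list, which should be short. Anything beyond httpd content types and the handful of system types Dan mentions (such as the one that covers /etc/passwd) is a candidate for tightening with a custom module or by moving the script to a stricter type.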