Proof is in the pudding
Tristan Santore
tristan.santore at internexusconnect.net
Fri May 17 00:21:18 UTC 2013
On 17/05/13 01:03, Douglas Brown wrote:
> Hi all,
>
> You may have seen this vulnerability talked about recently:
> http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
>
> After a long time of evangelising about SELinux to my sceptical
> colleagues, this seemed like the perfect opportunity to test it.
>
> We tried the exploit with SELinux in permissive mode and it worked then
> in enforcing and SELinux prevented it! Not that I'm surprised, but it's
> nice to have a real-world exploit to demonstrate.
>
> Cheers,
> Doug
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
That is a misleading statement to make. We tested this in enforcing
mode, and it worked. However, there is Supervisor Mode Execution
Protection (SMEP) support on some Intel CPU, maybe that prevented it.
Weird though that you stated that it was prevented from exploiting with
selinux enabled.
So, the question is, is your normal user confined ?
What cpu model do you have ? And did you test on different machines/cpu ?
It should also be stated, that in the targeted policy model, users are
not confined.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore at fedoraproject.org
More information about the selinux
mailing list