Recent bash vulnerability and SELinux containment
Dmitry Makovey
dmitry at athabascau.ca
Thu Sep 25 20:24:18 UTC 2014
On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
>
> On 09/25/2014 01:37 PM, Dmitry Makovey wrote:
>> Hi everybody,
>>
>> while the whole "bash"-storm is gaining force is it reasonable to
>> develop SELinux policy prohibiting bash invocations from daemons'
>> contexts to have access to anything but a tiny sandbox? Has anybody
>> attempted such thing?
>>
>>
> No SELinux would already block the bash exploit.
>
> SELinux allows a process to do its stuff based on its type. Just
> because I can infect a bash script to attempt to do some
> bad access does not mean SELinux will not block it.
>
> If I have a bash script running as httpd_t or mysqld_t and it gets
> hacked it would still only be allowed to do the things that mysqld_t or
> httpd_t can do.
>
> It would block a cgi script launched from httpd_t from reading the
> mysqld database even if the mysqld database was world readable.
>
> This is what SELinux does.
thanks Dan. I've got that part and appreciate what I already got out of
the box with SELinux, however I was wondering if that containment can be
furthered, saying that bash invoked in httpd_t should have even stricter
policy applied? Possibly switch context to something that is very-very
limited, to avoid things like :
http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
?
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 173 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140925/9d7f3790/attachment.sig>
More information about the selinux
mailing list