Recent bash vulnerability and SELinux containment

Thu Sep 25 20:24:18 UTC 2014

On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
> 
> On 09/25/2014 01:37 PM, Dmitry Makovey wrote:
>> Hi everybody,
>>
>> while the whole "bash"-storm is gaining force is it reasonable to
>> develop SELinux policy prohibiting bash invocations from daemons'
>> contexts to have access to anything but a tiny sandbox? Has anybody
>> attempted such thing?
>>
>>
> No SELinux would already block the bash exploit.
> 
> SELinux allows a process to do its stuff based on its type.   Just
> because I can infect a bash script to attempt to do some
> bad access does not mean SELinux will not block it.
> 
> If I have a bash script running as httpd_t or mysqld_t and it gets
> hacked it would still only be allowed to do the things that mysqld_t or
> httpd_t can do.
> 
> It would block a cgi script launched from httpd_t from reading the
> mysqld database even if the mysqld database was world readable.
> 
> This is what SELinux does.

thanks Dan. I've got that part and appreciate what I already got out of
the box with SELinux, however I was wondering if that containment can be
furthered, saying that bash invoked in httpd_t should have even stricter
policy applied? Possibly switch context to something that is very-very
limited, to avoid things like :

http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

?

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt run in circles scream and shout
     http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 173 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140925/9d7f3790/attachment.sig>