<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/31/2014 10:57 PM, Shintaro
Fujiwara wrote:<br>
</div>
<blockquote
cite="mid:CAPhFHN_bgpKaxFJKEtNDL0ZCz7A=iybr51FDOOs518AaRLkzXQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>On my fedora20 box, I tried to check Bash Exploit as Dan
did on his latest blog post.<br>
<br>
</div>
What I got is,<br>
<br>
[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p
name_bind -C | grep -v ^D<br>
Found 12 semantic av rules:<br>
<br>
</div>
Though 12 rules were caught by sesearch, none were displayed.<br>
<br>
</div>
Next I typed,<br>
<br>
<br>
<div>
<div>
<div>[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p
name_connect -C | grep -v ^D<br>
Found 24 semantic av rules:<br>
allow nsswitch_domain dns_port_t : tcp_socket {
recv_msg send_msg name_connect } ; <br>
allow nsswitch_domain dnssec_port_t : tcp_socket
name_connect ; <br>
ET allow httpd_sys_script_t gds_db_port_t : tcp_socket
name_connect ; [ httpd_can_network_connect_db ]<br>
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket {
recv_msg send_msg name_connect } ; [
httpd_can_network_connect_db ]<br>
ET allow nsswitch_domain ocsp_port_t : tcp_socket
name_connect ; [ kerberos_enabled ]<br>
ET allow httpd_sys_script_t postgresql_port_t : tcp_socket
{ recv_msg send_msg name_connect } ; [
httpd_can_network_connect_db ]<br>
ET allow httpd_sys_script_t oracle_port_t : tcp_socket
name_connect ; [ httpd_can_network_connect_db ]<br>
ET allow httpd_sys_script_t mssql_port_t : tcp_socket
name_connect ; [ httpd_can_network_connect_db ]<br>
ET allow nsswitch_domain kerberos_port_t : tcp_socket {
recv_msg send_msg name_connect } ; [ kerberos_enabled ]<br>
ET allow httpd_sys_script_t port_type : tcp_socket {
recv_msg send_msg name_connect } ; [ httpd_enable_cgi
httpd_can_network_connect && ]<br>
<br>
<div>This is ok.<br>
<br>
</div>
<div>What's wrong with name_bind thing?<br>
<br>
</div>
<div>I use <br>
setools-console
x86_64 3.3.7-41.fc20<br clear="all">
<br>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>A page for establishing heavy metal and hard rock in Japan<br>
</div>
<div><a moz-do-not-send="true"
href="http://heavymetalhardrock.no-ip.info/"
target="_blank">http://heavymetalhardrock.no-ip.info/</a><br>
</div>
<div><br>
Free software that makes the secure OS SELinux easier to use around the world<br>
<a moz-do-not-send="true"
href="http://sourceforge.net/projects/segatex/"
target="_blank">http://sourceforge.net/projects/segatex/</a><br>
</div>
<div><br>
CMS (free software using PHP and PostgreSQL)<br>
</div>
<a moz-do-not-send="true"
href="http://sourceforge.net/projects/webon/"
target="_blank">http://sourceforge.net/projects/webon/</a><br>
<a moz-do-not-send="true"
href="https://github.com/intrajp/irforum_jp"
target="_blank">https://github.com/intrajp/irforum_jp</a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
name_bind allows you to listen on a port, which could be used to
establish a back door for incoming connections. Since you turned on
some booleans, you are allowed to connect to more network ports.<br>
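<br>
The pipeline in the quoted message explains why the name_bind query found 12 rules but printed none: with -C, setools 3.x prefixes every rule that lives under a boolean with two letters, E/D for whether the rule is currently enabled or disabled and T/F for whether it sits in the true or false branch of the conditional, while unconditional rules carry no prefix. Piping through grep -v ^D therefore drops every rule whose boolean is off, which is the situation for name_bind here. The script below is an added example, not part of the thread and not from the setools project; it runs over a constructed sample in the same shape as the output quoted above (the port types and boolean names are placeholders, not real policy) and separates enabled, disabled and unconditional rules so the hidden ones become visible.<br>

```shell
#!/bin/sh
# Added example: classify the rules that `sesearch -C` prints by their
# conditional-rule marker. Assumption (setools 3.x format): a two-letter
# prefix E/D = rule currently Enabled/Disabled, T/F = rule is in the
# True/False branch of its conditional; unconditional rules have no prefix.

# Constructed sample output, not a real policy dump. Port types and boolean
# names are placeholders; the shape mirrors the output quoted in the thread.
SAMPLE='Found 5 semantic av rules:
DT allow httpd_sys_script_t example_port_a_t : tcp_socket name_bind ; [ example_bool_a ]
DT allow httpd_sys_script_t port_type : tcp_socket name_bind ; [ httpd_enable_cgi example_bool_a && ]
DT allow httpd_sys_script_t example_port_b_t : udp_socket name_bind ; [ example_bool_b ]
ET allow httpd_sys_script_t example_port_c_t : tcp_socket name_bind ; [ example_bool_c ]
allow httpd_sys_script_t example_port_d_t : tcp_socket name_bind ;'

# count_rules STATE: reads sesearch -C output on stdin and prints how many
# rules are in STATE, one of: enabled, disabled, unconditional.
count_rules() {
    awk -v want="$1" '
        { s = "" }                                   # reset per line
        $1 ~ /^[ED][TF]$/ { s = ($1 ~ /^E/) ? "enabled" : "disabled" }
        $1 == "allow"     { s = "unconditional" }    # no prefix at all
        s == want { n++ }                            # header lines never match
        END { print n + 0 }
    '
}

# visible_after_grep: reproduces the pipeline from the thread and counts the
# rules that survive `grep -v ^D`. Disabled conditional rules are lost here.
visible_after_grep() {
    grep -v '^D' | grep -E -c '(^| )allow '
}

# booleans_for_disabled: lists the boolean expressions gating the disabled
# rules, i.e. what would have to be turned on for them to take effect.
booleans_for_disabled() {
    awk '$1 ~ /^D[TF]$/ { sub(/^.*\[ /, ""); sub(/ \]$/, ""); print }' | sort -u
}

# Stand-alone usage with the constructed sample:
printf '%s\n' "$SAMPLE" | count_rules disabled       # 3
printf '%s\n' "$SAMPLE" | count_rules enabled        # 1
printf '%s\n' "$SAMPLE" | count_rules unconditional  # 1
printf '%s\n' "$SAMPLE" | visible_after_grep         # 2
printf '%s\n' "$SAMPLE" | booleans_for_disabled
```

Feeding real output (for example sesearch -A -s httpd_sys_script_t -p name_bind -C) into count_rules disabled shows at a glance how many of the "found" rules are dormant, and booleans_for_disabled names the booleans that gate them, which is what to review before deciding whether a CGI script should ever be allowed to listen on a port.<br>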
<br>
</body>
</html>