On 09/25/2014 01:37 PM, Dmitry Makovey wrote:
Hi everybody,
while the whole "bash"-storm is gaining force is it reasonable to
develop SELinux policy prohibiting bash invocations from daemons'
contexts to have access to anything but a tiny sandbox? Has anybody
attempted such thing?
No SELinux would already block the bash exploit.
SELinux allows a process to do its stuff based on its type. Just
because I can infect a bash script to attempt to do some
bad access does not mean SELinux will not block it.
If I have a bash script running as httpd_t or mysqld_t and it gets
hacked it would still only be allowed to do the things that mysqld_t or
httpd_t can do.
It would block a cgi script launched from httpd_t from reading the
mysqld database even if the mysqld database was world readable.
This is what SELinux does.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux