On 17/05/13 10:21 AM, "Tristan Santore"
<tristan.santore(a)internexusconnect.net> wrote:
> On 17/05/13 01:03, Douglas Brown wrote:
>> Hi all,
>>
>> You may have seen this vulnerability talked about recently:
>>
>> http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
>>
>> After a long time of evangelising about SELinux to my sceptical
>> colleagues, this seemed like the perfect opportunity to test it.
>>
>> We tried the exploit with SELinux in permissive mode and it worked, then
>> in enforcing and SELinux prevented it! Not that I'm surprised, but it's
>> nice to have a real-world exploit to demonstrate.
>>
>> Cheers,
>> Doug
>
> That is a misleading statement to make. We tested this in enforcing
> mode, and it worked. However, there is Supervisor Mode Execution
> Protection (SMEP) support on some Intel CPUs; maybe that prevented it.
> Weird, though, that you stated that it was prevented from exploiting with
> SELinux enabled.
> So, the question is, is your normal user confined?

Yep, the pre-defined user_u:user_r...

> What CPU model do you have? And did you test on different
> machines/CPUs?

Not sure; the machine is virtual and on an ESX cluster so it may have
vMotioned already...

> It should also be stated that in the targeted policy model, users are
> not confined.

I'm talking about SELinux proving its worth in general as a useful
technology that shouldn't just be 'turned off' at the first opportunity.

Cheers,
Doug