Re: Recent bash vulnerability and SELinux containment

On 09/25/2014 04:24 PM, Dmitry Makovey wrote: > On 09/25/2014 02:14 PM, Daniel J Walsh wrote: > thanks Dan. I've got that part and appreciate what I already got out of > the box with SELinux, however I was wondering if that containment can be > furthered, saying that bash invoked in httpd_t should have even stricter > policy applied? Possibly switch context to something that is very-very > limited, to avoid things like : > > http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_ex... Looking at the example in this redit, httpd_t would be executing a script labeled httpd_sys_script_exec_t, which would transition to httpd_sys_script_t. Which is what was expected. The httpd_sys_script_t is a somewhat restricted policy. In that most of apache config, logs /var/lib etc is blocked. By default content in users homedirs, databases etc is all blocked. Here are the types of files that httpd_sys_script_t is allowed to open and read on my rawhide system.

Allowed to read /etc/passwd which could be a problem and apache content, but a whole lot of stuff is blocked.