On 09/25/2014 02:44 PM, Daniel J Walsh wrote:
On 09/25/2014 04:24 PM, Dmitry Makovey wrote:
> On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
> Thanks Dan. I've got that part and appreciate what I already got out of
> the box with SELinux, however I was wondering if that containment can be
> furthered, saying that bash invoked in httpd_t should have even stricter
> policy applied? Possibly switch context to something that is very, very
> limited, to avoid things like:
>
> http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_ex...
Looking at the example in this reddit post, httpd_t would be executing a
script labeled httpd_sys_script_exec_t, which would transition to
httpd_sys_script_t, which is what was expected.
The httpd_sys_script_t is a somewhat restricted policy, in that most of
the apache config, logs, /var/lib etc. is blocked. By default, content in
users' home dirs, databases etc. is all blocked.
Here are the types of files that httpd_sys_script_t is allowed to open
and read on my rawhide system.
....
It is allowed to read /etc/passwd, which could be a problem, and apache
content, but a whole lot of stuff is blocked.
Thanks Dan, this clarifies a lot without having to go through the
code/transitions manually :)
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
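An added example, not part of the thread above, for checking Dan's two points on a running system: that httpd_t executing a httpd_sys_script_exec_t script lands in httpd_sys_script_t, and which file types that domain may read (flagging passwd_file_t and similar). It assumes setools' `sesearch` and its `allow S T:class { perms };` output format; the sample outputs embedded below are constructed so the parsing runs without a loaded policy.

```shell
#!/bin/sh
# Added example (not from the thread): verify the httpd_t -> httpd_sys_script_t
# transition and list the file types httpd_sys_script_t can read, flagging
# sensitive ones. Assumes setools' sesearch output format; constructed
# samples stand in for live output so the script runs without a policy.

# Constructed stand-in for: sesearch -T -s httpd_t -t httpd_sys_script_exec_t -c process
SAMPLE_TRANSITION='type_transition httpd_t httpd_sys_script_exec_t:process httpd_sys_script_t;'

# Constructed stand-in for: sesearch -A -s httpd_sys_script_t -c file -p read
SAMPLE_RULES='allow httpd_sys_script_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_sys_script_t passwd_file_t:file { getattr ioctl lock open read };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { execute getattr ioctl lock open read };
allow httpd_sys_script_t shadow_t:file { getattr };'

# Types a reviewer would not expect a CGI domain to read (assumed list)
SENSITIVE_TYPES="passwd_file_t shadow_t httpd_config_t httpd_log_t"

# transition_target: print the domain httpd_t enters when executing the CGI label
transition_target() {
    awk '$1 == "type_transition" && $2 == "httpd_t" &&
         $3 == "httpd_sys_script_exec_t:process" { sub(/;$/, "", $4); print $4 }'
}

# readable_types: print every target type whose file permission set includes "read"
readable_types() {
    awk '$1 == "allow" && $3 ~ /:file$/ {
        split($3, tgt, ":")
        perms = $0
        if (match(perms, /[{][^}]*[}]/)) perms = substr(perms, RSTART + 1, RLENGTH - 2)
        else { perms = $4; sub(/;$/, "", perms) }   # single-permission rule, no braces
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) if (p[i] == "read") { print tgt[1]; break }
    }' | sort -u
}

# flag_sensitive: keep only the readable types that appear in SENSITIVE_TYPES
flag_sensitive() {
    readable_types | while read -r t; do
        for s in $SENSITIVE_TYPES; do
            if [ "$t" = "$s" ]; then echo "$t"; fi
        done
    done
}

# Demo on the constructed samples; on a live system pipe the real sesearch output instead
echo "transition -> $(printf '%s\n' "$SAMPLE_TRANSITION" | transition_target)"
echo "sensitive but readable: $(printf '%s\n' "$SAMPLE_RULES" | flag_sensitive)"
```

On a live host, replace the samples with the two `sesearch` invocations named in the comments; shadow_t drops out because its rule grants only getattr.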