Drawing lessons from fatal SELinux bug #1054350

Josh Stone jistone at redhat.com
Sun Jan 26 19:55:05 UTC 2014

On 01/25/2014 12:15 PM, Chris Murphy wrote:
> OK, so is the fact it's persistently available the problem? Because
> if I were to have a persistent backup of sysroot mounted, I've got
> the same attack vector available. By default for even an unprivileged
> user gnome-shell mounts with By default, gnome-shell mounts volumes
> with rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2.

Right, it's having a persistent and usable copy of a vulnerability.

> So another possibility is to have a "snapshots" subvolume
> persistently mounted, with noexec, and always place snapshots in that
> subvolume.

That sounds good -- even might be just nosuid on that.


More information about the devel mailing list