Proof is in the pudding
Douglas Brown
d46.brown at student.qut.edu.au
Fri May 17 01:06:35 UTC 2013
On 17/05/13 10:21 AM, "Tristan Santore"
<tristan.santore at internexusconnect.net> wrote:
>On 17/05/13 01:03, Douglas Brown wrote:
>> Hi all,
>>
>> You may have seen this vulnerability talked about recently:
>>
>>http://arstechnica.com/security/2013/05/critical-linux-vulnerability-impe
>>rils-users-even-after-silent-fix/
>>
>> After a long time of evangelising about SELinux to my sceptical
>> colleagues, this seemed like the perfect opportunity to test it.
>>
>> We tried the exploit with SELinux in permissive mode and it worked then
>> in enforcing and SELinux prevented it! Not that I'm surprised, but it's
>> nice to have a real-world exploit to demonstrate.
>>
>> Cheers,
>> Doug
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>That is a misleading statement to make. We tested this in enforcing
>mode, and it worked. However, there is Supervisor Mode Execution
>Protection (SMEP) support on some Intel CPU, maybe that prevented it.
>Weird though that you stated that it was prevented from exploiting with
>selinux enabled.
>
>So, the question is, is your normal user confined ?
Yep, the pre-defined user_u:user_r...
>What cpu model do you have ? And did you test on different machines/cpu ?
No sure; the machine is virtual and on an ESX cluster so it may have
vMotioned already...
>It should also be stated, that in the targeted policy model, users are
>not confined.
I'm talking about SELinux proving its worth in general as a useful
technology that shouldn't just be 'turned off' at the first opportunity.
Cheers,
Doug
More information about the selinux
mailing list