No semantic av rules displayed by "sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D"

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Tue Nov 4 21:08:39 UTC 2014


Thanks, Dan.

I will rethink the boolean permissions on my server.

And thank you for your blog post.

2014-11-05 6:04 GMT+09:00 Daniel J Walsh <dwalsh at redhat.com>:

>
> On 10/31/2014 10:57 PM, Shintaro Fujiwara wrote:
>
>   On my fedora20 box, I tried to check the Bash Exploit as Dan did on his
> latest blog post.
>
>  What I got is,
>
> [root at xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D
> Found 12 semantic av rules:
>
>  Though 12 rules were caught by sesearch, none were displayed.
>
>   Next I typed,
>
>
>  [root at xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_connect -C | grep -v ^D
> Found 24 semantic av rules:
>    allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
>    allow nsswitch_domain dnssec_port_t : tcp_socket name_connect ;
> ET allow httpd_sys_script_t gds_db_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
> ET allow httpd_sys_script_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
> ET allow nsswitch_domain ocsp_port_t : tcp_socket name_connect ; [ kerberos_enabled ]
> ET allow httpd_sys_script_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
> ET allow httpd_sys_script_t oracle_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
> ET allow httpd_sys_script_t mssql_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
> ET allow nsswitch_domain kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ kerberos_enabled ]
> ET allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_enable_cgi httpd_can_network_connect && ]
>
> This is ok.
>
>  What's wrong with name_bind thing?
>
>  I use
> setools-console                    x86_64                    3.3.7-41.fc20
>
> --
>  A page for establishing heavy metal and hard rock in Japan
>  http://heavymetalhardrock.no-ip.info/
>
> Free software that makes the secure OS SELinux easier to use around the world
> http://sourceforge.net/projects/segatex/
>
> CMS (free software using PHP and PostgreSQL)
>  http://sourceforge.net/projects/webon/
> https://github.com/intrajp/irforum_jp
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>  name_bind allows you to listen on a port, which could be used to
> establish a back door for incoming connections.  Since you turned on some
> booleans, you are allowed to connect to more network ports.
>
>


-- 
A page for establishing heavy metal and hard rock in Japan
http://heavymetalhardrock.no-ip.info/

Free software that makes the secure OS SELinux easier to use around the world
http://sourceforge.net/projects/segatex/

CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp
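An added example, not part of the thread: a small audit script for the kind of `sesearch -C` output shown above. setools 3 prefixes each conditional rule with E or D (gating boolean currently enabled or disabled) and T or F (true/false branch), so `grep -v ^D` hides every rule whose boolean is off, which is consistent with "Found 12" rules and nothing displayed. The sample output, the `example_listen_bool` name and the boolean-to-rule mapping are constructed for illustration, not real Fedora policy.

```shell
#!/bin/sh
# Added example: classify `sesearch -C` rules for httpd_sys_script_t and list
# which booleans gate the rules that `grep -v ^D` would hide.

# Constructed sample output (not captured from a real system); the
# boolean-to-rule mapping is invented for illustration.
SAMPLE='Found 4 semantic av rules:
DT allow httpd_sys_script_t http_port_t : tcp_socket name_bind ; [ example_listen_bool ]
DT allow httpd_sys_script_t port_type : tcp_socket name_bind ; [ httpd_enable_cgi httpd_can_network_connect && ]
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
   allow nsswitch_domain dns_port_t : tcp_socket name_connect ;'

# Reads sesearch -C output on stdin; prints "total=N shown=N hidden=N",
# where hidden is the number of rules `grep -v ^D` would drop.
summarize_rules() {
    awk '
        /^Found [0-9]+ semantic av rules:/ { total = $2; next }
        /^[ \t]*$/ { next }
        /^D/ { hidden++; next }
        { shown++ }
        END { printf "total=%d shown=%d hidden=%d\n", total, shown, hidden }
    '
}

# Reads the same output; prints each boolean (sorted, one per line) that gates
# a currently disabled rule. The bracketed expression is postfix, e.g.
# "[ a b && ]", so operators (&&, ||, !, ^, ==, !=) are skipped.
disabled_rule_booleans() {
    awk '
        /^D/ && match($0, /\[.*\]$/) {
            expr = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(expr, tok, " ")
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^[A-Za-z_][A-Za-z0-9_]*$/) seen[tok[i]] = 1
        }
        END { for (b in seen) print b }
    ' | LC_ALL=C sort -u
}

# On a real box: sesearch -A -s httpd_sys_script_t -p name_bind -C | audit_rules
audit_rules() {
    input=$(cat)
    printf '%s\n' "$input" | summarize_rules
    echo "booleans that would enable the hidden rules if turned on:"
    printf '%s\n' "$input" | disabled_rule_booleans
}

printf '%s\n' "$SAMPLE" | audit_rules
```

Booleans listed for hidden name_bind rules are the ones worth reviewing with `getsebool`, since turning them on lets the CGI domain listen on a port.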