Recent bash vulnerability and SELinux containment
Dmitry Makovey
dmitry at athabascau.ca
Mon Sep 29 18:16:43 UTC 2014
On 09/25/2014 02:44 PM, Daniel J Walsh wrote:
>
> On 09/25/2014 04:24 PM, Dmitry Makovey wrote:
>> On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
>> thanks Dan. I've got that part and appreciate what I already got out of
>> the box with SELinux, however I was wondering if that containment can be
>> furthered, saying that bash invoked in httpd_t should have even stricter
>> policy applied? Possibly switch context to something that is very-very
>> limited, to avoid things like :
>>
>> http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
>
> Looking at the example in this redit, httpd_t would be executing a
> script labeled httpd_sys_script_exec_t, which would transition to
> httpd_sys_script_t.
>
> Which is what was expected.
>
> The httpd_sys_script_t is a somewhat restricted policy. In that most of
> apache config, logs /var/lib etc is blocked. By default content in
> users homedirs, databases etc is all blocked.
>
> Here are the types of files that httpd_sys_script_t is allowed to open
> and read on my rawhide system.
....
> Allowed to read /etc/passwd which could be a problem and apache content,
> but a whole lot of stuff is blocked.
thanks Dan, this clarifies a lot without having to go through the
code/transitions manually :)
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 173 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20140929/e925d8c4/attachment.sig>
More information about the selinux
mailing list