Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday 24 July 2009 04:56:51 pm Casey Dahlin wrote:
> > Just because selinux has policy doesn't mean the app is installed.
>
> If the app is not installed nothing is running in its context, so none of
> the rules will ever trigger.

If the attacker can work out the chain of allowed transitions, they can enter 
that context.


> >> The simplest mechanism I can see for doing that is to allow SELinux
> >> context to be referenced in the firewall rules. This prevents either
> >> system from having to be grotesquely modified.
> >>
> >> An example rule might look like this:
> >>
> >> -A INPUT -Z apache_t -j ACCEPT
> >>
> >> Here we tell the firewall to allow incoming traffic that will be
> >> intercepted in userspace by a process in the apache_t context.
> >
> > I don't like this. Its not tying to any port. For example, suppose there
> > is a vulnerability in cups and apache is not running, the cups app could
> > start listening on other ports and the rule would allow connections.
>
> Only if cups were running in the apache_t context.

I don't think I explained it well. I was thinking what if you had this rule:

-A INPUT -Z cups_t -j ACCEPT

and then cups was compromised and started listening on port 80. Since the 
above rule has no port restrictions and cups is allowed to accept connections, 
would cups now be able to start serving web pages?

-Steve

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux