On 17/05/13 10:21 AM, "Tristan Santore" <tristan.santore@xxxxxxxxxxxxxxxxxxxxx> wrote:

>On 17/05/13 01:03, Douglas Brown wrote:
>> Hi all,
>>
>> You may have seen this vulnerability talked about recently:
>>
>> http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
>>
>> After a long time of evangelising about SELinux to my sceptical
>> colleagues, this seemed like the perfect opportunity to test it.
>>
>> We tried the exploit with SELinux in permissive mode and it worked, then
>> in enforcing and SELinux prevented it! Not that I'm surprised, but it's
>> nice to have a real-world exploit to demonstrate.
>>
>> Cheers,
>> Doug
>>
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>That is a misleading statement to make. We tested this in enforcing
>mode, and it worked. However, there is Supervisor Mode Execution
>Protection (SMEP) support on some Intel CPUs, maybe that prevented it.
>Weird though that you stated that it was prevented from exploiting with
>selinux enabled.
>
>So, the question is, is your normal user confined?

Yep, the pre-defined user_u:user_r...

>What cpu model do you have? And did you test on different machines/cpu?

Not sure; the machine is virtual and on an ESX cluster so it may have vMotioned already...

>It should also be stated, that in the targeted policy model, users are
>not confined.

I'm talking about SELinux proving its worth in general as a useful technology that shouldn't just be 'turned off' at the first opportunity.

Cheers,
Doug
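
The questions raised in this exchange (enforcing or permissive, confined or unconfined user, SMEP present or not) can be recorded on the test machine before comparing results. The script below is an added example, not something posted by either participant; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: record the facts the thread asks about so that two test
# results can be compared like for like.

# Print the type (domain) field of an SELinux context "user:role:type[:level]".
# cut -s prints nothing when the string has no ':' (e.g. SELinux disabled).
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Succeed only for a confined login: a context that is neither mapped to
# unconfined_u nor running in the unconfined_t domain.
is_confined() {
    se_user=$(printf '%s\n' "$1" | cut -s -d: -f1)
    se_type=$(context_type "$1")
    [ -n "$se_type" ] && [ "$se_user" != "unconfined_u" ] &&
        [ "$se_type" != "unconfined_t" ]
}

# Succeed when cpuinfo-format text lists the smep flag. In a guest this
# reflects what the hypervisor exposes on the host it currently runs on.
has_smep() {
    printf '%s\n' "$1" | grep '^flags' | grep -qw smep
}

# report CONTEXT MODE CPUINFO_TEXT -> one summary line
report() {
    confined=no; smep=no
    if is_confined "$1"; then confined=yes; fi
    if has_smep "$3"; then smep=yes; fi
    echo "selinux_mode=$2 confined_user=$confined smep=$smep"
}

# Constructed sample input (not taken from either poster's machine).
SAMPLE_CPUINFO='model name : Constructed CPU
flags : fpu vme de pse smep erms'

report "user_u:user_r:user_t:s0" "Enforcing" "$SAMPLE_CPUINFO"
report "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" "Enforcing" "$SAMPLE_CPUINFO"

# On a live system:
#   report "$(id -Z)" "$(getenforce)" "$(cat /proc/cpuinfo)"
```
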