Re: Proof is in the pudding


 



All the above was already discussed in the relevant bugzilla entry,
and some part of the discussion was written by myself also. And iirc
something similar already happened some years ago. Not a selinux, or
apparmor, problem however.

Best

2013/5/17, Tristan Santore <tristan.santore@xxxxxxxxxxxxxxxxxxxxx>:
> On 17/05/13 02:32, Trevor Hemsley wrote:
>> On 17/05/13 01:03, Douglas Brown wrote:
>>> Hi all,
>>>
>>> You may have seen this vulnerability talked about
>>> recently:
>>> http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
>>>
>>> After a long time of evangelising about SELinux to my sceptical
>>> colleagues, this seemed like the perfect opportunity to test it.
>>>
>>> We tried the exploit with SELinux in permissive mode and it worked then
>>> in enforcing and SELinux prevented it! Not that I'm surprised, but it's
>>> nice to have a real-world exploit to demonstrate.
>>
>> Unfortunately, whatever you tested was not this.
>>
>> $ ls -la sem*
>> -rwxrwxr-x. 1 trevor trevor 10007 May 14 13:39 semtex
>> -rw-rw-r--. 1 trevor trevor  2488 May 14 13:39 semtex.c
>> $ getenforce
>> Enforcing
>> $ uname -a
>> Linux hostname 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC
>> 2013 x86_64 x86_64 x86_64 GNU/Linux
>> $ ./semtex
>> 2.6.37-3.x x86_64
>> sd@xxxxxxxxxxxxx 2010
>> -sh-4.1#
>>
>> Sorry.
>>
>> Trevor
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> Trevor,
> Are you running targeted policy ? If so, the normal users are
> unconfined_u, that is unconfined_u:object_r:user_home_t:s0.
>
> If you make the user confined, you get something like this, for example:
> 2.6.37-3.x x86_64
> sd@xxxxxxxxxxxxx 2010
> -sh: /home/$USER/.profile: Permission denied
> -sh-4.1# ^C
> -sh-4.1# kill -9 19457
> -sh: kill: (19457) - Operation not permitted
> -sh-4.1# init 6
> -sh: init: command not found
> -sh-4.1# su
> -sh: su: command not found
>
> But as I said, you could modify the exploit to turn off selinux.
>
> So, SElinux kind of mitigates the attack, but it is not a fix, just an
> obstacle.
>
> SElinux can never really be a system to implement a 100% secure system,
> like many other technologies that do the same.
> The golden rule is: There is no 100% secure system.
>
> However, I think we should all be grateful, that linux has various
> mitigation technologies available to it.
>
> Regards,
> Tristan
>
> --
> Tristan Santore BSc MBCS
> TS4523-RIPE
> Network and Infrastructure Operations
> InterNexusConnect
> Mobile +44-78-55069812
> Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx
>
> Former Thawte Notary
> (Please note: Thawte has closed its WoT programme down,
> and I am therefore no longer able to accredit trust)
>
> For Fedora related issues, please email me at:
> TSantore@xxxxxxxxxxxxxxxxx

-- 
Sent from my mobile device
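
Added example, not part of the original messages: a check for the point raised in the quoted reply, that under targeted policy ordinary logins are mapped to unconfined_u. It reads text in the layout printed by `semanage login -l` and lists the logins still mapped to unconfined_u. The sample table is constructed, and user_u as the confined replacement is an assumption; pick the confined SELinux user that fits your site.

```shell
#!/bin/sh
# Audit SELinux login mappings for unconfined users (added example).
# Feed it the output of `semanage login -l`; the table below is a
# constructed sample in that layout so the script also runs offline.

# Print every login name whose "SELinux User" column is unconfined_u.
# The header row and blank lines never match, so no special casing is needed.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# For each unconfined login, print the mapping change an admin would review.
# user_u is an assumed choice of confined user, not taken from the thread.
report() {
    unconfined_logins | while read -r login; do
        printf '%s -> unconfined_u; to confine: semanage login -m -s user_u %s\n' \
            "$login" "$login"
    done
}

# Constructed sample data (not captured from a real host).
sample_mappings() {
    cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
alice                user_u               s0                   *
EOF
}

# Offline demonstration; on a live system run: semanage login -l | report
sample_mappings | report
```

A `__default__` row mapped to unconfined_u means every login without its own entry runs unconfined, which is the configuration the quoted reply asks about.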




