Re: Recent bash vulnerability and SELinux containment

On 09/25/2014 01:37 PM, Dmitry Makovey wrote:
Hi everybody,

While the whole "bash"-storm is gaining force, is it reasonable to
develop SELinux policy prohibiting bash invocations from daemons'
contexts to have access to anything but a tiny sandbox? Has anybody
attempted such a thing?


No, SELinux would already block the bash exploit.

SELinux allows a process to do its stuff based on its type. Just because I can infect a bash script to attempt to do some bad access does not mean SELinux will not block it.

If I have a bash script running as httpd_t or mysqld_t and it gets hacked, it would still only be allowed to do the things that mysqld_t or httpd_t can do.

It would block a cgi script launched from httpd_t from reading the mysqld database even if the mysqld database was world readable.

This is what SELinux does.
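To make the decision described in the reply concrete, the following Python model layers SELinux-style type enforcement on top of ordinary Unix permission bits and walks through the exact case above: a CGI bash script confined to httpd_t trying to read a world-readable mysqld database file. This is an added illustration, not code from the list message or from the SELinux project. The allow rules, file labels, paths, user names and the shortened AVC message format are all constructed for the example; a real policy has many more object classes, permissions and rule kinds (dontaudit, neverallow, booleans), and group permission bits are left out of the DAC check for brevity.

```python
"""Toy model of SELinux type enforcement (TE) layered on DAC.

Constructed example: the allow rules and labels below are illustrative and
are not extracted from any real policy module.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    mode: int    # POSIX permission bits, e.g. 0o644
    owner: str   # owning Unix user
    setype: str  # type component of the file's SELinux label


@dataclass(frozen=True)
class Process:
    user: str    # Unix user the process runs as
    domain: str  # type component of the process label (its SELinux domain)


# Constructed allow rules in the spirit of
#   allow httpd_t httpd_sys_content_t:file { read };
# keyed by (source domain, target type, object class).
ALLOW_RULES = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read"},
    ("httpd_t", "httpd_log_t", "file"): {"write"},
    ("mysqld_t", "mysqld_db_t", "file"): {"read", "write"},
}


def dac_allows(proc: Process, f: File, perm: str) -> bool:
    """Classic Unix check: root bypasses DAC; otherwise owner or 'other' bits.
    (Group bits are deliberately omitted to keep the model short.)"""
    if proc.user == "root":
        return True
    bit = {"read": 4, "write": 2}[perm]
    shift = 6 if proc.user == f.owner else 0  # owner bits sit at >>6, other at >>0
    return bool((f.mode >> shift) & bit)


def te_allows(proc: Process, f: File, perm: str) -> bool:
    """Type enforcement: allowed only if an explicit allow rule exists."""
    return perm in ALLOW_RULES.get((proc.domain, f.setype, "file"), set())


def access_allowed(proc: Process, f: File, perm: str,
                   mode: str = "enforcing", avc_log=None) -> bool:
    """Kernel-style ordering: DAC is checked first, then the TE hook.
    In permissive mode a TE denial is logged but the access still succeeds,
    which is why containment only holds when SELinux is enforcing."""
    if not dac_allows(proc, f, perm):
        return False
    if te_allows(proc, f, perm):
        return True
    if avc_log is not None:
        # Shortened, constructed form of an AVC denial record.
        avc_log.append(
            f"avc: denied {{ {perm} }} for path={f.path!r} "
            f"scontext={proc.domain} tcontext={f.setype} tclass=file "
            f"permissive={int(mode == 'permissive')}"
        )
    return mode == "permissive"


# Constructed scenario from the reply: a world-readable database file,
# a bash CGI script spawned by httpd (so it inherits httpd_t), and mysqld.
DB_FILE = File("/var/lib/mysql/app/users.MYD", 0o644, "mysql", "mysqld_db_t")
CGI = Process("apache", "httpd_t")
MYSQLD = Process("mysql", "mysqld_t")
ROOT_CGI = Process("root", "httpd_t")  # uid 0 but still confined by its domain


def scenario() -> dict:
    """Run the four decisions a reader would want to compare."""
    log = []
    return {
        "dac_lets_cgi_read_db": dac_allows(CGI, DB_FILE, "read"),
        "cgi_read_db_enforcing": access_allowed(CGI, DB_FILE, "read"),
        "mysqld_read_db": access_allowed(MYSQLD, DB_FILE, "read"),
        "root_cgi_read_db": access_allowed(ROOT_CGI, DB_FILE, "read"),
        "cgi_read_db_permissive": access_allowed(
            CGI, DB_FILE, "read", mode="permissive", avc_log=log),
        "avc_log": log,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The two things the model makes visible are that DAC saying yes (world-readable file, or even uid 0) does not help a process whose domain has no allow rule, and that the same denial becomes a log line rather than a block as soon as the mode is permissive. On a real host the analogous checks are `getenforce` for the mode and `ps -eZ` to confirm the daemon is actually running in a confined domain rather than unconfined_t, since an unconfined process gets no such containment.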



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux