On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
>
> On 09/25/2014 01:37 PM, Dmitry Makovey wrote:
>> Hi everybody,
>>
>> while the whole "bash"-storm is gaining force, is it reasonable to
>> develop SELinux policy prohibiting bash invocations from daemons'
>> contexts to have access to anything but a tiny sandbox? Has anybody
>> attempted such a thing?
>>
>>
> No, SELinux would already block the bash exploit.
>
> SELinux allows a process to do its stuff based on its type. Just
> because I can infect a bash script to attempt to do some
> bad access does not mean SELinux will not block it.
>
> If I have a bash script running as httpd_t or mysqld_t and it gets
> hacked, it would still only be allowed to do the things that mysqld_t or
> httpd_t can do.
>
> It would block a cgi script launched from httpd_t from reading the
> mysqld database even if the mysqld database was world readable.
>
> This is what SELinux does.

Thanks Dan. I've got that part and appreciate what I already got out of
the box with SELinux; however, I was wondering if that containment can be
furthered, saying that bash invoked in httpd_t should have an even stricter
policy applied? Possibly switch context to something that is very-very
limited, to avoid things like:
http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ ?

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt
run in circles scream and shout
    http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
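The "switch context to something very limited" that Dmitry asks about is an ordinary SELinux domain transition: when httpd_t executes a file carrying a chosen entrypoint label, the child lands in a separate, more restricted domain. The reference policy already does this for CGI in general (files labelled httpd_sys_script_exec_t run as httpd_sys_script_t, not httpd_t). The module below, added here as an illustration and not taken from the thread or from the Fedora/reference policy, goes one step further and defines a hypothetical domain httpd_sandbox_script_t that can run bash and the core utilities, talk back to httpd over the inherited CGI pipe, and write to its own tmp type, and nothing else. All type and module names are invented for the example.

```selinux
policy_module(httpd_script_sandbox, 1.0)

########################################
# Declarations (all names are hypothetical, for this example only)

gen_require(`
    type httpd_t;
')

# Domain for shell CGI scripts, and the entrypoint label that triggers it.
type httpd_sandbox_script_t;
type httpd_sandbox_script_exec_t;
domain_type(httpd_sandbox_script_t)
domain_entry_file(httpd_sandbox_script_t, httpd_sandbox_script_exec_t)

# httpd runs in system_r, so the sandbox domain must be allowed for that role.
role system_r types httpd_sandbox_script_t;

# Private scratch area; the sandbox may write here and nowhere else.
type httpd_sandbox_tmp_t;
files_tmp_file(httpd_sandbox_tmp_t)

########################################
# Policy

# httpd_t exec()ing a file labelled httpd_sandbox_script_exec_t
# automatically transitions into httpd_sandbox_script_t.
domtrans_pattern(httpd_t, httpd_sandbox_script_exec_t, httpd_sandbox_script_t)

# CGI output goes back over the pipe httpd already opened before the exec.
allow httpd_sandbox_script_t httpd_t:fd use;
allow httpd_sandbox_script_t httpd_t:fifo_file rw_fifo_file_perms;
allow httpd_sandbox_script_t httpd_t:process sigchld;

# The interpreter itself plus the usual coreutils.
corecmd_exec_shell(httpd_sandbox_script_t)
corecmd_exec_bin(httpd_sandbox_script_t)

# Read-only system basics bash needs to start at all.
files_read_etc_files(httpd_sandbox_script_t)
miscfiles_read_localization(httpd_sandbox_script_t)

# Files the script creates under /tmp get the private label.
files_tmp_filetrans(httpd_sandbox_script_t, httpd_sandbox_tmp_t, { file dir })
manage_files_pattern(httpd_sandbox_script_t, httpd_sandbox_tmp_t, httpd_sandbox_tmp_t)
manage_dirs_pattern(httpd_sandbox_script_t, httpd_sandbox_tmp_t, httpd_sandbox_tmp_t)

# Deliberately absent: any network access, reading httpd content or
# config, access to other daemons' data, execmem/execmod. An injected
# "() { :;}; /bin/cat /etc/shadow" still runs, but inside this domain
# the cat is denied and logged by AVC.
```

Build and load it on a system with the policy development files, then label the scripts you want sandboxed and confirm the transition rule is in the loaded policy:

    make -f /usr/share/selinux/devel/Makefile httpd_script_sandbox.pp
    semodule -i httpd_script_sandbox.pp
    semanage fcontext -a -t httpd_sandbox_script_exec_t '/var/www/cgi-bin/sandbox(/.*)?'
    restorecon -Rv /var/www/cgi-bin/sandbox
    sesearch -T -s httpd_t -t httpd_sandbox_script_exec_t

Two caveats a practitioner will want. First, the transition keys on the label of the file being executed, so it confines CGI scripts launched by httpd_t through that path; a bash started some other way from inside httpd_t (for example a system() call from an in-process module) stays in httpd_t and is governed only by the httpd_t rules Dan describes. Second, the transition does not stop the bash environment-function bug itself: the sandboxed process still receives the request-derived environment variables and bash still evaluates them. What changes is the reach of whatever gets injected, which is exactly the containment the thread is after, and that reach is defined entirely by the allow rules you put in the module. Start minimal and add rules from AVC denials rather than the other way round.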