Re: Recent bash vulnerability and SELinux containment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/25/2014 02:44 PM, Daniel J Walsh wrote:
> 
> On 09/25/2014 04:24 PM, Dmitry Makovey wrote:
>> On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
>> thanks Dan. I've got that part and appreciate what I already got out of
>> the box with SELinux, however I was wondering if that containment can be
>> furthered, saying that bash invoked in httpd_t should have even stricter
>> policy applied? Possibly switch context to something that is very-very
>> limited, to avoid things like :
>>
>> http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
>
> Looking at the example in this redit,  httpd_t would be executing a
> script labeled httpd_sys_script_exec_t, which would transition to
> httpd_sys_script_t.
> 
> Which is what was expected. 
> 
> The httpd_sys_script_t is a somewhat restricted policy.  In that most of
> apache config, logs /var/lib etc is blocked.  By default content in
> users homedirs, databases etc is all blocked.
> 
> Here are the types of files that httpd_sys_script_t is allowed to open
> and read on my rawhide system.
....
> Allowed to read /etc/passwd which could be a problem and apache content,
> but a whole lot of stuff is blocked.

thanks Dan, this clarifies a lot without having to go through the
code/transitions manually :)

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen

When in trouble when in doubt run in circles scream and shout
     http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330

Attachment: signature.asc
Description: OpenPGP digital signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux