On 09/25/2014 02:44 PM, Daniel J Walsh wrote:
>
> On 09/25/2014 04:24 PM, Dmitry Makovey wrote:
>> On 09/25/2014 02:14 PM, Daniel J Walsh wrote:
>> thanks Dan. I've got that part and appreciate what I already got out of
>> the box with SELinux, however I was wondering if that containment can be
>> furthered, saying that bash invoked in httpd_t should have even stricter
>> policy applied? Possibly switch context to something that is very-very
>> limited, to avoid things like :
>>
>> http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
>
> Looking at the example in this reddit, httpd_t would be executing a
> script labeled httpd_sys_script_exec_t, which would transition to
> httpd_sys_script_t.
>
> Which is what was expected.
>
> The httpd_sys_script_t is a somewhat restricted policy. In that most of
> apache config, logs /var/lib etc is blocked. By default content in
> users homedirs, databases etc is all blocked.
>
> Here are the types of files that httpd_sys_script_t is allowed to open
> and read on my rawhide system. ....
> Allowed to read /etc/passwd which could be a problem and apache content,
> but a whole lot of stuff is blocked.

thanks Dan, this clarifies a lot without having to go through the code/transitions manually :)

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
    Woody Allen
When in trouble when in doubt run in circles scream and shout
    http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
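The transition Dan describes above (httpd_t executing a script labeled httpd_sys_script_exec_t lands in httpd_sys_script_t, which can read /etc/passwd and web content but not apache config or logs), as an added example that is not code from the thread or from the SELinux policy itself: a small Python evaluator over a constructed policy fragment. The fragment mirrors the thread's description only; the type names beyond those in the thread (passwd_file_t, httpd_sys_content_t, httpd_config_t, httpd_log_t) and the exact permission sets are assumptions, not the Fedora policy.

```python
import re

# Constructed sample policy in SELinux kernel-policy syntax (not the real
# Fedora policy). It only models what the thread describes: an exec of
# httpd_sys_script_exec_t from httpd_t transitions to httpd_sys_script_t,
# which may read passwd_file_t and web content but not httpd config/logs.
SAMPLE_POLICY = """
type_transition httpd_t httpd_sys_script_exec_t:process httpd_sys_script_t;
allow httpd_t httpd_sys_script_exec_t:file { read execute };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { read execute entrypoint };
allow httpd_sys_script_t passwd_file_t:file { read open getattr };
allow httpd_sys_script_t httpd_sys_content_t:file { read open getattr };
allow httpd_t httpd_config_t:file { read open getattr };
allow httpd_t httpd_log_t:file { append open getattr };
"""

# type_transition <source> <target>:<class> <default_type>;
TRANS_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+);")
# allow <source> <target>:<class> { perm ... };  (braced form only)
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\};")


def parse_policy(text):
    """Index type_transition rules and allow rules by (source, target, class)."""
    transitions, allows = {}, {}
    for src, tgt, cls, new_type in TRANS_RE.findall(text):
        transitions[(src, tgt, cls)] = new_type
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        allows.setdefault((src, tgt, cls), set()).update(perms.split())
    return transitions, allows


def exec_domain(transitions, domain, exec_type):
    """Domain a process is in after exec; with no rule it stays where it was."""
    return transitions.get((domain, exec_type, "process"), domain)


def can_read(allows, domain, file_type):
    """Reading a file needs both open and read on the file class."""
    return {"read", "open"} <= allows.get((domain, file_type, "file"), set())


def script_access(policy_text, start_domain, script_type, file_types):
    """Resolve the script's domain, then ask what that domain can read."""
    transitions, allows = parse_policy(policy_text)
    domain = exec_domain(transitions, start_domain, script_type)
    return domain, {t: can_read(allows, domain, t) for t in file_types}
```

The same functions answer the question raised in the thread for any other exec type: a script type with no type_transition rule from httpd_t stays in httpd_t, so it inherits the broader httpd_t permissions instead of the narrower httpd_sys_script_t ones.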
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux