Re: No semantic av rules displayed by "sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D"

Daniel J Walsh <dwalsh@xxxxxxxxxx> · Tue, 04 Nov 2014 16:04:31 -0500



    On 10/31/2014 10:57 PM, Shintaro
      Fujiwara wrote:

    
            On my fedora20 box, I tried to check Bash Expoit as Dan
              did on his latest blog post.

              
            What I got is,

            
            [root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p
            name_bind -C | grep -v ^D

            Found 12 semantic av rules:

            
          Though 12 rules caught by sesearch, but none displayed.

          
         Next I typed,

        
            [root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p
              name_connect -C | grep -v ^D

              Found 24 semantic av rules:

                 allow nsswitch_domain dns_port_t : tcp_socket {
              recv_msg send_msg name_connect } ; 

                 allow nsswitch_domain dnssec_port_t : tcp_socket
              name_connect ; 

              ET allow httpd_sys_script_t gds_db_port_t : tcp_socket
              name_connect ; [ httpd_can_network_connect_db ]

              ET allow httpd_sys_script_t mysqld_port_t : tcp_socket {
              recv_msg send_msg name_connect } ; [
              httpd_can_network_connect_db ]

              ET allow nsswitch_domain ocsp_port_t : tcp_socket
              name_connect ; [ kerberos_enabled ]

              ET allow httpd_sys_script_t postgresql_port_t : tcp_socket
              { recv_msg send_msg name_connect } ; [
              httpd_can_network_connect_db ]

              ET allow httpd_sys_script_t oracle_port_t : tcp_socket
              name_connect ; [ httpd_can_network_connect_db ]

              ET allow httpd_sys_script_t mssql_port_t : tcp_socket
              name_connect ; [ httpd_can_network_connect_db ]

              ET allow nsswitch_domain kerberos_port_t : tcp_socket {
              recv_msg send_msg name_connect } ; [ kerberos_enabled ]

              ET allow httpd_sys_script_t port_type : tcp_socket {
              recv_msg send_msg name_connect } ; [ httpd_enable_cgi
              httpd_can_network_connect && ]

              
              This is ok.

                
              What's wrong with name_bind thing?

                
              I use 

                setools-console                   
                x86_64                    3.3.7-41.fc20

                
                -- 

                
                    日本にヘヴィメタル・ハードロックを根付かせるページ

                    
                    http://heavymetalhardrock.no-ip.info/

                    
                      世界中でセキュアＯＳのSELinuxを使いやすくするフリーソフト

                      http://sourceforge.net/projects/segatex/

                    
                      CMS（PHPとPostgreSQLを使ったフリーソフト）

                    
                    http://sourceforge.net/projects/webon/

                    https://github.com/intrajp/irforum_jp

                  
      --
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
    
    name_bind allows you to listen on a port, which could be used to
    establish a back door for incoming connections.  Since you turned on
    some booleans, you are allowed to connect to more network ports.

    
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux