Re: No semantic av rules displayed by "sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 10/31/2014 10:57 PM, Shintaro Fujiwara wrote:
On my fedora20 box, I tried to check Bash Expoit as Dan did on his latest blog post.

What I got is,

[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_bind -C | grep -v ^D
Found 12 semantic av rules:

Though 12 rules caught by sesearch, but none displayed.

 Next I typed,


[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_connect -C | grep -v ^D
Found 24 semantic av rules:
   allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow nsswitch_domain dnssec_port_t : tcp_socket name_connect ;
ET allow httpd_sys_script_t gds_db_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
ET allow nsswitch_domain ocsp_port_t : tcp_socket name_connect ; [ kerberos_enabled ]
ET allow httpd_sys_script_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t oracle_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t mssql_port_t : tcp_socket name_connect ; [ httpd_can_network_connect_db ]
ET allow nsswitch_domain kerberos_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ kerberos_enabled ]
ET allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_enable_cgi httpd_can_network_connect && ]

This is ok.

What's wrong with name_bind thing?

I use
setools-console                    x86_64                    3.3.7-41.fc20

--
日本にヘヴィメタル・ハードロックを根付かせるページ

世界中でセキュアOSのSELinuxを使いやすくするフリーソフト
http://sourceforge.net/projects/segatex/

CMS(PHPとPostgreSQLを使ったフリーソフト)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
name_bind allows you to listen on a port, which could be used to establish a back door for incoming connections.  Since you turned on some booleans, you are allowed to connect to more network ports.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux