Hi.

I saw an article on Slashdot.
http://it.slashdot.org/article.pl?sid=08/02/10/2011257

Local exploit code for the Linux kernel exists; the exploit code is also disclosed at
http://www.milw0rm.com/exploits/5092.

In the exploit code, only the uid is changed to 0, so SELinux is not affected.
However, SELinux can be disabled by overwriting selinux_enforcing with 0.
The address of selinux_enforcing can be seen in /proc/kallsyms, and I've set the value at that address to 0.
I tried that on Fedora 8, and I could disable SELinux (set SELinux to permissive) from the xguest_t domain.

I want to make it more difficult for attackers to disable SELinux by kernel exploit.
I think not exporting selinux_enforcing (and selinux_disable) to /proc/kallsyms is useful.
And /proc/kallsyms is visible from many processes because it is proc_t, so assigning /proc/kallsyms a label such as proc_ksym_t may also be useful.

Are they really useful? Or any idea??

--
Yuichi Nakamura
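An added example, not part of the original message: a small audit that reports whether the two symbols named above are readable with real addresses by the process running it, for instance from inside a confined domain. The sample text, the function name and the state names are constructed for illustration; addresses are deliberately never returned.

```python
import sys

# Symbols the message proposes hiding from /proc/kallsyms.
SENSITIVE = ("selinux_enforcing", "selinux_disable")

def audit_kallsyms(text, names=SENSITIVE):
    """Classify each name as 'visible', 'zeroed' or 'absent'.

    Each kallsyms line is '<hex address> <type> <name> [module]'.
    Only the exposure state is reported, never the address itself.
    """
    state = {n: "absent" for n in names}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] not in state:
            continue
        try:
            addr = int(parts[0], 16)
        except ValueError:
            continue  # skip malformed lines
        if addr != 0:
            state[parts[2]] = "visible"   # a real address is readable
        elif state[parts[2]] == "absent":
            state[parts[2]] = "zeroed"    # listed, but address is hidden
    return state

# Constructed sample in kallsyms format (addresses are made up).
SAMPLE = """\
ffffffff8020a000 T _stext
ffffffff80654321 B selinux_enforcing
0000000000000000 D selinux_disable
ffffffff88001000 t helper_fn\t[sample_mod]
"""

def main(path="/proc/kallsyms"):
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        # Denied by policy or DAC: the file is not exposed to this process.
        print(f"cannot read {path}: {exc}")
        return 0
    result = audit_kallsyms(text)
    for name, st in result.items():
        print(f"{name}: {st}")
    return 1 if "visible" in result.values() else 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run from the domain being assessed, a non-zero exit status means at least one of the symbols is readable with a real address from that context.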