Yuichi Nakamura wrote:
> Hi.
>
> I saw an article on slashdot.
> http://it.slashdot.org/article.pl?sid=08/02/10/2011257
>
> Local exploit code for Linux kernel exists,
> exploit code is also disclosed in http://www.milw0rm.com/exploits/5092.
>
> In the exploit code, only uid is changed to 0.
> So, SELinux is not affected.
>
> However, SELinux can be disabled by overwriting selinux_enforcing to 0.
> The address of selinux_enforcing can be seen in /proc/kallsyms,
> and I've set the value on the address to 0.
>
> I tried that on Fedora 8,
> and I could disable SELinux(set selinux as permissive) from xguest_t
> domain.
>
> I want to make it more difficult
> for attackers to disable SELinux by kernel exploit.
>
> I think not exporting selinux_enforcing(and selinux_disable) to
> /proc/kallsyms is useful.
> And /proc/kallsyms is visible from many processes because it is proc_t,
> assigning /proc/kallsyms label such as proc_ksym_t may be also useful.
> Are they really useful?
> Or any idea??
>
> --
> Yuichi Nakamura
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

So this exploit, don't you need to write to /proc? xguest_t should not be allowed to do this?
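An audit check for the exposure discussed in this thread, added here as an example (not code from either poster or from the SELinux project): it reports whether the symbols named above appear in `/proc/kallsyms` with a real address for the calling process. It assumes the standard `address type name` layout and treats an all-zero address as hidden, which is what kernels with pointer hiding (the `kptr_restrict` sysctl) show unprivileged readers; the sample inputs are constructed.

```python
# Added example: audit whether /proc/kallsyms exposes the addresses of the
# symbols named in the thread to the process running this script.

WATCHED = ("selinux_enforcing", "selinux_disable")  # names taken from the message

# Constructed sample input in /proc/kallsyms layout: "<hex addr> <type> <name> [module]"
SAMPLE_EXPOSED = """\
c0123450 T sys_open
c04a1b20 B selinux_enforcing
c02f0c10 T selinux_disable
e0881000 t helper_fn\t[samplemod]
"""
SAMPLE_MASKED = """\
00000000 T sys_open
00000000 B selinux_enforcing
00000000 T selinux_disable
"""

def audit_kallsyms(text, watched=WATCHED):
    """Return {symbol: 'exposed' | 'masked' | 'absent'} for each watched symbol."""
    result = {name: "absent" for name in watched}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] not in result:
            continue  # blank, malformed, or not a symbol we care about
        try:
            value = int(fields[0], 16)
        except ValueError:
            continue  # address column is not hexadecimal
        # An all-zero address means the kernel hid the pointer from this reader.
        if result[fields[2]] != "exposed":
            result[fields[2]] = "exposed" if value != 0 else "masked"
    return result

def audit_live(path="/proc/kallsyms"):
    """Audit the running kernel as seen by the current process and its domain."""
    try:
        with open(path) as f:
            return audit_kallsyms(f.read())
    except OSError:
        # An unreadable file (e.g. denied by policy) exposes nothing to this domain.
        return {name: "absent" for name in WATCHED}

if __name__ == "__main__":
    for name, status in audit_live().items():
        print(f"{name}: {status}")
```

Run it from the confined domain being evaluated, since the result depends on what that domain is allowed to read.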