On 01/18/2017 12:05 AM, 面和毅 wrote:
> Dear Sir,
>
> I'm a member of the Japan-SOSS SIG (Secure OSS Special
> Interest Group).
> We love SELinux (12-year user) and we are promoting SELinux in Japan.
>
> From technical interest (we are promoting Docker
> with SELinux), we did a PoC for CVE-2016-9962 on Fedora 25.
>
> Then we found the current SELinux (maybe the policy) does not
> mitigate that vulnerability.
>
> We could reproduce that vulnerability with
> - adding CAP_SYS_PTRACE to the container
> - a modified runc, because there's not so much of a race window on runc.
> Then we think it's not so easy in the usual situation.
> Also we couldn't reproduce it on CentOS 7 (latest).
>
> We posted that PoC result on our community blog.
> https://jsosug.github.io/post/omok-selinux-docker-20170118/
>
> Also we wish to discuss how we can protect against this kind of
> vulnerability by using SELinux.
>
> Kind Regards,
>
> OMO

Attempt to cat /etc/shadow in your test to see the blockage.

Here is a blog I wrote on the topic.
http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/
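The "blockage" the reply refers to shows up on the host as an AVC denial in the audit log, so the useful follow-up check is to confirm that the denial was actually enforced rather than merely logged. The script below is an added example written for this thread, not code from either poster or from the SELinux project: it parses audit-log AVC records and reports denials where a container domain touched shadow_t, separating enforced denials (permissive=0, the access was blocked) from permissive ones (permissive=1, the access was only logged and would have succeeded). The sample log lines are constructed, and the container domain name container_t is an assumption; on older policies the Docker domain is named differently (for example svirt_lxc_net_t), so pass the name your policy uses.

```python
import re

# Constructed sample audit.log lines; they are not from the thread above or from a real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484700000.123:456): avc:  denied  { read } for  pid=2345 comm="cat" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1484700000.123:456): arch=c000003e syscall=2 success=no exit=-13 ...
type=AVC msg=audit(1484700001.124:457): avc:  denied  { read } for  pid=2346 comm="cat" name="shadow" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1484700002.125:458): avc:  denied  { write } for  pid=1000 comm="vim" name="foo" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# An AVC record: "... avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
# key=value pairs; values may be quoted (comm="cat") or bare (pid=2345)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        # third field of a context (user:role:type[:level]) is the SELinux type
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        # permissive=0 means the kernel actually refused the access
        'enforced': fields.get('permissive') == '0',
        'comm': fields.get('comm', ''),
        'pid': fields.get('pid', ''),
    }


def container_denials(log_text, source_type='container_t', target_type='shadow_t'):
    """All AVC denials where the container domain touched the target type (enforced or not)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['source_type'] == source_type and rec['target_type'] == target_type:
            hits.append(rec)
    return hits


def summarize(log_text, source_type='container_t', target_type='shadow_t'):
    """Count blocked accesses versus denials that were only logged (permissive domain)."""
    recs = container_denials(log_text, source_type, target_type)
    return {
        'blocked': sum(1 for r in recs if r['enforced']),
        'logged_only': sum(1 for r in recs if not r['enforced']),
    }


if __name__ == '__main__':
    # On a real host, read /var/log/audit/audit.log instead of the constructed sample.
    for rec in container_denials(SAMPLE_AUDIT_LOG):
        state = 'BLOCKED' if rec['enforced'] else 'logged only (permissive!)'
        print(f"pid={rec['pid']} comm={rec['comm']} perms={rec['perms']} -> {state}")
    print(summarize(SAMPLE_AUDIT_LOG))
```

A non-zero `logged_only` count means the container domain is permissive and the test proves nothing about confinement; a test like OMO's should only be read as a mitigation result when the matching denial carries permissive=0.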