You are not testing with SELinux if it can read /etc/shadow. The process should be running as container_t or svirt_lxc_net_t if it is an older version. We currently label runc as container_runtime_exec_t. dnf reinstall container-selinux ls -lZ /usr/sbin/runc On 01/19/2017 02:56 AM, 面和毅 wrote: > Dear Sir, > > Thanks. I was checking can we cat /etc/shadow in my testing environment. > It seems that is protected because that file's permission is set to "000". > > Here is my test result; > -------------------------------------------------------------- > ----------. 1 root root system_u:object_r:shadow_t:s0 > 1268 Oct 13 07:55 /etc/shadow > > SELinux Enforcing -> Permission Denied > SELinux Permissive -> Permission Denied > SELinux Disabled -> Permission Denied > > When I changed that permission to "755"; > > SELinux Enforcing -> Could cat /etc/shadow > SELinux Permissive -> Could cat /etc/shadow > SELinux Disabled -> Could cat /etc/shadow > > Then in this case that escaped user could > have read access to shadow_t label. > -------------------------------------------------------------- > > That "runc" process seems to be working as unconfined_t domain; > > [root@fedora25 ~]# ps axZ|grep runc > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1578 pts/0 Sl+ > 0:00 runc run ctr > > So, I'm not sure but I guess we would better to assign > other domain to "runc" program (no unconfined_t). > > Let me check if we will run "runc" in other domain. > > Kind Regards, > > OMO > > 2017-01-18 23:14 GMT+09:00 Daniel J Walsh <dwalsh@xxxxxxxxxx>: >> >> On 01/18/2017 12:05 AM, 面和毅 wrote: >>> Dear Sir, >>> >>> I'm member of Japan-SOSS SIG(Secure OSS Special >>> Interest Group). >>> We love SELinux(12years user) and we are promoting SELinux in Japan. >>> >>> >From technical interesting(we are promoting Docker >>> with SELinux), we did PoC for CVE-2016-9962 on Fedora25. >>> >>> Then we found current SELinux(maybe policy) does not >>> mitigate that vulnerability. >>> >>> We could reproduce that vulnerability with >>> - add CAP_SYS_PTRACE to container >>> - modified runc because there’s not so much race window on runc. >>> then we think it's not so easy in usual situation. >>> Also we couldn't reproduce it on CentOS7(latest). >>> >>> We posted that PoC result on our community blog. >>> https://jsosug.github.io/post/omok-selinux-docker-20170118/ >>> >>> Also we wish to argue how can we protect this kind of >>> vulnerability by using SELinux. >>> >>> Kind Regards, >>> >>> OMO >> Attempt to cat /etc/shadow in your test to see the blockage. >> >> Here is a blog I wrote on the topic. >> >> http://rhelblog.redhat.com/2017/01/13/selinux-mitigates-container-vulnerability/ >> > > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
