Recent bash vulnerability and SELinux containment

On 09/25/2014 01:37 PM, Dmitry Makovey wrote:
> Hi everybody,
>
> while the whole "bash"-storm is gaining force, is it reasonable to
> develop SELinux policy prohibiting bash invocations from daemons'
> contexts to have access to anything but a tiny sandbox? Has anybody
> attempted such a thing?
>

No, SELinux would already block the bash exploit. SELinux allows a process to do its stuff based on its type. Just because I can infect a bash script to attempt to do some bad access does not mean SELinux will not block it. If I have a bash script running as httpd_t or mysqld_t and it gets hacked, it would still only be allowed to do the things that mysqld_t or httpd_t can do. It would block a CGI script launched from httpd_t from reading the mysqld database even if the mysqld database was world readable. This is what SELinux does.
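The containment described in the reply leaves a trace: when a process in a confined domain such as httpd_t is stopped from touching another service's files, SELinux logs an AVC denial. The following script is an added example, not code from the thread or from the SELinux project; it scans audit-log lines for denials that were actually enforced (permissive=0) for a given source domain. The audit lines embedded below are constructed samples, not real captures.

```sh
#!/bin/sh
# Added example: summarise enforced AVC denials for one SELinux source domain.
# In practice the input is /var/log/audit/audit.log; here it is a constructed sample.

# Constructed sample: a bash CGI child in httpd_t denied read on the mysqld
# database files and denied an outbound SMTP connect; a permissive-domain
# denial (logged but NOT blocked) and an unrelated SYSCALL record are included
# so the filter has something to ignore.
SAMPLE_AUDIT='type=AVC msg=audit(1411670000.123:101): avc:  denied  { read } for  pid=1234 comm="bash" name="ibdata1" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1411670000.123:101): arch=c000003e syscall=2 success=no exit=-13 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1411670001.456:102): avc:  denied  { name_connect } for  pid=1234 comm="bash" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1411670002.789:103): avc:  denied  { write } for  pid=2222 comm="mysqld" name="tmp" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1'

# Emit "target_type tclass permission" for every AVC denial from domain $1 that
# was enforced (permissive=0). A permissive=1 line means the access went through
# and was only logged, so it is deliberately excluded.
enforced_denials() {
    awk -v dom="$1" '
        /^type=AVC/ && /avc: +denied/ {
            src = ""; tgt = ""; cls = ""; perm = ""; acc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)   { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/)   { split($i, b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)     { sub(/^tclass=/, "", $i); cls = $i }
                if ($i ~ /^permissive=/) { sub(/^permissive=/, "", $i); perm = $i }
                if ($i == "{")           { acc = $(i + 1) }
            }
            if (src == dom && perm == "0") print tgt, cls, acc
        }'
}

# Count of enforced denials for domain $1 (reads stdin).
blocked_count() {
    enforced_denials "$1" | wc -l | tr -d ' '
}

# Sorted, de-duplicated list of target types domain $1 was blocked from.
blocked_targets() {
    enforced_denials "$1" | awk '{ print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_AUDIT" | blocked_count httpd_t      # 2
printf '%s\n' "$SAMPLE_AUDIT" | blocked_targets httpd_t    # mysqld_db_t, smtp_port_t
```

On a live host, feed the functions with `ausearch -m AVC -ts recent` output instead of the sample; a steady stream of httpd_t denials against mysqld_db_t is exactly the signal that type enforcement is doing the containment the reply describes.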