<div dir="ltr">"<span style="font-family:arial,sans-serif;font-size:13px">With the right profiles, a major selling point of SELinux (as "we" use</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">it) is that it's *not* game over just because you got root."</span><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div style>
<span style="font-family:arial,sans-serif;font-size:13px">In theory it shouldn't be. Running processes have contexts attached to them; this article I wrote a few years ago explains:</span></div><div style><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div style><a href="http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications">http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications</a><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div style><br></div><div style>Essentially, each running process has a context attached to it. Even if the process elevates to root privilege (i.e. running a SUID executable, having exploit code such as we see here, etc.), the OS sees that the process has a certain context and denies permission for stuff it shouldn't have. In the example I used in the article, a SUID root executable copies /etc/shadow when it is run from a website that has ostensibly been cracked. When SELinux is disabled, this works. When SELinux is enabled, the OS says, "Hey HTTPD, I don't care if you say you're root, you can't touch /etc/shadow!" I never thought to attempt to set /selinux/enforcing to 0 and then attempt that... but I'd hope that the OS would say, "Hey HTTPD, I don't care if you say you're root, you can't touch /selinux/enforcing!"</div>
<div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 14, 2013 at 1:22 PM, Rick Troth <span dir="ltr"><<a href="mailto:rmt@casita.net" target="_blank">rmt@casita.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">> Not sure what is interesting about the ability to disable SELinux; you have root, game over.<br>
<br>
With the right profiles, a major selling point of SELinux (as "we" use<br>
it) is that it's *not* game over just because you got root. (There<br>
are other features of SELinux which are more interesting to the NSA<br>
than they are to you and me.)<br>
<br>
I'm not personally a fan, but I'm not using this as an opportunity to<br>
jab at it ... or maybe I am.<br>
<br>
-- R; <><<br>
<br>
<br>
<br>
<br>
On Tue, May 14, 2013 at 1:00 PM, Neal Dias <<a href="mailto:roman@ensecure.org">roman@ensecure.org</a>> wrote:<br>
> Not sure what is interesting about the ability to disable SELinux; you have<br>
> root, game over.<br>
><br>
> RHEL 5 is not affected, RHEL 6 is, updated packages still in-process.<br>
><br>
> <a href="https://access.redhat.com/security/cve/CVE-2013-2094" target="_blank">https://access.redhat.com/security/cve/CVE-2013-2094</a><br>
> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=962792" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=962792</a><br>
<div class="im HOEnZb">><br>
> On Tue, May 14, 2013 at 12:33 PM, Joshua Kramer <<a href="mailto:joskra42.list@gmail.com">joskra42.list@gmail.com</a>><br>
> wrote:<br>
>><br>
</div><div class="HOEnZb"><div class="h5">>> Hello,<br>
>><br>
>> I recently saw this:<br>
>><br>
>> <a href="https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59" target="_blank">https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59</a><br>
>><br>
>> Given a command prompt, download this exploit, compile it, run it... and<br>
>> you suddenly have root. What is interesting about this is, as soon as you<br>
>> have root, you can disable SELinux.<br>
>><br>
>> Apparently it can be mitigated using this kernel module:<br>
>><br>
>> <a href="http://elrepo.org/tiki/kmod-tpe" target="_blank">http://elrepo.org/tiki/kmod-tpe</a><br>
>><br>
>> I spun up a test VM and tested this - it works! What would be interesting<br>
>> is doing some investigation to see if SELinux could prevent damage if this<br>
>> code was run from a malicious web app instead of the command prompt.<br>
>><br>
>> Also, I wonder if this works on Scientific Linux and other RHEL<br>
>> derivatives, or RHEL itself?<br>
>><br>
>> Cheers,<br>
>> -JK<br>
>><br>
</div></div><div class="im HOEnZb">>> _______________________________________________<br>
>> colug-432 mailing list<br>
>> <a href="mailto:colug-432@colug.net">colug-432@colug.net</a><br>
>> <a href="http://lists.colug.net/mailman/listinfo/colug-432" target="_blank">http://lists.colug.net/mailman/listinfo/colug-432</a><br>
>><br>
><br>
><br>
<br>
<br>
<br>
--<br>
</div><span class="HOEnZb"><font color="#888888">-- R; <><<br>
</font></span><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
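<div>The context-based denial described in the top message ("I don't care if you say you're root, you can't touch /etc/shadow") is recorded by the kernel as an AVC record in the audit log, and that log is where a defender would look for a web-server process, root or not, reaching for /etc/shadow or /selinux/enforcing. What follows is an added example, not code from the thread or from the linked article: a small Python parser for AVC records with a watchlist for the two targets the thread discusses. The sample log lines inside it are constructed for illustration; the type names shadow_t, security_t, httpd_t and httpd_sys_script_t are the standard targeted-policy labels.</div>

```python
"""Triage SELinux AVC denials for a confined web-server domain.

Added example for this thread; not code from the thread or the linked
article. It parses audit-log records of the shape the kernel emits for AVC
decisions and flags a confined domain (httpd_t here) reaching for objects it
should never touch, whether or not the process is uid 0. The sample lines at
the bottom are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# AVC record shape; spacing varies between kernel versions, hence the \s+.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


@dataclass
class Avc:
    result: str
    perms: List[str]
    pid: Optional[str]
    comm: Optional[str]
    name: Optional[str]
    source_type: str   # type field of scontext, e.g. httpd_t
    target_type: str   # type field of tcontext, e.g. shadow_t
    tclass: str
    permissive: bool   # True when the kernel only logged, did not block


def parse_avc(line: str) -> Optional[Avc]:
    """Return the parsed AVC record, or None for non-AVC lines (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    return Avc(
        result=m.group("result"),
        perms=m.group("perms").split(),
        pid=fields.get("pid"),
        comm=fields.get("comm"),
        name=fields.get("name"),
        source_type=m.group("scontext").split(":")[2],
        target_type=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
        permissive="permissive=1" in line,
    )


# (target type, object class) pairs a web-server domain has no business
# touching. shadow_t labels /etc/shadow; security_t labels selinuxfs nodes
# such as /selinux/enforcing, and the `security` class carries the
# setenforce / load_policy permissions.
WATCHLIST = {
    ("shadow_t", "file"): "access to /etc/shadow",
    ("security_t", "file"): "write to a selinuxfs node such as /selinux/enforcing",
    ("security_t", "security"): "attempt to change enforcing mode or load policy",
}
WEB_DOMAINS = {"httpd_t", "httpd_sys_script_t"}


def triage(lines) -> List[str]:
    """One alert string per watchlisted denial from a web-server domain."""
    alerts = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        key = (avc.target_type, avc.tclass)
        if avc.source_type in WEB_DOMAINS and key in WATCHLIST:
            outcome = "logged only, permissive" if avc.permissive else "blocked"
            alerts.append(
                f"{avc.source_type} pid={avc.pid} comm={avc.comm}: {WATCHLIST[key]} "
                f"({' '.join(avc.perms)} on {avc.tclass}) {outcome}"
            )
    return alerts


# Constructed sample records, not taken from a real system.
SAMPLE_AUDIT_LOG = [
    # cp launched through a SUID-root helper from the web server: uid 0, still httpd_t
    'type=AVC msg=audit(1368551123.456:101): avc:  denied  { read } for  pid=2201 comm="cp" '
    'name="shadow" dev=dm-0 ino=131585 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    # the same process then tries to switch enforcing off
    'type=AVC msg=audit(1368551124.001:102): avc:  denied  { setenforce } for  pid=2201 '
    'comm="setenforce" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security',
    # ordinary labelling noise; user_home_t is not on the watchlist
    'type=AVC msg=audit(1368551130.777:103): avc:  denied  { getattr } for  pid=1500 comm="httpd" '
    'path="/var/www/html/index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    # a denial recorded in permissive mode: nothing was actually stopped
    'type=AVC msg=audit(1368551140.999:104): avc:  denied  { write } for  pid=2202 comm="sh" '
    'name="enforcing" dev=selinuxfs ino=4 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1',
    # companion SYSCALL record, ignored by the parser
    'type=SYSCALL msg=audit(1368551140.999:104): arch=c000003e syscall=2 success=yes exit=3',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_AUDIT_LOG):
        print(alert)
```

<div>Feed it the lines of /var/log/audit/audit.log (or the output of <code>ausearch -m avc --raw</code>). An alert ending in "logged only, permissive" is the cue that the box is not actually enforcing: the kernel recorded the decision but let the access through. A denial is what SELinux policy decided for a confined process; code that executes inside the kernel itself sits below the policy layer, so the audit log is a detection aid for the scenario in the thread, not a guarantee.</div>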