<div dir="ltr">With some quick experimentation and a suid root C program run from a Python WSGI script (under httpd), I have not been able to deactivate SELinux via a call to /sbin/setenforce. However, I was also unable to copy /etc/shadow to an httpd-owned and writable directory using the same C program.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 14, 2013 at 3:40 PM, Neal Dias <span dir="ltr"><<a href="mailto:roman@ensecure.org" target="_blank">roman@ensecure.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Rick, <br><br>Thanks for pointing that out... I'll admit I'm referring to the default Targeted policy, which is what most shops are running. As you note, it needs "the right policies", which very, very few shops are running. And the OP didn't note any distinction between whether it was Targeted mode or MLS/MCS; he just said you could disable SELinux. Even if you are running Targeted (where everything without a policy is unconfined by default) and have created policies to confine targeted processes, unless you've implemented strict or MLS/MCS (where everything is confined by default), if I can get to a root shell, game over. <br>
<span class="HOEnZb"><font color="#888888">
<br></font></span></div><span class="HOEnZb"><font color="#888888">-nd<br></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 14, 2013 at 1:22 PM, Rick Troth <span dir="ltr"><<a href="mailto:rmt@casita.net" target="_blank">rmt@casita.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">> Not sure what is interesting about the ability to disable SELinux; you have root, game over.<br>
<br>
With the right profiles, a major selling point of SELinux (as "we" use<br>
it) is that it's *not* game over just because you got root. (There<br>
are other features of SELinux which are more interesting to the NSA<br>
than they are to you and me.)<br>
<br>
I'm not personally a fan, but I'm not using this as an opportunity to<br>
jab at it ... or maybe I am.<br>
<br>
-- R; <><<br>
<br>
<br>
<br>
<br>
On Tue, May 14, 2013 at 1:00 PM, Neal Dias <<a href="mailto:roman@ensecure.org" target="_blank">roman@ensecure.org</a>> wrote:<br>
> Not sure what is interesting about the ability to disable SELinux; you have<br>
> root, game over.<br>
><br>
> RHEL 5 is not affected, RHEL 6 is, updated packages still in-process.<br>
><br>
> <a href="https://access.redhat.com/security/cve/CVE-2013-2094" target="_blank">https://access.redhat.com/security/cve/CVE-2013-2094</a><br>
> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=962792" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=962792</a><br>
><br>
> On Tue, May 14, 2013 at 12:33 PM, Joshua Kramer <<a href="mailto:joskra42.list@gmail.com" target="_blank">joskra42.list@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Hello,<br>
>><br>
>> I recently saw this:<br>
>><br>
>> <a href="https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59" target="_blank">https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59</a><br>
>><br>
>> Given a command prompt, download this exploit, compile it, run it... and<br>
>> you suddenly have root. What is interesting about this is, as soon as you<br>
>> have root, you can disable SELinux.<br>
>><br>
>> Apparently it can be mitigated using this kernel module:<br>
>><br>
>> <a href="http://elrepo.org/tiki/kmod-tpe" target="_blank">http://elrepo.org/tiki/kmod-tpe</a><br>
>><br>
>> I spun up a test VM and tested this - it works! What would be interesting<br>
>> is doing some investigation to see if SELinux could prevent damage if this<br>
>> code was run from a malicious web app instead of the command prompt.<br>
>><br>
>> Also, I wonder if this works on Scientific Linux and other RHEL<br>
>> derivatives, or RHEL itself?<br>
>><br>
>> Cheers,<br>
>> -JK<br>
>><br>
>> _______________________________________________<br>
>> colug-432 mailing list<br>
>> <a href="mailto:colug-432@colug.net" target="_blank">colug-432@colug.net</a><br>
>> <a href="http://lists.colug.net/mailman/listinfo/colug-432" target="_blank">http://lists.colug.net/mailman/listinfo/colug-432</a><br>
>><br>
><br>
><br>
><br>
<span><font color="#888888"><br>
<br>
<br>
--<br>
-- R; <><<br>
</font></span></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
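<div dir="ltr">An added example, not the poster's program: a probe of the kind the top message describes, built as a small setuid-root helper that tries the two operations from that experiment and reports errno for each, so the result can be read without guessing. It writes "0" straight to the selinuxfs enforce node (which is what /sbin/setenforce does underneath) and copies /etc/shadow to a target path. The selinuxfs paths tried (/sys/fs/selinux on current kernels, /selinux on RHEL 6 era kernels) and the /tmp copy target standing in for an httpd-writable directory are assumptions. The point it makes visible is that euid 0 does not change the process's SELinux domain: a confined domain such as httpd_t gets EACCES on both operations while enforcing, whereas ENOENT on the enforce node means SELinux is simply not mounted, which is not a denial.</div>

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Candidate selinuxfs "enforce" nodes (assumed locations): /sys/fs/selinux on
 * current kernels, /selinux on RHEL 6 era kernels. */
static const char *const ENFORCE_NODES[] = { "/sys/fs/selinux/enforce", "/selinux/enforce" };
#define SHADOW_PATH "/etc/shadow"
#define COPY_TARGET "/tmp/shadow.copy" /* assumption: stand-in for an httpd-writable directory */

/* Write "0" (permissive) to an enforce node. Returns 0 on success, -errno on
 * failure: EACCES from a confined domain even with euid 0, ENOENT if the node
 * is not there (SELinux not active at all). */
long probe_setenforce(const char *enforce_path)
{
    int fd = open(enforce_path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, "0", 1);
    int err = (n == 1) ? 0 : errno;
    close(fd);
    return -err;
}

/* Copy src to dst (created 0600). Returns bytes copied, or -errno. For
 * /etc/shadow the DAC check passes once euid is 0, so EACCES here is the
 * MAC (SELinux) layer refusing the read or the write. */
long probe_copy(const char *src, const char *dst)
{
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -errno;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) {
        int e = errno;
        close(in);
        return -e;
    }
    char buf[4096];
    long total = 0;
    ssize_t n;
    int err = 0;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { err = errno; break; }
            off += w;
        }
        if (err) break;
        total += n;
    }
    if (n < 0 && !err)
        err = errno;
    close(in);
    close(out);
    return err ? -err : total;
}

/* Map a probe result to the three outcomes worth telling apart. */
const char *classify(long rc)
{
    if (rc >= 0)
        return "allowed";
    switch ((int)-rc) {
    case EACCES:
    case EPERM:  return "denied";
    case ENOENT: return "absent";
    default:     return "error";
    }
}

/* Write constructed sample text to path; returns bytes written or -errno.
 * Lets probe_copy be exercised on something other than the real shadow file. */
long make_sample(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -errno;
    size_t len = strlen(text);
    ssize_t w = write(fd, text, len);
    int err = (w < 0) ? errno : (((size_t)w == len) ? 0 : EIO);
    close(fd);
    return err ? -err : (long)len;
}

int main(void)
{
    /* The process's own SELinux context, e.g. system_u:system_r:httpd_t:s0. */
    char ctx[256] = "(unreadable)";
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, ctx, sizeof ctx - 1);
        if (n > 0) ctx[n] = '\0';
        close(fd);
    }
    printf("euid=%u context=%s\n", (unsigned)geteuid(), ctx);

    long rc = -ENOENT;
    for (size_t i = 0; i < sizeof ENFORCE_NODES / sizeof ENFORCE_NODES[0] && rc == -ENOENT; i++)
        rc = probe_setenforce(ENFORCE_NODES[i]);
    printf("setenforce 0: %s (%s)\n", classify(rc), rc < 0 ? strerror((int)-rc) : "ok");

    rc = probe_copy(SHADOW_PATH, COPY_TARGET);
    printf("copy shadow : %s (%s)\n", classify(rc), rc < 0 ? strerror((int)-rc) : "ok");
    return 0;
}
```

<div dir="ltr">Build it, chown root and chmod 4755 it in a test VM, then run it from the WSGI handler and again from a root shell: "denied" from httpd_t alongside "allowed" from the shell is the targeted policy doing its job for that one domain, while "absent" means the comparison never tested SELinux at all.</div>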