From: Daniel J Walsh <dwalsh@redhat.com>
To: Yuichi Nakamura <himainu-ynakam@miomio.jp>
Cc: selinux@tycho.nsa.gov
Subject: Re: Disabling SELinux by kernel vulnerability
Date: Tue, 12 Feb 2008 09:59:12 -0500 [thread overview]
Message-ID: <47B1B440.7030701@redhat.com> (raw)
In-Reply-To: <20080212234339.40551955.himainu-ynakam@miomio.jp>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yuichi Nakamura wrote:
> Hi.
>
> I saw an article on slashdot.
> http://it.slashdot.org/article.pl?sid=08/02/10/2011257
>
> Local exploit code for Linux kernel exists,
> exploit code is also disclosed in http://www.milw0rm.com/exploits/5092.
>
> In the exploit code, only uid is changed to 0.
> So, SELinux is not affected.
>
> However, SELinux can be disabled by overwriting selinux_enforcing to 0.
> The address of selinux_enforcing can be seen in /proc/kallsyms,
> and I've set the value on the address to 0.
>
> I tried that on Fedora 8,
> and I could disable SELinux(set selinux as permissive) from xguest_t
> domain.
>
> I want to make it more difficult
> for attackers to disable SELinux by kernel exploit.
>
> I think not exporting selinux_enforcing(and selinux_disable) to
> /proc/kallsyms is useful.
> And /proc/kallsyms is visible from many processes because it is proc_t,
> assigning /proc/kallsyms label such as proc_ksym_t may be also useful.
> Are they really useful?
> Or any idea??
>
> --
> Yuichi Nakamura
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
So this exploit, don't you neet to write to /proc? xguest_t should not
be allowed to do this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkextEAACgkQrlYvE4MpobNWWgCg6acsickGQTXcl0xj3YyBYoRn
NGUAnR45m3M0yM15igKtZzh6ORQ9CYTQ
=64qb
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-02-12 14:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-12 14:43 Disabling SELinux by kernel vulnerability Yuichi Nakamura
2008-02-12 14:59 ` Daniel J Walsh [this message]
2008-02-12 15:45 ` Todd Miller
2008-02-13 13:19 ` Yuichi Nakamura
2008-02-12 18:45 ` Stephen Smalley
2008-02-13 12:06 ` Waide, Ronan
2008-02-13 14:22 ` Stephen Smalley
2008-02-13 13:47 ` Yuichi Nakamura
2008-02-13 14:47 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47B1B440.7030701@redhat.com \
--to=dwalsh@redhat.com \
--cc=himainu-ynakam@miomio.jp \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.