[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Firewall rules using SELinux context (Was Re: RFE: FireKit)

On Friday 24 July 2009 04:56:51 pm Casey Dahlin wrote:
> > Just because selinux has policy doesn't mean the app is installed.
> If the app is not installed nothing is running in its context, so none of
> the rules will ever trigger.

If the attacker can work out the chain of allowed transitions, they can enter 
that context.

> >> The simplest mechanism I can see for doing that is to allow SELinux
> >> context to be referenced in the firewall rules. This prevents either
> >> system from having to be grotesquely modified.
> >>
> >> An example rule might look like this:
> >>
> >> -A INPUT -Z apache_t -j ACCEPT
> >>
> >> Here we tell the firewall to allow incoming traffic that will be
> >> intercepted in userspace by a process in the apache_t context.
> >
> > I don't like this. Its not tying to any port. For example, suppose there
> > is a vulnerability in cups and apache is not running, the cups app could
> > start listening on other ports and the rule would allow connections.
> Only if cups were running in the apache_t context.

I don't think I explained it well. I was thinking what if you had this rule:

-A INPUT -Z cups_t -j ACCEPT

and then cups was compromised and started listening on port 80. Since the 
above rule has no port restrictions and cups is allowed to accept connections, 
would cups now be able to start serving web pages?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]