| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Dec 2011 19:19:20 -0500 (EST) From: Ramon de C Valle <rcvalle@...hat.com> To: Valdis Kletnieks <Valdis.Kletnieks@...edu> Cc: isowarez isowarez isowarez <isowarez.isowarez.isowarez@...glemail.com>, dwalsh@...hat.com, full-disclosure@...ts.grok.org.uk Subject: Re: Fwd: VSFTPD Remote Heap Overrun (low severity) > If you're trying to do it with SELinux policy, that would require > opening the > locale file before the chroot, then changing the selinux context to > something > that can't open locale_t and then doing the chroot. Unfortunately, > that's fast > approaching "cure is worse than the disease", because it means the > initial > context has to have the ability to change its context (in the > standard selinux > policy, that's restricted to only 2 or 3 binaries like 'newrole'). Actually, this is has no relation with binaries. Transitions are defined per domain in SELinux policy. For additional information, refer to: http://danwalsh.livejournal.com/23944.html > > We're lucky nobody has looked into what should happen on an > MLS-enabled system :) I don't think sensitivity levels would make any difference in this case in the current SELinux MLS policy. -- Ramon de C Valle / Red Hat Security Response Team _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists