selinux policy allows apache access to type shadow_t
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
refpolicy (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: selinux-
I've been teaching selinux under RHEL for several months and just got it set up under Ubuntu, here is an observation:
```
root@guapuraT61
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: refpolicy
```
<in case you don't believe me, here's some more output...>
```
root@guapuraT61
Enforcing
root@guapuraT61
allow_execheap --> on
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_mount_anyfile --> on
allow_polyinsta
allow_ptrace --> off
allow_ssh_keysign --> off
allow_user_
allow_user_
allow_write_xshm --> off
allow_ypbind --> off
global_ssp --> off
mail_read_content --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
read_default_t --> on
read_untrusted_
secure_mode --> off
secure_mode_insmod --> off
secure_
ssh_sysadm_login --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_rw_
user_tcp_server --> off
user_ttyfile_stat --> off
write_untrusted
xdm_sysadm_login --> off
```
As far as I can tell, apache isn't protected. Here's why this is a problem:
```
root@guapuraT61
system_
root@guapuraT61
root:
daemon:
sys:
games:
lp:*:13801:0:99999:7:::
mail:*:
news:*:
```
(yes, this would be the same output that you'd get through a web browser, local or remote)
More info:
```
root@guapuraT61
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
root@guapuraT61:~# apt-cache policy selinux-
selinux-
Installed: 0.0.20071214-
Candidate: 0.0.20071214-
Version table:
*** 0.0.20071214-
500 http://
100 /var/lib/
```
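The report above combines three observations: permissive `allow_*` booleans switched on, Apache running in an unconfined domain, and /etc/shadow (type `shadow_t`) readable from the web server. The script below is an added example, not part of the bug report or of the refpolicy package; it is a small audit helper that checks for exactly those conditions. It assumes `httpd_t` is the Apache domain (the refpolicy apache module's name for it), that `getsebool -a`, `ps -eZ` and setools' `sesearch --allow -s httpd_t -t shadow_t -c file` are available for the live check, and it ships with constructed sample text so the parsing functions can be run offline.

```shell
#!/bin/sh
# Added example, not from the bug report: audit helper for the three conditions
# the report describes. The parsing functions work on text, so they run offline
# on the constructed samples below; audit_live feeds them real command output.

# Constructed sample in the "name --> on|off" format that `getsebool -a` prints.
SAMPLE_BOOLEANS='allow_execheap --> on
allow_execmem --> on
allow_execstack --> on
allow_ptrace --> off
secure_mode --> off'

# Constructed sample of allow rules in the style sesearch prints
# ("allow SRC TGT : CLASS { PERMS };"); the second rule is the bad one.
SAMPLE_RULES='allow httpd_t httpd_config_t : file { read getattr open };
allow httpd_t shadow_t : file { read getattr open };'

# Print the allow_* booleans that are on. Each one relaxes a policy restriction
# system-wide (allow_execmem, for example, permits writable+executable memory).
risky_allow_booleans() {
    printf '%s\n' "$1" | awk '$1 ~ /^allow_/ && $3 == "on" { print $1 }'
}

# Succeed (exit 0) when a process security context names the unconfined domain,
# which is how an unprotected Apache shows up in `ps -eZ` output.
is_unconfined_context() {
    case "$1" in
        *:unconfined_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the rule text grants PERM on class "file" from SRC to TGT.
# Usage: policy_allows_file_perm SRC TGT PERM "<rule text>"
policy_allows_file_perm() {
    printf '%s\n' "$4" | awk -v src="$1" -v tgt="$2" -v perm="$3" '
        {
            gsub(/[{}:;]/, " ")   # tolerate different brace/semicolon placement
            if ($1 == "allow" && $2 == src && $3 == tgt && $4 == "file")
                for (i = 5; i <= NF; i++) if ($i == perm) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Run the checks against the live system (needs policycoreutils and setools).
audit_live() {
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not found" >&2; return 2; }
    echo "permissive allow_* booleans that are on:"
    risky_allow_booleans "$(getsebool -a)"
    ps -eZ 2>/dev/null | grep -E '(apache2|httpd)' | while read -r ctx rest; do
        is_unconfined_context "$ctx" && echo "UNCONFINED: $ctx $rest"
    done
    if command -v sesearch >/dev/null 2>&1; then
        rules=$(sesearch --allow -s httpd_t -t shadow_t -c file 2>/dev/null)
        policy_allows_file_perm httpd_t shadow_t read "$rules" \
            && echo "policy grants httpd_t read on shadow_t"
    fi
}

# Offline demonstration on the constructed samples.
echo "risky booleans: $(risky_allow_booleans "$SAMPLE_BOOLEANS" | tr '\n' ' ')"
policy_allows_file_perm httpd_t shadow_t read "$SAMPLE_RULES" \
    && echo "sample policy lets httpd_t read shadow_t"
```

On a host where Apache really is confined, `audit_live` should print no UNCONFINED line and `sesearch` should return no rule granting `read` on `shadow_t`; the booleans listed at the top of the report (`allow_execmem`, `allow_execstack`, ...) weaken every domain, so a confined Apache is only part of the fix.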
Changed in refpolicy | 
---|---
status | New → Confirmed
security vulnerability | yes → no
At this time apache is not protected, but we would like it to be ;o} Essentially the policy for apache from refpolicy needs to be adjusted to work on Ubuntu, tested, and packaged.