Linux 2.6.30 exploit posted
Posted Jul 17, 2009 15:37 UTC (Fri) by kjp (guest, #39639)
Parent article: Linux 2.6.30 exploit posted
" if SELinux is enabled, it allows pulseaudio to map at 0
UPDATE: not just that, SELinux lets any user in unconfined_t map at
0, overriding the mmap_min_addr restriction! pulseaudio is not
needed at all! Having SELinux enabled actually *WEAKENS* system
security for these kinds of exploits!
"
Posted Jul 17, 2009 22:41 UTC (Fri) by jamesmrh (guest, #31622)
The lesson learned here is that more careful review of policy changes needs to happen, and to ask the question as to whether the policy is capable of weakening default security.
The LSM interface is theoretically designed to only allow further restriction of access, but this is a special case, where we are applying policy to a kernel compilation option which can also have its value set via a sysctl. It's not a typical "access this resource or not?" decision.
SELinux policy issue
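An added example, not part of the thread or of any project's code: a small audit that lists which SELinux domains a policy allows to map low memory despite `mmap_min_addr`, under the behaviour described above where the policy decision overrides the sysctl. It assumes the rules arrive in the text format printed by `sesearch --allow -c memprotect -p mmap_zero`, and that the permission involved is SELinux's `memprotect` class `mmap_zero` permission (names not given in the thread); the sample rules are constructed.

```python
import re

# Constructed sample in the style of `sesearch --allow` output (not real policy).
SAMPLE_RULES = """\
allow unconfined_t unconfined_t:memprotect mmap_zero;
allow wine_t wine_t:memprotect mmap_zero; [ mmap_low_allowed ]:True
allow httpd_t httpd_t:file { read getattr };
allow vbetool_t vbetool_t : memprotect { mmap_zero } ;
"""

# allow <source> <target>:<class> <perm | { perms }>; [ <boolean> ]
RULE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;"
    r"\s*(?:\[\s*(\S+)\s*\])?"
)

def domains_allowed_low_mmap(sesearch_output):
    """Map each source domain granted memprotect:mmap_zero to its gating boolean (or None)."""
    found = {}
    for line in sesearch_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        source, _target, tclass, perms, boolean = m.groups()
        if tclass == "memprotect" and "mmap_zero" in perms.strip("{} ").split():
            found[source] = boolean
    return found

def audit(mmap_min_addr, sesearch_output):
    """Return findings where policy or sysctl leaves low addresses mappable."""
    findings = []
    if mmap_min_addr == 0:
        findings.append("vm.mmap_min_addr is 0: no low-address protection")
    for domain, boolean in sorted(domains_allowed_low_mmap(sesearch_output).items()):
        cond = f" when boolean {boolean} is on" if boolean else " unconditionally"
        findings.append(f"{domain} may map below mmap_min_addr{cond}")
    return findings

if __name__ == "__main__":
    import sys
    with open("/proc/sys/vm/mmap_min_addr") as fh:  # live sysctl value
        live_value = int(fh.read())
    # Use piped sesearch output when given, otherwise the constructed sample.
    rules = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit(live_value, rules)) or "no findings")
```

Piping real `sesearch` output into the script replaces the constructed sample; an unconditional entry for a general-purpose user domain is the kind of policy change the comment above says needs review.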