What does SELinux do to contain the bash exploit?

39 points by nsaje, more than 10 years ago

7 comments

616c, more than 10 years ago
I think a lot of people will disparage and mock Dan (FYI he is a core SELinux developer for Fedora if you do not know), but I think he outlines that it does prevent the medium risk stuff which I think no base Linux system (without MAC systems (SELinux, RBAC, AppArmor, etc.), just DAC of Unix file permissions) would let pass easily. All the logs, all the non-root data which hackers would use to build up to move forward in their operation.

I guess CGI scripting is convenient and necessary for most of us (just like bash itself), and SELinux did not prevent Heartbleed either. But that does not mean I will make coloring jokes about its inefficacy.
willvarfar, more than 10 years ago
I'm a big fan of SELinux, and for many shellshock attacks it will limit exposure, but Dan should know better than to invite people to ask him how SELinux helps mitigate a DHCP shellshock attack...
mrmondo, more than 10 years ago
Big fan of SELinux here - it's really saved my ass a few times and the best thing about it is that these days it's so damn easy to configure that you're mad not to use it.
devicenull, more than 10 years ago

    Lets look at what it can read.
    ...
    It can read apache static content, like web page data.
    Well what can't it read?
    user_home_t - This is where I keep my credit card data
    *db_t - No database data.

So, it can't read database data directly, but presumably your website can already connect to the database. Which means it can read out your database credentials, and just connect to the database?
treed, more than 10 years ago
There are lots of stories of SELinux saves out there now. This is one I saw just recently:

https://www.reddit.com/r/linux/comments/1xdokz/selinux_saved_our_asses_xpost_rselinux/

I myself have had several SELinux saves. It's definitely proven itself valuable as an additional security control.
qwerta, more than 10 years ago
It is like asking if it would catch SQL injections. Just sanitize your inputs!
yarrel, more than 10 years ago
"SELinux does not block the exploit"

Of course not. The exploit doesn't come in coloring book form.