A few days ago a vulnerability was reported in the SELinux sandbox user space utility. The utility is part of the policycoreutils package. Luckily, Gentoo's sys-apps/policycoreutils package is not vulnerable - and not because we were clairvoyant about this issue, but because we don't ship this utility.
If you follow the SELinux development community a bit, you will know Dan Walsh, a Red Hat security engineer. Today he blogged about CVE-2015-4495 and SELinux, or why SELinux doesn't confine Firefox. He should have asked why the reference policy or the Red Hat/Fedora policy does not confine Firefox, because SELinux is, as I've mentioned before, not the same as its policy.
In fact, Gentoo's SELinux policy does confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to develop desktop policies in order to reduce the exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to put under a mandatory access control system.
A vulnerability in policycoreutils came to light recently (through bug 509896). The issue is actually in libcap-ng, but the specific situation in which the vulnerability can be exploited is only available in seunshare.

seunshare is not built by default on Gentoo. You need to define
There have been a few posts already on the local Linux kernel privilege escalation that received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler wrote on the vulnerability.
Gentoo is one of the various distributions that support SELinux as a Mandatory Access Control system to, amongst other things, mitigate the results of a successful exploit against software. So what about the recent PostgreSQL vulnerability?
When correctly configured, the PostgreSQL daemon will run in the postgresql_t domain. In SELinux-speak …
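"When correctly configured" is doing a lot of work in that sentence: if the daemon was started in a way the policy does not cover, it may well be running unconfined (for instance in initrc_t) and the mitigation described above simply does not apply. The following is an added example, not part of the original post or of the Gentoo policy, showing the check I would run before relying on it: read `ps -eZ` style output and verify that every PostgreSQL process carries the postgresql_t type. The sample lines are constructed for illustration; the domain name postgresql_t is the one the post names, the fallback initrc_t in the bad sample is an assumption of what a misconfiguration typically looks like.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that every running
# PostgreSQL process is in the postgresql_t domain, reading lines in the
# format of `ps -eZ` (context, pid, tty, time, command) on stdin.

# Returns 0 if all postgres processes run as postgresql_t, 1 otherwise.
# Offending lines are reported on stderr.
check_postgres_domain() {
    bad=0
    while read -r context rest; do
        # only look at PostgreSQL processes (postgres, postmaster, backends)
        case "$rest" in
            *postgres*|*postmaster*) ;;
            *) continue ;;
        esac
        # the type is the third field of user:role:type:level
        type=$(printf '%s' "$context" | cut -d: -f3)
        if [ "$type" != "postgresql_t" ]; then
            echo "unexpected domain $type: $context $rest" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample data (not captured from a real system).
sample_ok='system_u:system_r:postgresql_t:s0  1234 ?  00:00:01 postgres
system_u:system_r:postgresql_t:s0  1240 ?  00:00:00 postgres: checkpointer
system_u:system_r:sshd_t:s0        1250 ?  00:00:00 sshd'

# Assumed misconfiguration: daemon started outside its transition, so it
# inherited the init script domain instead of postgresql_t.
sample_bad='system_u:system_r:initrc_t:s0  1234 ?  00:00:01 postgres'

# Live usage on a running system:
#   ps -eZ | check_postgres_domain && echo "postgresql confined"
```

The check deliberately ignores non-PostgreSQL processes (the sshd line in the sample) so it can be fed the full `ps -eZ` output rather than a pre-filtered list.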