oss-sec mailing list archives
Re: SELinux troubles
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 21 Jun 2016 13:41:22 +0200
On Tue, 21 Jun 2016 11:45:01 +0200 Sebastian Krahmer wrote:
> 1) This bug is mitigated since setroubleshoot that is found on RHEL 7.2,
> by running it as a dedicated user (untested).
>
> Shell injection issue in setroubleshoot/audit_data.py:
>
>     def _set_tpath(self):
>     [...]
>             if path.startswith("/") == False and inodestr:
>                 import subprocess
>                 command = "locate -b '\%s'" % path
>                 try:
>                     output = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True)
>     [...]
>
> taking 'path' off AVC denial messages and constructing a command that's
> passed to "sh -c". o.O
>
> Note that AVC denial messages appear outside of containers, so a
> setroubleshoot is usually run on the host, processing AVC messages from
> containers. This allows for an easy breakout.
>
> 2) I did not test this, but even though the run_fix() function in
> SetroubleshootFixit.py is protected by auth_admin polkit rules, it looks
> like there's a good chance to pass XML documents via setroubleshoot's
> RPC/DBUS API that contain evil local_id or analysis_id fields and trick
> real admins to "fix" AVC denials that inject code:
>
>     [...]
>     def run_fix(self, local_id, analysis_id):
>         import commands
>         command = "sealert -f %s -P %s" % ( local_id, analysis_id)
>         return commands.getoutput(command)
>     [...]
>
> This is not mitigated by the run-as-user, since SetroubleshootFixit.py
> still runs as root (and probably needs to).
CVE-2016-4989 was assigned to the issues above.

There are additional similar problems in setroubleshoot and
setroubleshoot-plugins:

- CVE-2016-4445, setroubleshoot, affecting 'sealert --fix'. Problem was
  already fixed in version 3.2.23.
  https://github.com/fedora-selinux/setroubleshoot/commit/2d12677629ca319310f6263688bb1b7f676c01b7

- CVE-2016-4444, setroubleshoot-plugins, allow_execmod plugin. Also
  previously fixed in version 3.2.23.
  https://github.com/fedora-selinux/setroubleshoot/commit/5cd60033ea7f5bdf8c19c27b23ea2d773d9b09f5

- CVE-2016-4446, setroubleshoot-plugins, allow_execstack plugin. Similar
  to the previous one, only using commands.getoutput instead of
  commands.getstatusoutput.
  https://github.com/fedora-selinux/setroubleshoot/blob/setroubleshoot-plugins-3.3.4/plugins/src/allow_execstack.py#L29

-- 
Tomas Hoger / Red Hat Product Security
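Added illustration of the pattern behind CVE-2016-4989 and the related IDs above. This is not code from the thread or from setroubleshoot: the two vulnerable_* functions only rebuild the command strings the way the quoted _set_tpath() and run_fix() do, and the safe_* functions show the argv form that never goes through a shell. The AVC name= values and the local_id/analysis_id samples are constructed, the is_basename() and _ID_RE validators are my assumptions about what those fields should look like, and nothing below actually executes locate or sealert; shell_tokens() uses Python's shlex to show how sh -c would split each line.

```python
"""Shell-injection pattern from setroubleshoot's _set_tpath()/run_fix()
beside a no-shell rewrite.  Added example, not setroubleshoot code.  All
AVC-derived values are constructed; locate and sealert are never run."""

import re
import shlex
import subprocess


def vulnerable_locate_command(path):
    """Command string built exactly as in the quoted _set_tpath();
    setroubleshoot passed it to subprocess with shell=True (i.e. sh -c)."""
    return "locate -b '\\%s'" % path


def vulnerable_fix_command(local_id, analysis_id):
    """Command string built as in the quoted run_fix(); the Python 2
    commands.getoutput() it was handed to also runs its argument in a shell."""
    return "sealert -f %s -P %s" % (local_id, analysis_id)


def shell_tokens(command):
    """Split a command line the way a POSIX shell would: quotes honoured,
    control operators such as ; | && ( ) returned as their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def shell_control_tokens(command):
    """Tokens consisting only of shell operator characters.  Any of these
    that came from the data (AVC name= field, a local_id) is an injected
    command boundary; an empty list means one simple command."""
    return [t for t in shell_tokens(command)
            if t and all(c in "();<>|&" for c in t)]


def is_basename(name):
    """Assumption: the AVC name= field names a single path component,
    so it must be non-empty and contain neither '/' nor NUL."""
    return bool(name) and "/" not in name and "\x00" not in name


def safe_locate_argv(path):
    """argv equivalent of the quoted command.  The backslash that sat inside
    the single quotes still reaches locate (it disables locate's implicit
    wildcards), but 'path' is one argument and no shell ever parses it."""
    if not is_basename(path):
        raise ValueError("AVC name is not a single path component: %r" % (path,))
    return ["locate", "-b", "\\" + path]


# Assumption (not from the thread or setroubleshoot): treat the ids as opaque
# tokens; allow a conservative character set and nothing sealert could read
# as an option (leading '-').
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:-]*$")


def safe_fix_argv(local_id, analysis_id):
    """argv equivalent of the quoted run_fix() command, values validated."""
    for value in (local_id, analysis_id):
        if not _ID_RE.match(value):
            raise ValueError("refusing to pass %r to sealert" % (value,))
    return ["sealert", "-f", local_id, "-P", analysis_id]


def argv_as_shell_line(argv):
    """For display/logging only: a shell line that reproduces argv exactly."""
    return " ".join(shlex.quote(a) for a in argv)


def run_argv(argv):
    """Drop-in for check_output(command, shell=True): no shell involved."""
    return subprocess.check_output(argv, stderr=subprocess.STDOUT)


if __name__ == "__main__":
    # Constructed AVC name= values: a normal one, one carrying a command,
    # and one that is not a single path component.
    for name in ["passwd", "'; id; '", "../passwd"]:
        cmd = vulnerable_locate_command(name)
        print("shell sees %-32s as %s; injected operators: %s"
              % (cmd, shell_tokens(cmd), shell_control_tokens(cmd)))
        try:
            print("no-shell argv: %s" % safe_locate_argv(name))
        except ValueError as e:
            print("no-shell argv: rejected (%s)" % e)
    cmd = vulnerable_fix_command("42; id", "catchall")
    print("shell sees %s as %s" % (cmd, shell_tokens(cmd)))
```

Dropping the shell removes the injection, but it does not by itself stop a value that begins with "-" from being parsed as an option by locate or sealert, which is why the argv builders validate their inputs before handing them over. Note also that commands.getoutput() exists only in Python 2; subprocess.check_output() with a list argument is available in both 2.7 and 3.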
Current thread:
- SELinux troubles Sebastian Krahmer (Jun 21)
- Re: SELinux troubles Tomas Hoger (Jun 21)