So does SELInux really stop any attacks?

Tresys corporation is tracking some of the known vulnerabilities in the past that SELinux has thwarted.

You can read about them at

http://tresys.com/selinux/

One key feature of SELinux is the confinement of executable memory. This tops applications from having memory that is both executable and writable at the same time. A lot of attacks on computer software involve a coding mistake in code that allows the writing of memory beyond the end of an allocated buffer, called a buffer overflow. So a cracker find a piece of code that allocates less space then the code can write. The cracker tricks the application to writing his data into the overflowed buffer. Finally he attempts to get the application to execute the buffer that he has just written. SELinux executable memory checks in the kernel prevent this.

While we have attempted to turn these checks on for the unconfined user in the past, we have had missed success, because of badly written applications breaking. But for almost all confined applications these checks are turned on. So if a vulnerability exists in a confined application that involves a buffer overflow, most likely SELinux will prevent it.

( 4 comments — Leave a comment )

not selinux

(Anonymous)

2008-04-05 02:28 pm (UTC)

thats the pax/exec shield feature (which is usually used as the same time as selinux but also other solutions like grsec, rsbac, etc..)

Re: not selinux

2008-04-05 02:45 pm (UTC)

In reply to the anonymous poster above, the execmem, execheap, and execstack perms are not the same as the pax/execshield.... plenty of information available via Google regarding the difference between the two.

2008-04-05 05:04 pm (UTC)

Thanks for directing me to that list. I see my Linux Journal article on Mambo on the list.