

SELinux root exploit - Aissen
https://github.com/stealth/troubleshooter

======
Aissen
There are at least two bugs involved here. One is the fact that you can breach
into the setroubleshootd_t domain because of the shell parsing error. The
second is a policy one: the setroubleshootd_t allows you to create a file with
any attribute (here the suid bit), making it possible to elevate privileges.

The point Sebastian (stealth) is making is fairly balanced: SELinux is very
useful, but it's not the catch-all solution to containing root exploits; it
even has bugs in its implementations and policies, like all software.

------
c-rack
Summary: SELinux executes untrusted input without sanitization

"The setroubleshootd daemon which runs as root, activated by its DBUS
activation file when sedispatch was forwarding its AVC denial message,
straight passes the pathname to a shell without further sanitization."
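
The pattern described in the quote above, shown next to a hardened form. This is an added example, not part of the thread and not setroubleshootd's code. The `ls -d` command, the function names and the file name are assumptions constructed for illustration, since the page does not show the daemon's actual command.

```python
import os
import subprocess
import tempfile


def lookup_unsafe(path, cwd):
    """Vulnerable pattern: pathname concatenated into a shell command line."""
    # The shell parses the string, so metacharacters in `path` become syntax.
    # "ls -d" is a stand-in command (assumption, not the daemon's real call).
    return subprocess.run("ls -d " + path, shell=True, cwd=cwd,
                          capture_output=True, text=True)


def lookup_safe(path, cwd):
    """Hardened pattern: no shell; the pathname is exactly one argv element."""
    # "--" ends option parsing, so a name beginning with "-" is not a flag.
    return subprocess.run(["ls", "-d", "--", path], cwd=cwd,
                          capture_output=True, text=True)


def demo():
    """Run both helpers on a constructed file name with a command separator.

    Returns (name as seen by the safe call, side effect after the safe call,
    side effect after the unsafe call).
    """
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: a legal file name that contains ";".
        name = "x;touch marker"
        open(os.path.join(d, name), "w").close()
        marker = os.path.join(d, "marker")

        safe = lookup_safe(name, d)
        after_safe = os.path.exists(marker)    # nothing else executed

        lookup_unsafe(name, d)
        after_unsafe = os.path.exists(marker)  # shell ran the text after ";"

        return safe.stdout.strip(), after_safe, after_unsafe


if __name__ == "__main__":
    print(demo())
```

The safe call sees the whole string as one file name, while the shell form splits it at `;` and runs the remainder as a second command with the caller's privileges.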

