Hacker News

The article is about how SELinux helps in mitigating or even blocking paths that would lead to a working exploit.

The article explicitly states the CVE number and the fact that updated packages are available.

The article IMHO doesn't attack or provoke Docker and its people. Yet the first comment posted here DOES contain direct accusations against Red Hat. I don't think that's helpful or needed. That's all.

I still think that SELinux and Docker are a good combination and this article helps in understanding why.

The title of the article is "Docker 0-Day Stopped Cold by SELinux." The title strongly implies that SELinux would have prevented the issue in the CVE even without the fixes Docker provides.

Then the text of the article states:

"This CVE reports that if you exec'd into a running container, the processes inside of the container could attack the process that just entered the container. If this process had open file descriptors, the processes inside of the container could ptrace the new process and gain access to those file descriptors and read/write them, even potentially get access to the host network, or execute commands on the host. ... It could do that, if you aren’t using SELinux in enforcing mode."

So, not only does the title make this suggestion, but the text of the article downright says it.

If the claim is wrong, then Docker's security team is right to correct it. However, I think they should do so in a forum other than in the comments of a HN post, be thorough in their explanation, and maintain a professional, polished tone in any communications.

And, of course, Red Hat should correct and/or clarify the post as well.
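The quoted passage rests on two host-side facts: the policy must be in enforcing mode, and the container must actually be running in a confined SELinux domain with its own MCS categories. The check below is an added example, written for this thread; it is not code from the article, from Red Hat or from Docker. It assumes the standard locations and formats (`/sys/fs/selinux/enforce` holding `1` or `0`, `docker inspect --format '{{.ProcessLabel}}'` printing the container's label) and the stock container-selinux domain names; the function names and the sample labels are constructed for illustration.

```python
"""Defender-side check for the configuration the article credits with
stopping the ptrace-across-exec attack: SELinux enforcing plus a container
confined in its own SELinux domain.  Example code, not from the article."""
import re
import subprocess
import sys

# Real kernel interface: "1" = enforcing, "0" = permissive; the file is absent
# when no policy is loaded.
SELINUX_ENFORCE_PATH = "/sys/fs/selinux/enforce"

# Assumption: the host uses the stock container-selinux domain names.
CONFINED_CONTAINER_TYPES = {"container_t", "svirt_lxc_net_t"}
# Per-container MCS category pair, e.g. "s0:c12,c34".
MCS_RE = re.compile(r"^s0:c\d+,c\d+$")

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONFINED_LABEL = "system_u:system_r:container_t:s0:c12,c34"
SAMPLE_UNCONFINED_LABEL = "system_u:system_r:spc_t:s0"


def selinux_mode(enforce_contents):
    """Map the contents of /sys/fs/selinux/enforce to a mode name.
    None means the file does not exist, i.e. no policy is loaded."""
    if enforce_contents is None:
        return "disabled"
    return "enforcing" if enforce_contents.strip() == "1" else "permissive"


def container_confined(process_label):
    """True when a Docker process label names a confined container domain with
    an MCS category pair.  An empty label, or a type outside the container
    domains (e.g. spc_t from --security-opt label=disable), is unconfined."""
    parts = process_label.strip().split(":", 3)
    if len(parts) != 4:
        return False
    _user, _role, type_, mls = parts
    return type_ in CONFINED_CONTAINER_TYPES and bool(MCS_RE.match(mls))


def assess(enforce_contents, process_label):
    """Combine both facts: only an enforcing policy AND a confined container
    give the denial the article describes; either one alone leaves the
    exec'd process exposed to ptrace from inside the container."""
    mode = selinux_mode(enforce_contents)
    confined = container_confined(process_label)
    if mode == "enforcing" and confined:
        verdict = "mitigated"
    elif mode == "enforcing":
        verdict = "exposed: container runs unconfined (check --security-opt)"
    else:
        verdict = "exposed: SELinux is %s, denials are not enforced" % mode
    return {"selinux": mode, "confined": confined, "verdict": verdict}


def read_enforce_file(path=SELINUX_ENFORCE_PATH):
    """Read the live enforce flag; None when SELinux is not loaded."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def docker_process_label(container):
    """Ask the Docker daemon for the container's SELinux process label."""
    out = subprocess.run(
        ["docker", "inspect", "--format", "{{.ProcessLabel}}", container],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Usage: python check_selinux_docker.py <container-name-or-id>
    name = sys.argv[1] if len(sys.argv) > 1 else None
    label = docker_process_label(name) if name else SAMPLE_CONFINED_LABEL
    print(assess(read_enforce_file(), label))
```

Run with a container name to check a live host; without one it evaluates the constructed sample label against the host's enforce flag. A `permissive` result is worth calling out separately from `disabled`: the denials the article relies on are logged but not applied, so the audit log will show the attempt while the ptrace still succeeds.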

