Hacker News new | ask | show | jobs
by runesoerensen 3442 days ago
> the benefits of having SELinux in no way means you shouldn't update

Where is this explicitly mentioned in the post?

I got the opposite impression reading this story titled "Docker 0-Day Stopped Cold by SELinux", with the closing statement "When we heard about this vulnerability we were glad to see that our customers were safe".

I'm sure your customers are glad to hear that as well, but it sounds like the Docker folks have reason to believe SELinux doesn't fully mitigate this vulnerability.
1 comments
jwildeboer 3442 days ago
When a 0day hits, you first assess the impact, define your solution and start to work.

FTA

"Fixed packages have been prepared and shipped for RHEL as well as Fedora and Centos."

So updates were made, tested and made available. Our customers typically implement these security related updates very fast.

with that out of the way, the article explains how SELinux can mitigate this and similar issues.

And I am 100% sure that we coordinated the update and changes with Docker because that's how Open Source works.

link
runesoerensen 3438 days ago
> When a 0day hits, you first assess the impact, define your solution and start to work.

That sounds like a sensible approach and very much related to why I raised concerns about the original title and closing statement earlier. Someone could easily have assessed that there was zero impact (based on the first revision* of your marketing material) if SELinux was enabled and, consequently, find no need to "define a solution and start to work" - why would you update when your OS vendor explicitly says you're safe?

It would have been extremely easy to recommend your customers to install the updated packages, but you didn't do that initially - despite from such a recommendation being quite standard, and despite being notified by the people who found and fixed this vulnerability warning that customers should still update.

Instead you seem to have used this as an marketing opportunity at the expense of your own customers' security. As it turns out, SELinux did in fact not fully mitigate the issue (by Red Hat's own admission in the updated blog post and CVE).

---

* I'm referring to the first revision because the post and CVE have since been updated several times (as pointed out elsewhere in this discussion). A recap of some of the changes that are relevant to this exchange and the phrasing I mentioned earlier:

1. The title "Docker 0-Day Stopped Cold by SELinux" has been renamed to "SELinux Mitigates container Vulnerability" -- accurately reflecting the fact that it was not:

  a) a Docker (it was runc)
  b) 0-Day (patches were released for runc afaik)
  c) Stopped Cold (it was mitigated but still leaking information)
2. The closing statement "When we heard about this vulnerability we were glad to see that our customers were safe" has been changed to the slightly more long-winded, less catchy (but fortunately also less misleading): "When we heard about this vulnerability we were glad to see that our customers were safer if running containers with setenforce 1. Even with SELinux in enforcement, select information could be leaked, so it is recommended that users patch to fully remediate the issue."

3. The sentence you referred to "Fixed packages have been prepared and shipped for RHEL as well as Fedora and Centos." has been changed to "Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS.". Honestly haven't looked into whether the packages were actually released at the time this post was published (?), but I'll assume Red Hat didn't change the wording here for no reason - there's quite a difference between updates that "are being prepared" rather than "have been prepared".

link