Docker 0-Day Stopped Cold by SELinux
A new CVE (CVE-2016-9962) for the Docker container runtime and runc was recently published. Fixed packages have been prepared and shipped for RHEL as well as Fedora and CentOS. The CVE reports that if you exec'd into a running container, the processes inside the container could attack the process that had just entered it.
If that entering process had open file descriptors, the processes inside the container could ptrace it, gain access to those file descriptors and read from or write to them, potentially reaching the host network or even executing commands on the host.
Stopping 0-Days with SELinux
It could do that if you aren’t using SELinux in enforcing mode. If you are, though, SELinux is a great tool for protecting systems from 0-day vulnerabilities.
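As an added check (not code from the Red Hat post), a small POSIX shell function that classifies whether the SELinux confinement the article credits is actually in place on a Docker host: SELinux must be `Enforcing`, and the daemon must be running with SELinux support, which `docker info` reports as a `selinux` entry in its Security Options. The arguments-based form lets the logic be exercised offline; `check_host` gathers the live values (it assumes `getenforce` and `docker` are on the PATH).

```shell
#!/bin/sh
# Added example: decide whether containers on this host are SELinux-confined.
#   $1 - output of `getenforce`  (Enforcing | Permissive | Disabled)
#   $2 - output of `docker info --format '{{.SecurityOptions}}'`,
#        e.g. "[name=seccomp,profile=default name=selinux]"
# Prints one word: protected | permissive | unconfined
# Exit status: 0 protected, 1 permissive (policy loaded, not enforced), 2 unconfined
assess_confinement() {
    mode=$1
    secopts=$2
    case "$mode" in
        Enforcing)  ;;
        Permissive) echo "permissive"; return 1 ;;
        *)          echo "unconfined"; return 2 ;;
    esac
    # An enforcing host is not enough: the daemon must also label container
    # processes (--selinux-enabled). Without that they run with an
    # unconfined type and SELinux never sees the ptrace attempt.
    case "$secopts" in
        *selinux*) echo "protected"; return 0 ;;
        *)         echo "unconfined"; return 2 ;;
    esac
}

# Live check against the local host; falls back to "Disabled"/"" when the
# tools are missing so the verdict degrades to "unconfined" rather than erroring.
check_host() {
    mode=$(getenforce 2>/dev/null || echo Disabled)
    secopts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null || echo "")
    assess_confinement "$mode" "$secopts"
}

# Run the live check only when invoked as `sh script.sh --live`.
if [ "${1-}" = "--live" ]; then
    check_host
fi
```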
Read the entire article here: Docker 0-Day Stopped Cold by SELinux – Red Hat Enterprise Linux Blog
via the fine folks at Red Hat.