Linux Advisory Watch: November 11th 2005
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, advisories were released for OpenSSL, httpd, Horde3, OpenVPN, chmlib, ClamAV, libungif4, gpsdrive, awstats, kdelibs, giflib, fetchmail, ImageMagick, scim-qtimm, e2fsprogs, drakxtools, emacs, w3c-libwww, libungif, and flash-plugin. The distributors include Debian, Gentoo, Mandriva, and Red Hat.




SELinux Administration
Pax Dickinson

Hi, and welcome to the third in a series of articles on Security Enhanced Linux. My first SELinux article detailed the background of SELinux, while my second article in the series discussed how SELinux makes access decisions. This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Permissive mode vs. Enforcing mode

There will be times when you have run into difficulty and need to determine whether your problem stems from SELinux or not. For just this eventuality, SELinux includes the capability of setting its mode from enforcing to permissive and back again. Enforcing mode is just what it sounds like, a mode that allows SELinux to enforce policy access decisions. This is the standard operating mode of SELinux. Permissive mode, on the other hand, is a mode designed for development and troubleshooting. It will still check the security policy to see whether an attempted operation should be allowed, and log denials to the system logs, but it will not actually deny any operation.

To change into permissive mode, be sure you are logged in to the sysadm_r role (see my previous article for details). Issuing a setenforce 0 command will put the system into permissive mode, while a setenforce 1 command will return you to enforcing mode. To determine the current SELinux mode, use the getenforce command.

If you want to completely disable SELinux, you can pass selinux=0 on the kernel command line at startup, but this is not advisable: with SELinux disabled entirely, new files will not be labeled with the correct file context, forcing you to relabel when you re-enable SELinux. It's better to use permissive mode, and you can set your system to always start up in permissive mode by editing your /etc/selinux/config file.
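
Because the mode a host boots into depends on both /etc/selinux/config and the kernel command line, a host can quietly come up without enforcement. The following is an added example, not part of the original article, that predicts the boot-time mode from those two inputs. The function names are hypothetical, the precedence rules are stated as assumptions in the comments, and the handling of the enforcing= kernel parameter goes beyond what the article covers.

```shell
#!/bin/sh
# Added example (not from the article): predict the SELinux mode at next boot.
# Assumed precedence: selinux=0 on the kernel command line disables SELinux;
# otherwise SELINUX=disabled in the config wins; otherwise enforcing=0/1 on
# the command line overrides the config file's SELINUX= value.

# config_mode FILE -> enforcing | permissive | disabled | unknown
config_mode() {
    # Take the last uncommented SELINUX= line; SELINUXTYPE= does not match.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo unknown ;;   # missing file, missing line, or unexpected value
    esac
}

# boot_mode FILE "KERNEL CMDLINE" -> mode the host will come up in
boot_mode() {
    mode=$(config_mode "$1")
    for arg in $2; do        # unquoted on purpose: split into parameters
        case "$arg" in
            selinux=0)   echo disabled; return 0 ;;
            enforcing=0) [ "$mode" = disabled ] || mode=permissive ;;
            enforcing=1) [ "$mode" = disabled ] || mode=enforcing ;;
        esac
    done
    echo "$mode"
}

# audit_boot FILE "KERNEL CMDLINE": status 0 only if the host boots enforcing
audit_boot() {
    result=$(boot_mode "$1" "$2")
    echo "next boot: $result"
    [ "$result" = enforcing ]
}

# Constructed sample: the config asks for enforcing, but the boot entry
# carries enforcing=0, so the host silently comes up permissive.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'SELINUX=enforcing' \
    'SELINUXTYPE=targeted' > "$sample"
audit_boot "$sample" "ro root=/dev/sda1 enforcing=0" ||
    echo "review: SELinux will not enforce policy after reboot"
# On a live host: audit_boot /etc/selinux/config "$(cat /proc/cmdline)"
```

An "unknown" result means the config file could not be read or has no recognizable SELINUX= value, and should be reviewed by hand rather than assumed safe.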

File Context Labeling

SELinux file types are attached to each file on your SELinux system using extended file attributes. The use of these attributes is integral and required by SELinux, and has some system administration ramifications you should be aware of.

When formatting a new filesystem for use with SELinux, you must use a filesystem that supports these extended attributes. The ext2 and ext3 filesystems support extended attributes, and the xfs filesystem also is known to work, but reiserfs does not currently include extended attribute support.

When backing up files on an SELinux system, you need to use a backup method that is aware of and backs up these extended attributes. For example, the standard tar command will not back them up, so you need to use star as a substitute. star is an extension of the tar command, so you shouldn't run into serious problems here, but this could have ramifications with any backup scripts you may have written that call the tar command.

A common cause of SELinux problems is mislabeled files. If you run into strange errors or see files that are mislabeled, the best, most reliable way of fixing them is to issue a touch /.autorelabel command followed by a reboot. This will trigger a relabel upon startup of the system, before files are opened and services are started. The restorecon command can also be used to restore files to their proper context, but it won't change the running context of processes that were launched by a mislabeled binary, so you may still run into problems.

The chcon command can be used to change the context of a file, but if the file has a default context set in the policy it will be reset to that default if the entire filesystem is relabeled. chcon is most useful for testing new file contexts before making a change permanent in the policy; if your system depends on contexts set using chcon, you may run into trouble if you ever need to perform a global relabeling.

Finally, it is important to be aware of the differences between copying and moving files using the cp or mv commands. When moving a file using mv, the destination file will retain its original context. When copying a file using cp, the file will inherit a new context based on the destination directory it was copied to. This is an important distinction that can result in trouble if it is overlooked.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120700/49/


LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

 

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


   Debian
  Debian: New OpenSSL 0.9.6 packages fix cryptographic weakness
  4th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120726
 
  Debian: New OpenSSL packages fix cryptographic weakness
  4th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120728
 
  Debian: New thttpd packages fix insecure temporary file
  4th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120731
 
  Debian: New Horde3 packages fix insecure default installation
  7th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120741
 
  Debian: New OpenVPN packages fix several vulnerabilities
  7th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120742
 
  Debian: New squid packages fix regression
  7th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120743
 
  Debian: New chmlib packages fix several vulnerabilities
  7th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120746
 
  Debian: New ClamAV packages fix several vulnerabilities
  7th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120747
 
  Debian: New OpenSSL packages fix cryptographic weakness
  7th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120748
 
  Debian: New enigmail packages fix information disclosure
  8th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120751
 
  Debian: New libungif4 packages fix several vulnerabilities
  9th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120761
 
  Debian: New gpsdrive packages fix arbitrary code execution
  9th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120762
 
  Debian: New awstats packages fix arbitrary command execution
  10th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120778
 
  Debian: New kdelibs packages fix backup file information leak
  10th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120779
 
   Gentoo
  Gentoo: giflib Multiple vulnerabilities
  4th, November, 2005

giflib may dereference NULL or write out of bounds when processing malformed images, potentially resulting in Denial of Service or arbitrary code execution.

http://www.linuxsecurity.com/content/view/120727
 
  Gentoo: ClamAV Multiple vulnerabilities
  6th, November, 2005

ClamAV has many security flaws which make it vulnerable to remote execution of arbitrary code and a Denial of Service.

http://www.linuxsecurity.com/content/view/120732
 
  Gentoo: GNUMP3d Directory traversal and XSS vulnerabilities
  6th, November, 2005

GNUMP3d is vulnerable to directory traversal and cross-site scripting attacks that may result in information disclosure or the compromise of a browser.

http://www.linuxsecurity.com/content/view/120733
 
  Gentoo: fetchmail Password exposure in fetchmailconf
  6th, November, 2005

fetchmailconf fails to properly handle file permissions, temporarily exposing sensitive information to other local users.

http://www.linuxsecurity.com/content/view/120734
 
  Gentoo: OpenVPN Multiple vulnerabilities
  6th, November, 2005

The OpenVPN client is potentially vulnerable to the execution of arbitrary code and the OpenVPN server is vulnerable to a Denial of Service issue.

http://www.linuxsecurity.com/content/view/120735
 
  Gentoo: QDBM, ImageMagick, GDAL RUNPATH issues
  8th, November, 2005

Multiple packages suffer from RUNPATH issues that may allow users in the "portage" group to escalate privileges.

http://www.linuxsecurity.com/content/view/120759
 
  Gentoo: libgda Format string vulnerabilities
  8th, November, 2005

Two format string vulnerabilities in libgda may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120760
 
   Mandriva
  Mandriva: Updated mandriva-release packages provide updated information
  7th, November, 2005

The updated mandriva-release packages provide a fixed CREDITS file.

http://www.linuxsecurity.com/content/view/120749
 
  Mandriva: Updated clamav packages fix multiple vulnerabilities
  7th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120750
 
  Mandriva: Updated openvpn packages fix multiple vulnerabilities
  8th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120758
 
  Mandriva: Updated scim-qtimm packages fix incorrect requires for x86_64
  9th, November, 2005

Due to a bug in the RPM requires for the scim-qtimm package, it was only installable on i586 platforms, and not on x86_64 due to differences in the naming for libqt3 (vs. lib64qt3). This update corrects the requires allowing the package to be installed on Mandriva Linux 2006/x86_64.

http://www.linuxsecurity.com/content/view/120769
 
  Mandriva: Updated e2fsprogs packages fix segfault
  9th, November, 2005

The mklost+found program was segfaulting on Mandriva Linux 2006. This update corrects the problem.

http://www.linuxsecurity.com/content/view/120770
 
  Mandriva: Updated ldetect-lst packages provide updated PCI information
  9th, November, 2005

The updated ldetect-lst packages provide five new PCI modem definitions in the hardware database.

http://www.linuxsecurity.com/content/view/120771
 
  Mandriva: Updated drakxtools packages fix various bugs
  9th, November, 2005

The updated ldetect-lst packages provide five new PCI modem definitions in the hardware database.

http://www.linuxsecurity.com/content/view/120772
 
  Mandriva: Updated libungif packages fix various vulnerabilities
  9th, November, 2005

Several bugs have been discovered in the way libungif decodes GIF images.

http://www.linuxsecurity.com/content/view/120773
 
  Mandriva: Updated emacs packages fix Lisp vulnerability
  9th, November, 2005

Emacs 21.2 does not prompt or warn the user before executing Lisp code in the local variables section of a text file, which allows user-complicit attackers to execute arbitrary commands, as demonstrated using the mode-name variable.

http://www.linuxsecurity.com/content/view/120774
 
  Mandriva: Updated fetchmail packages fixes fetchmailconf vulnerability
  9th, November, 2005

Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program.

http://www.linuxsecurity.com/content/view/120775
 
  Mandriva: Updated w3c-libwww packages fixes DoS vulnerability.
  9th, November, 2005

Sam Varshavchik discovered the HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause a denial of service (segmentation fault) via a crafted multipart/byteranges MIME message that triggers an out-of-bounds read.

http://www.linuxsecurity.com/content/view/120776
 
  Mandriva: Updated drakxtools packages fix various bugs
  9th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120777
 
   Red Hat
  RedHat: Important: libungif security update
  3rd, November, 2005

Updated libungif packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120721
 
  RedHat: Critical: flash-plugin security update
  9th, November, 2005

Updated Macromedia Flash Player packages that fix a security issue are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120768
 
