This week, advisories were released for awstats, kdelibs, acidlab, AbiWord, uim, ftpd-ssl, phpsysinfo, phpgroupware, lynx, rar, sylpheed, gtk, egroupware, cpio, lm_sensors, and gdk-pixbuf. The distributors include Debian, Gentoo, Mandriva, and Red Hat.


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.


SELinux Administration, Part II
By: Pax Dickinson

Policy booleans are sections of policy that can be switched on or off, providing a basic level of policy configurability at runtime without requiring the recompilation of the entire security policy. For example, you might be running a webmail application on your server that requires the webserver process to be able to connect to your mail server ports and read mail files out of users' home directories. Rather than adding those permissions to the security policy, where they would reduce security for those not running webmail, a policy developer would create a boolean that the local administrator could enable only if it is required. This helps maintain a high level of security and follows the principle of least privilege.

To view a list of the policy booleans in your running policy and their current states, use the sestatus command. Among other information, this command lists your current enforcing mode, the enforcing mode set in the /etc/selinux/config file, and all policy booleans together with whether each is active or inactive.

You can view the current state of a single boolean with the getsebool command, passing it the name of the boolean you want to inspect. Booleans are set with the setsebool command, passing it the name of the boolean followed by 1 or 0 to make it active or inactive respectively.

Some sample booleans from the EnGarde Secure Linux SELinux policy are httpd_webmail and user_ping. The httpd_webmail boolean is used for the exact situation used as an example above, while the user_ping boolean determines whether or not regular users are able to send ping packets over the network. Booleans can be as simple as a single allow statement, or can enable or disable large swathes of the policy depending on their purpose.
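Because a boolean switched on during troubleshooting is easy to forget, a practitioner usually wants a check that the booleans on a host still match the least-privilege baseline the article argues for. The following script is an added example, not part of the original article or of EnGarde: it parses the "name --> on|off" output format of `getsebool -a` (a real flag that lists every boolean) and reports any deviation from an assumed baseline; the sample output and the baseline values are constructed.

```python
"""Audit SELinux policy booleans against a least-privilege baseline.

Added example, not from the original article. It parses the output format
of `getsebool -a` ("name --> on|off") and reports any boolean whose state
differs from what the administrator expects for this host.
"""
import re
import subprocess

# Constructed sample of `getsebool -a` output so the script runs offline.
# The first two names are the article's EnGarde examples; the states are made up.
SAMPLE_OUTPUT = """\
httpd_webmail --> on
user_ping --> off
httpd_can_network_connect --> on
"""

# Assumed baseline: the state each boolean should have on this host.
BASELINE = {
    "httpd_webmail": False,  # no webmail here: keep httpd away from mail ports and home dirs
    "user_ping": False,
}

LINE_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text: str) -> dict[str, bool]:
    """Map boolean name -> True for 'on', False for 'off'; ignore non-matching lines."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            states[m.group(1)] = m.group(2) == "on"
    return states


def find_drift(states: dict[str, bool], baseline: dict[str, bool]) -> list[tuple[str, str]]:
    """Return (name, problem) for booleans missing from the policy or in the wrong state."""
    drift = []
    for name, expected in baseline.items():
        if name not in states:
            drift.append((name, "not present in running policy"))
        elif states[name] != expected:
            actual = "on" if states[name] else "off"
            drift.append((name, f"is {actual}, expected {'on' if expected else 'off'}"))
    return drift


def live_states() -> dict[str, bool]:
    """Read the real boolean states with getsebool -a (requires an SELinux host)."""
    out = subprocess.run(["getsebool", "-a"], capture_output=True, text=True, check=True).stdout
    return parse_getsebool(out)


if __name__ == "__main__":
    for name, problem in find_drift(parse_getsebool(SAMPLE_OUTPUT), BASELINE):
        print(f"{name}: {problem}")
```

On a live host, replace `parse_getsebool(SAMPLE_OUTPUT)` with `live_states()`; note that a plain `setsebool name 0` change lasts only until reboot unless the boolean is also set with `setsebool -P`, so a drift report may reflect either a forgotten runtime toggle or a persisted one.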

Our SELinux journey is almost done. Next time, we'll discuss policy development basics and see how we can troubleshoot policy denials and write new SELinux policy or modify existing policy to allow our SELinux system to get its jobs done while maintaining a high level of security. Until then, farewell and remember to stay secure.


LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to [list address not shown on this page] with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


Debian
Debian: New awstats packages fix arbitrary command execution
10th, November, 2005

Updated package.

advisories/debian/debian-new-awstats-packages-fix-arbitrary-command-execution-97479
Debian: New kdelibs packages fix backup file information leak
10th, November, 2005

Updated package.

advisories/debian/debian-new-kdelibs-packages-fix-backup-file-information-leak-15398
Debian: New acidlab packages fix SQL injection
14th, November, 2005

Updated package.

advisories/debian/debian-new-acidlab-packages-fix-sql-injection
Debian: New AbiWord packages fix arbitrary code execution
14th, November, 2005

Updated package.

advisories/debian/debian-new-abiword-packages-fix-arbitrary-code-execution
Debian: New uim packages fix privilege escalation
14th, November, 2005

Updated package.

advisories/debian/debian-new-uim-packages-fix-privilege-escalation
Debian: New ftpd-ssl packages fix arbitrary code execution
15th, November, 2005

Updated package.

advisories/debian/debian-new-ftpd-ssl-packages-fix-arbitrary-code-execution
Debian: New phpsysinfo packages fix several vulnerabilities
15th, November, 2005

Updated package.

advisories/debian/debian-new-phpsysinfo-packages-fix-several-vulnerabilities
Debian: New phpgroupware packages fix several vulnerabilities
17th, November, 2005

Updated package.

advisories/debian/debian-new-phpgroupware-packages-fix-several-vulnerabilities
Gentoo
Gentoo: PHP Multiple vulnerabilities
13th, November, 2005

PHP suffers from multiple issues, resulting in security function bypass, local denial of service, cross-site scripting or PHP variable overwrite.

Gentoo: Lynx Arbitrary command execution
13th, November, 2005

Lynx is vulnerable to an issue which allows the remote execution of arbitrary commands.

Gentoo: RAR Format string and buffer overflow vulnerabilities
13th, November, 2005

RAR contains a format string error and a buffer overflow vulnerability that may be used to execute arbitrary code.

Gentoo: linux-ftpd-ssl Remote buffer overflow
13th, November, 2005

A buffer overflow vulnerability has been found, allowing a remote attacker to execute arbitrary code with escalated privileges on the local system.

Gentoo: Scorched 3D Multiple vulnerabilities
15th, November, 2005

Multiple vulnerabilities in Scorched 3D allow a remote attacker to deny service or execute arbitrary code on game servers.

Gentoo: Sylpheed, Sylpheed-Claws Buffer overflow in LDIF
15th, November, 2005

Sylpheed and Sylpheed-Claws contain a buffer overflow vulnerability which may lead to the execution of arbitrary code.

Gentoo: GTK+ 2, GdkPixbuf Multiple XPM decoding vulnerabilities
16th, November, 2005

The GdkPixbuf library, which is also included in GTK+ 2, contains vulnerabilities that could lead to a denial of service or the execution of arbitrary code.

Mandriva
Mandriva: Updated lynx packages fix critical vulnerability
12th, November, 2005

An arbitrary command execution vulnerability was discovered in the lynx "lynxcgi:" URI handler. An attacker could create a web page that redirects to a malicious URL which could then execute arbitrary code as the user running lynx. The updated packages have been patched to address this issue.

Mandriva: Updated egroupware packages to address phpldapadmin, phpsysinfo vulnerabilities
16th, November, 2005

The updated packages have new versions of these subsystems to correct these issues.

Mandriva: Updated php packages fix multiple vulnerabilities
17th, November, 2005

Updated package.

Mandriva: Updated autofs packages fix problem with LDAP
16th, November, 2005

A problem with how autofs was linked with the LDAP libraries would cause autofs to segfault on startup. The updated package has been fixed to correct this problem.

Mandriva: Updated acpid package fixes various bugs
16th, November, 2005

A number of bugs have been fixed in this new acpid package: Correct an error in the initscript, to look for lm_battery.sh rather than battery.sh.

Red Hat
RedHat: Critical: lynx security update
11th, November, 2005

An updated lynx package that corrects a security flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-critical-lynx-security-update-85832
RedHat: Low: cpio security update
10th, November, 2005

An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-low-cpio-security-update-84799
RedHat: Low: lm_sensors security update
10th, November, 2005

Updated lm_sensors packages that fix an insecure file issue are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-low-lmsensors-security-update-RHSA-2005-825-01
RedHat: Moderate: php security update
10th, November, 2005

Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-php-security-update-38610
RedHat: Moderate: php security update
10th, November, 2005

Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-php-security-update-38610
RedHat: Important: gdk-pixbuf security update
15th, November, 2005

Updated gdk-pixbuf packages that fix several security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-gdk-pixbuf-security-update-16958
RedHat: Important: gtk2 security update
15th, November, 2005

Updated gtk2 packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-gtk2-security-update-76593