LinuxSecurity.com
Linux Advisory Watch: December 2nd 2005
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, advisories were released for zope, gtk, centericq, gdk-pixbuf, horde2, inkscape, chmlib, fuse, netpbm, and the kernel. The distributors include Debian, Gentoo, and Mandriva.




Hacks From Pax: SELinux Policy Development
By: Pax Dickenson

Hi, and welcome to the final entry in my series of articles on SELinux. My last three articles have provided an overview and history of SELinux, discussed how SELinux makes access decisions, and explained how to administer an SELinux system. Today we'll build on the SELinux knowledge we've gained and learn how to perform basic customization of our system's security policy.

Customizing your system's SELinux policy can be necessary when running an application your policy is unaware of. In particular, web-based applications might need customization of the Apache policy in order to run properly.

Setting Up a Policy Development Environment

For the purposes of this article, I'll assume you have a server running EnGarde Secure Community 3.0 (a free downloadable ISO image is available). EnGarde Secure Linux is a good base for learning SELinux policy because it is a server-only system, which allows for a policy that is easier to understand than those of distributions such as Fedora, which include many policy modules for X11 and other desktop applications.

First, log in as root and transition to the sysadm_r role. Generally policy development is best done with SELinux in permissive mode, so use the setenforce command to set the proper mode. Be sure your system is upgraded to the latest release by issuing the apt-get update command, and then install the necessary policy development packages by entering apt-get install make m4 gcc python engarde-policy-sources. Other packages may be installed due to dependencies.

Compiling Policy

Once this is done, you should change to the policy sources directory which is /etc/selinux/engarde/src/policy/. The main part of the policy sources is the policy/modules directory, which contains directories that contain your actual policy source modules for all services and applications constrained by SELinux.

The first time you compile a policy, you must make the configuration files by typing make conf in the main policy directory. This creates the modules.conf and policy.conf files. Now you can compile the policy by entering make policy. This gathers all the modules and compiles them into a binary policy that is directly used by SELinux.

The next step is to install the newly compiled policy by issuing the make install command. Next, you must reload the policy by typing make reload. If you have changed file specifications, you also need to relabel based on the new policy; this is done by typing make relabel. Finally, return to enforcing mode using the setenforce command.

One way to speed up this process is to issue all of the compilation commands in a single command line, as shown below.

# setenforce 0 && make policy install reload relabel reload && setenforce 1
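
Added example, not part of the original article: with the one-liner above, a failing make target skips the final setenforce 1 and leaves the system in permissive mode. This wrapper runs the same targets in the same order and restores the starting mode either way; the use of getenforce, the POLICY_SRC override and the --run switch are assumptions not shown in the article.

```sh
#!/bin/sh
# Added example: rebuild the SELinux policy and put the system back into the
# mode it started in, even when one of the make targets fails.
# POLICY_SRC defaults to the policy source directory named in the article.
POLICY_SRC="${POLICY_SRC:-/etc/selinux/engarde/src/policy}"
FAILED_TARGET=""

rebuild_policy() {
    FAILED_TARGET=""
    # Record the current mode (Enforcing, Permissive or Disabled).
    prev_mode=$(getenforce) || { echo "getenforce failed" >&2; return 2; }
    if [ "$prev_mode" = "Disabled" ]; then
        echo "SELinux is disabled; nothing to rebuild against" >&2
        return 2
    fi

    # Permissive while the policy is rebuilt, as the article recommends.
    setenforce 0 || return 2

    # Same target order as the article's one-liner; stop at the first failure.
    for target in policy install reload relabel reload; do
        if ! make -C "$POLICY_SRC" "$target"; then
            FAILED_TARGET=$target
            break
        fi
    done

    # Restore enforcing mode if that is where we started, whatever happened above.
    if [ "$prev_mode" = "Enforcing" ]; then
        setenforce 1 || { echo "could not restore enforcing mode" >&2; return 3; }
    fi

    if [ -n "$FAILED_TARGET" ]; then
        echo "make $FAILED_TARGET failed; mode restored to $prev_mode" >&2
        return 1
    fi
    return 0
}

# Run only when asked to, so the file can also be sourced for its function.
if [ "${1:-}" = "--run" ]; then
    rebuild_policy
    exit $?
fi
```
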

Read Entire Article:
http://www.linuxsecurity.com/content/view/120837/49/


LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

 

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New zope2.7 packages fix arbitrary file inclusion
  24th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120884
 
  Debian: New gtk+2.0 packages fix several vulnerabilities
  29th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120908
 
  Debian: New centericq packages fix denial of service
  30th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120909
 
  Debian: New gdk-pixbuf packages fix several vulnerabilities
  1st, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120917
 
  Debian: New horde2 packages fix cross-site scripting
  1st, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120918
 
   Gentoo
  Gentoo: Macromedia Flash Player Remote arbitrary code
  25th, November, 2005

A vulnerability has been identified that allows arbitrary code execution on a user's system via the handling of malicious SWF files.

http://www.linuxsecurity.com/content/view/120893
 
  Gentoo: Inkscape Buffer overflow
  28th, November, 2005

A vulnerability has been identified that allows a specially crafted SVG file to exploit a buffer overflow and potentially execute arbitrary code when opened.

http://www.linuxsecurity.com/content/view/120900
 
  Gentoo: chmlib, KchmViewer Stack-based buffer overflow
  28th, November, 2005

chmlib and KchmViewer contain a buffer overflow vulnerability which may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120901
 
  Gentoo: chmlib, KchmViewer Stack-based buffer overflow
  28th, November, 2005

chmlib and KchmViewer contain a buffer overflow vulnerability which may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120903
 
   Mandriva
  Mandriva: Updated fuse packages fix vulnerability
  24th, November, 2005

Thomas Beige found that fusermount failed to securely handle special characters specified in mount points, which could allow a local attacker to corrupt the contents of /etc/mtab by mounting over a maliciously-named directory using fusermount.

http://www.linuxsecurity.com/content/view/120891
 
  Mandriva: Updated netpbm packages fix pnmtopng vulnerabilities
  30th, November, 2005

Greg Roelofs discovered and fixed several buffer overflows in pnmtopng which is also included in netpbm, a collection of graphic conversion utilities, that can lead to the execution of arbitrary code via a specially crafted PNM file.

http://www.linuxsecurity.com/content/view/120913
 
  Mandriva: Updated kernel packages fix numerous vulnerabilities
  30th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120914
 
  Mandriva: Updated kernel packages fix numerous vulnerabilities
  30th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120915
 
  Mandriva: Updated kernel packages fix numerous vulnerabilities
  30th, November, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120916
 

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.