Linux Advisory Watch: December 16th 2005
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for courier, osh, curl, ethereal, phpMyAdmin,
Openswan, Xmail, Ethereal, perl, openvpn, thunderbird, xmovie, mplayer, and
ffmpeg. The distributors include Debian, Gentoo, and Mandriva.
Once you have the full list of allow statements, examine them carefully
and try to understand what you are allowing before adding them to policy. One
weakness of audit2allow is that it is unaware of the macros contained in the policy,
so grep through your policy sources for allow statements close to the ones you'd
like to add and try to find appropriate macros to use instead. If you're planning
on doing a lot of policy customization, it's a good idea to familiarize yourself
with the existing policy sources so you're aware of what macros are available.
The $policy/policy/support/obj_perm_sets.spt file is one good place to start: it
contains macros that expand out to useful permission groupings. For example,
rather than allowing a domain the ioctl, read, getattr, lock, write, and append
permissions to a given type, you can simply assign it the rw_file_perms macro
instead. This helps keep policy readable later on.
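The macro lookup described above can be automated. The following is an added example, not part of the original article or of the SELinux tools: it reads m4-style definitions in the format used by obj_perm_sets.spt and rewrites audit2allow-style rules whose permission set exactly matches a macro. The sample input is constructed, and myapp_t and the other type names are hypothetical.

```python
import re

# Constructed sample in the m4 `define` style used by obj_perm_sets.spt.
# rw_file_perms matches the expansion given in the text; r_file_perms is an
# assumed second entry, included to show that only exact matches are rewritten.
SAMPLE_SPT = """
define(`r_file_perms', `{ read getattr lock ioctl }')
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
"""

# Constructed audit2allow-style output; all type names are hypothetical.
SAMPLE_RULES = """
allow myapp_t myapp_log_t:file { append getattr ioctl lock read write };
allow myapp_t myapp_conf_t:file { getattr ioctl lock read };
allow myapp_t myapp_tmp_t:file { create write };
"""

DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`\{([^}]*)\}'\)")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\};\s*$")

def load_macros(spt_text):
    """Map frozenset(permissions) -> macro name, ignoring permission order."""
    return {frozenset(perms.split()): name
            for name, perms in DEFINE_RE.findall(spt_text)}

def suggest(rules_text, macros):
    """Rewrite rules whose permission set exactly equals a macro's expansion."""
    out = []
    for line in rules_text.strip().splitlines():
        line = line.strip()
        m = ALLOW_RE.match(line)
        if not m:
            out.append(line)  # leave anything we do not understand untouched
            continue
        src, tgt, cls, perms = m.groups()
        macro = macros.get(frozenset(perms.split()))
        # Only file-class rules are matched against *_file_perms macros.
        if macro and cls == "file" and macro.endswith("_file_perms"):
            out.append(f"allow {src} {tgt}:{cls} {macro};")
        else:
            out.append(line)  # no exact match: keep the explicit permissions
    return out

if __name__ == "__main__":
    for rule in suggest(SAMPLE_RULES, load_macros(SAMPLE_SPT)):
        print(rule)
```

A rule that matches no macro exactly is left with its explicit permissions, so the rewrite never grants more than audit2allow proposed.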
Once you have generated your needed allow statements, add them to the
$policy/policy/modules/admin/local.te file and recompile the policy. If your
application still won't work in enforcing mode, just repeat the process until
you can run it with no SELinux audit errors.
Always keep your policy changes in the $policy/policy/modules/admin/local.*
files. These files are included in the package empty and are intended for local
policy customization. If you change a file that belongs to a service and already
contains rules, your changes will be lost when the policy is upgraded, so keep
local changes in the local.te and local.fc files where they belong.
If you find a problem in existing policy, add your changes to local.* but
provide a patch to the policy maintainers so they can include it in a later
build. Most SELinux policies are being constantly developed and revised since
the technology is still fairly new, and your upstream maintainers will thank
you for your help.
Policy development can be difficult at the beginning, but I think you'll find
that as you make progress you'll be learning not only about SELinux but about
the details of what your applications are really doing under the hood. You'll
not only be making your system more secure, you'll be learning about the low
level details of your system and its services. SELinux development has already
resulted in upstream patches to many applications that had hidden bugs that
were only found because SELinux alerted policy developers to the kernel level
actions the applications were attempting.
I hope you enjoyed reading this SELinux series as much as I enjoyed writing
it. Until next time, stay secure and keep your policy locked down tight.
Linux File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far too
liberal and allow access beyond that which is needed for proper system
operations. A full explanation of unix file permissions is beyond the scope of
this article, so I'll assume you are familiar with the usage of such tools as
chmod, chown, and chgrp. If you'd like a refresher, one is available right here
on linuxsecurity.com.
Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading
type of security vulnerability. This paper explains what a buffer overflow is,
how it can be exploited, and what countermeasures can be taken to prevent
the use of buffer overflow vulnerabilities.
Getting to Know Linux Security: File Permissions - Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I'll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
Debian
Debian: New courier packages fix unauthorised access
Gentoo: Ethereal Buffer overflow in OSPF protocol dissector
14th, December, 2005
Ethereal is missing bounds checking in the OSPF protocol dissector
that could lead to abnormal program termination or the execution of arbitrary
code.
http://www.linuxsecurity.com/content/view/121003
Mandriva
Mandriva: Updated curl package fixes format string vulnerability
Mandriva: Updated perl package fixes format string vulnerability
8th, December, 2005
Jack Louis discovered a new way to exploit format string errors
in the Perl programming language that could lead to the execution of arbitrary
code.
http://www.linuxsecurity.com/content/view/120967
Two Denial of Service vulnerabilities exist in OpenVPN. The
first allows a malicious or compromised server to execute arbitrary code
on the client (CVE-2005-3393). The second DoS can occur if, when in TCP
server mode, OpenVPN receives an error on accept(2) and the resulting
exception handler causes a segfault (CVE-2005-3409). The updated packages
have been patched to correct these problems.
Mandriva: Updated mozilla-thunderbird package fix vulnerability in enigmail
13th, December, 2005
A bug in enigmail, the GPG support extension for Mozilla MailNews
and Mozilla Thunderbird was discovered that could lead to the encryption
of an email with the wrong public key. This could potentially disclose
confidential data to unintended recipients. The updated packages have
been patched to prevent this problem.
http://www.linuxsecurity.com/content/view/120986
A stack-based buffer overflow was discovered in the OSPF dissector
in Ethereal. This could potentially be abused to allow remote attackers
to execute arbitrary code via crafted packets. The updated packages have
been patched to prevent this problem.
http://www.linuxsecurity.com/content/view/121010
Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.
http://www.linuxsecurity.com/content/view/121011
Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.
http://www.linuxsecurity.com/content/view/121013
Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.
http://www.linuxsecurity.com/content/view/121014
Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.
http://www.linuxsecurity.com/content/view/121015