This week, advisories were released for courier, osh, curl, ethereal, phpMyAdmin, Openswan, Xmail, Ethereal, perl, openvpn, thunderbird, xmovie, mplayer, and ffmpeg. The distributors include Debian, Gentoo, and Mandriva.




SELinux Policy Development: Modifying Policy
By: Pax Dickenson

Once you have your list of all your allow statements, examine them carefully and try to understand what you are allowing before adding them to policy. One weakness of audit2allow is that it is unaware of macros contained in the policy, so grep through your policy sources for allow statements close to the ones you'd like to add and try to find appropriate macros to use instead. If you're planning on doing a lot of policy customization it's a good idea to familiarize yourself with the existing policy sources so you're aware what macros are available.

The $policy/policy/support/obj_perm_sets.spt is one good place to start, it contains macros that expand out to useful permissions groupings. For example, rather than allowing a domain the ioctl, read, getattr, lock, write, and append permissions to a given type, you can simply assign it the rw_file_perms macro instead. This helps keep policy readable later on.

Once you have generated your needed allow statements, add them to the $policy/policy/modules/admin/local.te file and recompile the policy. If your application still won't work in enforcing mode, just repeat the process until you can run it with no SELinux audit errors.
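To illustrate the macro substitution step described above, here is an added example (not code from the article or from the SELinux project) that takes audit2allow-style allow rules and rewrites them with permission-set macros. The rw_file_perms expansion is the one the article gives; r_file_perms and ra_file_perms are assumed here and should be checked against your own obj_perm_sets.spt.

```python
import re

# Permission-set macros assumed to come from obj_perm_sets.spt.
# rw_file_perms is as described in the article; the other two are
# assumptions and must be verified against the real policy sources.
PERM_MACROS = {
    "rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"},
    "r_file_perms": {"ioctl", "read", "getattr", "lock"},
    "ra_file_perms": {"ioctl", "read", "getattr", "lock", "append"},
}

# Matches "allow src tgt:class { p1 p2 ... };" or "allow src tgt:class perm;"
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*$"
)


def parse_allow(line):
    """Return (source, target, class, set_of_perms) or None if not an allow rule."""
    m = ALLOW_RE.match(line.strip())
    if not m:
        return None
    perms = set((m.group("perms") or m.group("perm")).split())
    return m.group("src"), m.group("tgt"), m.group("cls"), perms


def macro_for(cls, perms):
    """Return the file macro whose expansion exactly equals perms, else None."""
    if cls != "file":
        return None
    for name, expansion in PERM_MACROS.items():
        if perms == expansion:
            return name
    return None


def rewrite_allow(line):
    """Rewrite one allow rule to use a macro when its permission set matches exactly."""
    parsed = parse_allow(line)
    if parsed is None:
        return line  # leave comments and non-allow lines untouched
    src, tgt, cls, perms = parsed
    macro = macro_for(cls, perms)
    if macro:
        return f"allow {src} {tgt}:{cls} {macro};"
    if len(perms) == 1:
        return f"allow {src} {tgt}:{cls} {next(iter(perms))};"
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def rewrite_rules(text):
    """Rewrite a whole block of audit2allow output, one rule per line."""
    return [rewrite_allow(line) for line in text.splitlines() if line.strip()]
```

Only exact matches are rewritten, so a rule with a superset of a macro's permissions stays explicit and can be reviewed by hand before it goes into local.te.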

Always keep your policy changes in the $policy/policy/modules/admin/local.* files. These files are shipped empty in the package and are intended for local policy customization. If you change a file that belongs to a service and already contains rules, your changes will be lost when the policy is upgraded, so keep local changes in the local.te and local.fc files where they belong.

If you find a problem in existing policy, add your changes to local.* but provide a patch to the policy maintainers so they can include it in a later build. Most SELinux policies are being constantly developed and revised since the technology is still fairly new, and your upstream maintainers will thank you for your help.

Policy development can be difficult at the beginning, but I think you'll find that as you make progress you'll be learning not only about SELinux but about the details of what your applications are really doing under the hood. You'll not only be making your system more secure, you'll be learning about the low level details of your system and its services. SELinux development has already resulted in upstream patches to many applications that had hidden bugs that were only found because SELinux alerted policy developers to the kernel level actions the applications were attempting.

I hope you enjoyed reading this SELinux series as much as I enjoyed writing it. Until next time, stay secure and keep your policy locked down tight.

Read Entire Article:


LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Debian
Debian: New courier packages fix unauthorised access
8th, December, 2005

Updated package.

Debian: New osh packages fix privilege escalation
9th, December, 2005

Updated package.

Debian: New curl packages fix potential security problem
12th, December, 2005

Updated package.

Debian: New ethereal packages fix arbitrary code execution
13th, December, 2005

Updated package.

Debian: New Linux 2.4.27 packages fix several vulnerabilities
14th, December, 2005

Updated package.

Debian: New Linux 2.6.8 packages fix several vulnerabilities
14th, December, 2005

Updated package.

Gentoo
Gentoo: phpMyAdmin Multiple vulnerabilities
11th, December, 2005

Multiple flaws in phpMyAdmin may lead to several XSS issues and local and remote file inclusion vulnerabilities.

Gentoo: Openswan, IPsec-Tools Vulnerabilities in ISAKMP
12th, December, 2005

Openswan and IPsec-Tools suffer from an implementation flaw which may allow a Denial of Service attack.

Gentoo: Xmail Privilege escalation through sendmail
14th, December, 2005

The sendmail program in Xmail is vulnerable to a buffer overflow, potentially resulting in local privilege escalation.

Gentoo: Ethereal Buffer overflow in OSPF protocol dissector
14th, December, 2005

Ethereal is missing bounds checking in the OSPF protocol dissector that could lead to abnormal program termination or the execution of arbitrary code.

Mandriva
Mandriva: Updated curl package fixes format string vulnerability
8th, December, 2005

Updated package.

Mandriva: Updated perl package fixes format string vulnerability
8th, December, 2005

Jack Louis discovered a new way to exploit format string errors in the Perl programming language that could lead to the execution of arbitrary code.

Mandriva: Updated openvpn packages fix multiple vulnerabilities
10th, December, 2005

Two Denial of Service vulnerabilities exist in OpenVPN. The first allows a malicious or compromised server to execute arbitrary code on the client (CVE-2005-3393). The second DoS can occur when, in TCP server mode, OpenVPN receives an error on accept(2) and the resulting exception handler causes a segfault (CVE-2005-3409). The updated packages have been patched to correct these problems.

Mandriva: Updated mozilla-thunderbird packages fix vulnerability in enigmail
13th, December, 2005

A bug in enigmail, the GPG support extension for Mozilla MailNews and Mozilla Thunderbird, was discovered that could lead to the encryption of an email with the wrong public key. This could potentially disclose confidential data to unintended recipients. The updated packages have been patched to prevent this problem.

Mandriva: Updated ethereal packages fix vulnerability
14th, December, 2005

A stack-based buffer overflow was discovered in the OSPF dissector in Ethereal. This could potentially be abused to allow remote attackers to execute arbitrary code via crafted packets. The updated packages have been patched to prevent this problem.

Mandriva: Updated xine-lib packages fix buffer overflow vulnerability
14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Mandriva: Updated xmovie packages fix buffer overflow vulnerability
14th, December, 2005

Updated package.

Mandriva: Updated gstreamer-ffmpeg packages fix buffer overflow vulnerability
14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Mandriva: Updated mplayer packages fix buffer overflow vulnerability
14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Mandriva: Updated ffmpeg packages fix buffer overflow vulnerability
14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.