Linux Advisory Watch: December 16th 2005
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, advisories were released for courier, osh, curl, ethereal, phpMyAdmin, Openswan, Xmail, Ethereal, perl, openvpn, thunderbird, xmovie, mplayer, and ffmpeg. The distributors include Debian, Gentoo, and Mandriva.



SELinux Policy Development: Modifying Policy
By: Pax Dickenson

Once you have your list of allow statements, examine them carefully and try to understand what you are allowing before adding them to policy. One weakness of audit2allow is that it is unaware of macros contained in the policy, so grep through your policy sources for allow statements close to the ones you'd like to add and try to find appropriate macros to use instead. If you're planning on doing a lot of policy customization, it's a good idea to familiarize yourself with the existing policy sources so you're aware of what macros are available.

The $policy/policy/support/obj_perm_sets.spt file is one good place to start; it contains macros that expand to useful permission groupings. For example, rather than allowing a domain the ioctl, read, getattr, lock, write, and append permissions to a given type, you can simply assign it the rw_file_perms macro instead. This helps keep policy readable later on.
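An added example, not part of the original article or of the policy tooling: a short Python script that does the macro lookup described above mechanically, reading m4-style definitions and rewriting audit2allow-style rules only when the permission set matches a macro exactly. The type names, the r_file_perms entry, and the restriction to the file class are assumptions made for the illustration; rw_file_perms uses the permission list given in the article.

```python
import re

# Constructed excerpt in the m4 style of obj_perm_sets.spt. rw_file_perms matches
# the permission list given in the article; r_file_perms is an assumed entry.
SAMPLE_SPT = """
define(`r_file_perms', `{ read getattr lock ioctl }')
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
"""

# Constructed audit2allow-style output; the type names are hypothetical.
SAMPLE_RULES = """
allow myapp_t myapp_log_t:file { append getattr ioctl lock read write };
allow myapp_t myapp_conf_t:file { getattr read };
allow myapp_t myapp_port_t:tcp_socket name_bind;
"""

DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`\{([^}]*)\}'\)")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;$")


def load_macros(spt_text):
    """Map each macro name to the frozenset of permissions it expands to."""
    return {name: frozenset(perms.split())
            for name, perms in DEFINE_RE.findall(spt_text)}


def rewrite_rule(line, macros):
    """Replace a rule's permission set with a macro only on an exact match."""
    line = line.strip()
    m = ALLOW_RE.match(line)
    if not m:
        return line
    source, target, tclass, perms = m.groups()
    wanted = frozenset(perms.strip("{} ").split())
    for name, expansion in macros.items():
        # Exact equality only: a superset macro would silently grant extra access.
        # Assumption: these file permission macros apply to class "file" only.
        if tclass == "file" and expansion == wanted:
            return f"allow {source} {target}:{tclass} {name};"
    return line


def rewrite_policy(rules_text, spt_text):
    """Rewrite every non-empty rule line, leaving unmatched rules untouched."""
    macros = load_macros(spt_text)
    return [rewrite_rule(l, macros) for l in rules_text.splitlines() if l.strip()]


if __name__ == "__main__":
    print("\n".join(rewrite_policy(SAMPLE_RULES, SAMPLE_SPT)))
```

The second sample rule is left as written because substituting r_file_perms would add lock and ioctl, which the audit log never showed the application needing.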

Once you have generated your needed allow statements, add them to the $policy/policy/modules/admin/local.te file and recompile the policy. If your application still won't work in enforcing mode, just repeat the process until you can run it with no SELinux audit errors.

Always keep your policy changes in the $policy/policy/modules/admin/local.* files. These files are included in the package empty and are intended for local policy customization. If you change a file that belongs to a service and already contains rules, your changes will be lost when the policy is upgraded, so keep local changes in the local.te and local.fc files where they belong.

If you find a problem in existing policy, add your changes to local.* but provide a patch to the policy maintainers so they can include it in a later build. Most SELinux policies are being constantly developed and revised since the technology is still fairly new, and your upstream maintainers will thank you for your help.

Policy development can be difficult at the beginning, but I think you'll find that as you make progress you'll be learning not only about SELinux but about the details of what your applications are really doing under the hood. You'll not only be making your system more secure, you'll be learning about the low level details of your system and its services. SELinux development has already resulted in upstream patches to many applications that had hidden bugs that were only found because SELinux alerted policy developers to the kernel level actions the applications were attempting.

I hope you enjoyed reading this SELinux series as much as I enjoyed writing it. Until next time, stay secure and keep your policy locked down tight.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120837/49/


LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

 

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


   Debian
  Debian: New courier packages fix unauthorised access
  8th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120959
 
  Debian: New osh packages fix privilege escalation
  9th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120969
 
  Debian: New curl packages fix potential security problem
  12th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120980
 
  Debian: New ethereal packages fix arbitrary code execution
  13th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120987
 
  Debian: New Linux 2.4.27 packages fix several vulnerabilities
  14th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/121004
 
  Debian: New Linux 2.6.8 packages fix several vulnerabilities
  14th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/121005
 
   Gentoo
  Gentoo: phpMyAdmin Multiple vulnerabilities
  11th, December, 2005

Multiple flaws in phpMyAdmin may lead to several XSS issues and local and remote file inclusion vulnerabilities.

http://www.linuxsecurity.com/content/view/120975
 
  Gentoo: Openswan, IPsec-Tools Vulnerabilities in ISAKMP
  12th, December, 2005

Openswan and IPsec-Tools suffer from an implementation flaw which may allow a Denial of Service attack.

http://www.linuxsecurity.com/content/view/120981
 
  Gentoo: Xmail Privilege escalation through sendmail
  14th, December, 2005

The sendmail program in Xmail is vulnerable to a buffer overflow, potentially resulting in local privilege escalation.

http://www.linuxsecurity.com/content/view/121002
 
  Gentoo: Ethereal Buffer overflow in OSPF protocol dissector
  14th, December, 2005

Ethereal is missing bounds checking in the OSPF protocol dissector that could lead to abnormal program termination or the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121003
 
   Mandriva
  Mandriva: Updated curl package fixes format string vulnerability
  8th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120966
 
  Mandriva: Updated perl package fixes format string vulnerability
  8th, December, 2005

Jack Louis discovered a new way to exploit format string errors in the Perl programming language that could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120967
 
  Mandriva: Updated openvpn packages fix multiple vulnerabilities
  10th, December, 2005

Two Denial of Service vulnerabilities exist in OpenVPN. The first allows a malicious or compromised server to execute arbitrary code on the client (CVE-2005-3393). The second DoS can occur if, when in TCP server mode, OpenVPN receives an error on accept(2) and the resulting exception handler causes a segfault (CVE-2005-3409). The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/120974
 
  Mandriva: Updated mozilla-thunderbird package fix vulnerability in enigmail
  13th, December, 2005

A bug in enigmail, the GPG support extension for Mozilla MailNews and Mozilla Thunderbird, was discovered that could lead to the encryption of an email with the wrong public key. This could potentially disclose confidential data to unintended recipients. The updated packages have been patched to prevent this problem.

http://www.linuxsecurity.com/content/view/120986
 
  Mandriva: Updated ethereal packages fix vulnerability
  14th, December, 2005

A stack-based buffer overflow was discovered in the OSPF dissector in Ethereal. This could potentially be abused to allow remote attackers to execute arbitrary code via crafted packets. The updated packages have been patched to prevent this problem.

http://www.linuxsecurity.com/content/view/121010
 
  Mandriva: Updated xine-lib packages fix buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

http://www.linuxsecurity.com/content/view/121011
 
  Mandriva: Updated xmovie packages fix buffer overflow vulnerability
  14th, December, 2005

Updated package.

http://www.linuxsecurity.com/content/view/121012
 
  Mandriva: Updated gstreamer-ffmpeg packages fix buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

http://www.linuxsecurity.com/content/view/121013
 
  Mandriva: Updated mplayer packages fix buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

http://www.linuxsecurity.com/content/view/121014
 
  Mandriva: Updated ffmpeg packages fix buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

http://www.linuxsecurity.com/content/view/121015
 
