December 2, 2005

Linux Advisory Watch - December 2, 2005

Author: Benjamin D. Thomas

This week, advisories were released for zope, gtk, certericq, gdk-pixbuf, horde2, inkscape, chmlib, fuse, netpbm, and the kernel. The distributors include Debian, Gentoo, and Mandriva.Hacks From Pax: SELinux Policy Development
By: Pax Dickenson

Hi, and welcome to the final entry in my series of articles on SELinux. My
last three articles have provided an overview and history of SELinux, discussed
how SELinux makes access decisions, and explained how to administer an SELinux
system. Today we'll build on the SELinux knowledge we've gained and learn how
to perform basic customization of our system's security policy.

Customizing your system's SELinux policy can be necessary when running an application your policy is unaware of. Particularly, web based applications might need customization of Apache policy in order to run properly.

Setting Up a Policy Development Environment

For the purposes of this article, I'll assume you have a server running EnGarde Secure Community 3.0 (a free downloadable ISO image is available). Engarde Secure Linux is a good base for learning SELinux policy since it is a server system only, which allows for a policy that is easier to understand than distributions such as Fedora which include many policy modules for X11 and other desktop applications.

First, log in as root and transition to the sysadm_r role. Generally policy development is best done with SELinux in permissive mode, so use the setenforce command to set the proper mode. Be sure your system is upgraded to the latest release by issuing the apt-get update command, and then install the necessary policy development packages by entering apt-get install make m4 gcc python engarde-policy-sources. Other packages may be installed due to dependencies.

Compiling Policy

Once this is done, you should change to the policy sources directory which is /etc/selinux/engarde/src/policy/. The main part of the policy sources is the policy/modules directory, which contains directories that contain your actual policy source modules for all services and applications constrained by SELinux.

The first time you compile a policy, you must make the configuration files by typing make conf in the main policy directory. This creates the modules.conf and policy.conf files. Now you can compile the policy by entering make policy. This gathers all the modules and compiles them into a binary policy that is directly used by SELinux.

The next step is to install the newly compiled policy by issuing the make install command. Next, you must reload the policy by typing make reload. If you have changed file specifications, you also need to relabel based on the new policy, this is done by typing make relabel. Finally, return to enforcing mode using the setenforce command.

One way to speed up this process is to issue all of the compilation commands in a single command line, as shown below.

# setenforce 0 && make policy install reload relabel reload && setenforce 1

Read Entire Aricle:
http://www.linuxsecurity.com/content/view/120837/49/


   Debian
  Debian: New zope2.7 packages fix arbitrary
file inclusion
  24th, November, 2005
Updated package.
 
  Debian: New gtk+2.0 packages fix several
vulnerabilities
  29th, November, 2005
Updated package.
 
  Debian: New centericq packages fix denial
of service
  30th, November, 2005
Updated package.
 
  Debian: New gdk-pixbuf packages fix several
vulnerabilities
  1st, December, 2005
Updated package.
 
  Debian: New horde2 packages fix cross-site
scripting
  1st, December, 2005
Updated package.
 
   Gentoo
  Gentoo: Macromedia Flash Player Remote
arbitrary code
  25th, November, 2005
A vulnerability has been identified that allows arbitrary code
execution on a user's system via the handling of malicious SWF files.
 
  Gentoo: Inkscape Buffer overflow
  28th, November, 2005
A vulnerability has been identified that allows a specially
crafted SVG file to exploit a buffer overflow and potentially execute
arbitrary code when opened.
 
  Gentoo: chmlib, KchmViewer Stack-based
buffer overflow
  28th, November, 2005
chmlib and KchmViewer contain a buffer overflow vulnerability
which may lead to the execution of arbitrary code.
 
  Gentoo: chmlib, KchmViewer Stack-based
buffer overflow
  28th, November, 2005
chmlib and KchmViewer contain a buffer overflow vulnerability
which may lead to the execution of arbitrary code.
 
   Mandriva
  Mandriva: Updated fuse packages fix vulnerability
  24th, November, 2005
Thomas Beige found that fusermount failed to securely handle
special characters specified in mount points, which could allow a local
attacker to corrupt the contents of /etc/mtab by mounting over a maliciously-named
directory using fusermount.
 
  Mandriva: Updated netpbm packages fix
pnmtopng vulnerabilities
  30th, November, 2005
Greg Roelofs discovered and fixed several buffer overflows in
pnmtopng which is also included in netpbm, a collection of graphic conversion
utilities, that can lead to the execution of arbitrary code via a specially
crafted PNM file.
 
  Mandriva: Updated kernel packages fix
numerous vulnerabilities
  30th, November, 2005
Updated package.
 
  Mandriva: Updated kernel packages fix
numerous vulnerabilities
  30th, November, 2005
Updated package.
 
  Mandriva: Updated kernel packages fix
numerous vulnerabilities
  30th, November, 2005
Updated package.
 

Category:

  • Security
Click Here!