Linux Advisory Watch – December 16, 2005

24

Author: Benjamin D. Thomas

This week, advisories were released for courier, osh, curl, ethereal, phpMyAdmin,
Openswan, Xmail, Ethereal, perl, openvpn, thunderbird, xmovie, mplayer, and
ffmpeg. The distributors include Debian, Gentoo, Mandriva.SELinux Policy Development: Modifying Policy
By: Pax Dickenson

Once you have your list of all your allow statements, examine them carefully
and try to understand what you are allowing before adding them to policy. One
weakness of audit2allow is that it is unaware of macros contained in the policy,
so grep through your policy sources for allow statements close to the ones you’d
like to add and try to find appropriate macros to use instead. If you’re planning
on doing a lot of policy customization it’s a good idea to familiarize yourself
with the existing policy sources so you’re aware what macros are available.

The $policy/policy/support/obj_perm_sets.spt is one good place to start, it
contains macros that expand out to useful permissions groupings. For example,
rather than allowing a domain the ioctl, read, getattr, lock, write, and append
permissions to a given type, you can simply assign it the rw_file_perms macro
instead. This helps keep policy readable later on.

Once you have generated your needed allow statements, add them to the $policy/policy/modules/admin/local.te
file and recompile the policy. If your application still won’t work in enforcing
mode, just repeat the process until you can run it with no SELinux audit errors.

Always keep your policy changes in the: $policy/policy/modules/admin/local.*
files. T

hese files are included in the package empty and intended for local policy
customization. If you change a file that belongs to a service and contains rules
already your changes will be lost when the policy is upgraded, so keep local
changes in the local.te and local.fc files where they belong.

If you find a problem in existing policy, add your changes to local.* but
provide a patch to the policy maintainers so they can include it in a later
build. Most SELinux policies are being constantly developed and revised since
the technology is still fairly new, and your upstream maintainers will thank
you for your help.

Policy development can be difficult at the beginning, but I think you’ll find
that as you make progress you’ll be learning not only about SELinux but about
the details of what your applications are really doing under the hood. You’ll
not only be making your system more secure, you’ll be learning about the low
level details of your system and its services. SELinux development has already
resulted in upstream patches to many applications that had hidden bugs that
were only found because SELinux alerted policy developers to the kernel level
actions the applications were attempting.

I hope you enjoyed reading this SELinux series as much as I enjoyed writing
it. Until next time, stay secure and keep your policy locked down tight.

Read Entire Aricle:
http://www.linuxsecurity.com/content/view/120837/49/


   Debian
  Debian: New courier packages fix unauthorised
access
  8th, December, 2005

Updated package.

 
  Debian: New osh packages fix privilege
escalation
  9th, December, 2005

Updated package.

 
  Debian: New curl packages fix potential
security problem
  12th, December, 2005

Updated package.

 
  Debian: New ethereal packages fix arbitrary
code execution
  13th, December, 2005

Updated package.

 
  Debian: New Linux 2.4.27 packages fix
several vulnerabilities
  14th, December, 2005

Updated package.

 
  Debian: New Linux 2.6.8 packages fix
several vulnerabilities
  14th, December, 2005

Updated package.

 
   Gentoo
  Gentoo: phpMyAdmin Multiple vulnerabilities
  11th, December, 2005

Multiple flaws in phpMyAdmin may lead to several XSS issues
and local and remote file inclusion vulnerabilities.

 
  Gentoo: Openswan, IPsec-Tools Vulnerabilities
in ISAKMP
  12th, December, 2005

Openswan and IPsec-Tools suffer from an implementation flaw
which may allow a Denial of Service attack.

 
  Gentoo: Xmail Privilege escalation through
sendmail
  14th, December, 2005

The sendmail program in Xmail is vulnerable to a buffer overflow,
potentially resulting in local privilege escalation.

 
  Gentoo: Ethereal Buffer overflow in OSPF
protocol dissector
  14th, December, 2005

Ethereal is missing bounds checking in the OSPF protocol dissector
that could lead to abnormal program termination or the execution of arbitrary
code.

 
   Mandriva
  Mandriva: Updated curl package fixes
format string vulnerability
  8th, December, 2005

Updated package.

 
  Mandriva: Updated perl package fixes
format string vulnerability
  8th, December, 2005

Jack Louis discovered a new way to exploit format string errors
in the Perl programming language that could lead to the execution of arbitrary
code.

 
  Mandriva: Updated openvpn packages fix
multiple vulnerabilities
  10th, December, 2005

Two Denial of Service vulnerabilities exist in OpenVPN. The
first allows a malicious or compromised server to execute arbitrary code
on the client (CVE-2005-3393). The second DoS can occur if when in TCP
server mode, OpenVPN received an error on accept(2) and the resulting
exception handler causes a segfault (CVE-2005-3409). The updated packages
have been patched to correct these problems.

 
  Mandriva: Updated mozilla-thunderbird
package fix vulnerability in enigmail
  13th, December, 2005

A bug in enigmail, the GPG support extension for Mozilla MailNews
and Mozilla Thunderbird was discovered that could lead to the encryption
of an email with the wrong public key. This could potentially disclose
confidential data to unintended recipients. The updated packages have
been patched to prevent this problem.

 
  Mandriva: Updated ethereal packages fix
vulnerability
  14th, December, 2005

A stack-based buffer overflow was discovered in the OSPF dissector
in Ethereal. This could potentially be abused to allow remote attackers
to execute arbitrary code via crafted packets. The updated packages have
been patched to prevent this problem.

 
  Mandriva: Updated xine-lib packages fix
buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user’s system.

 
  Mandriva: Updated xmovie packages fix
buffer overflow vulnerability
  14th, December, 2005

Updated package.

 
  Mandriva: Updated gstreamer-ffmpeg packages
fix buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user’s system.

 
  Mandriva: Updated mplayer packages fix
buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user’s system.

 
  Mandriva: Updated ffmpeg packages fix
buffer overflow vulnerability
  14th, December, 2005

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user’s system.