FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 04-09-2010, 12:14 PM
Paul Howarth
 
Default milter policy hardening

Here I have a couple of changes to the milter policy that reduce what
milters (well, spamass-milter in particular) are able to do.


Firstly, I noticed a while back that I was getting AVCs from
milter-regex and milter-greylist trying to read /proc/cpuinfo at program
start-up. I couldn't figure out what was causing that to happen
(probably part of some system call or maybe in libmilter) but this
access being denied didn't seem to cause any problems. I also saw that
the spamass-milter policy allowed this access. A few weeks ago I updated
my local policy to dontaudit this instead of allowing it and don't
appear to be suffering any problems as a result, so I propose to
dontaudit it in the milter template.


Secondly, the fix for CVE-2010-1132 in spamass-milter was just pushed to
stable for all supported Fedora and EPEL releases. This was unsanitized
input being passed in an argument to popen() and hence a shell. Upstream
proposed a patch for this several weeks ago that replaced the popen()
call with execve() via a wrapper called popenv(), which avoids the use
of a shell for this functionality. This fix hasn't been committed to
upstream CVS yet but I have tested it extensively myself and this fix
has been incorporated into the Fedora and Debian spamass-milter
packages. So for Fedora and Debian, the following policy rules are no
longer needed:


corecmd_exec_shell(spamass_milter_t)
corecmd_search_bin(spamass_milter_t)

These changes are all included in the attached patch against Rawhide policy.

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-12-2010, 04:51 PM
Daniel J Walsh
 
Default milter policy hardening

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/09/2010 08:14 AM, Paul Howarth wrote:
> Here I have a couple of changes to the milter policy that reduce what
> milters (well, spamass-milter in particular) are able to do.
>
> Firstly, I noticed a while back that I was getting AVCs from
> milter-regex and milter-greylist trying to read /proc/cpuinfo at program
> start-up. I couldn't figure out what was causing that to happen
> (probably part of some system call or maybe in libmilter) but this
> access being denied didn't seem to cause any problems. I also saw that
> the spamass-milter policy allowed this access. A few weeks ago I updated
> my local policy to dontaudit this instead of allowing it and don't
> appear to be suffering any problems as a result, so I propose to
> dontaudit it in the milter template.
>
> Secondly, the fix for CVE-2010-1132 in spamass-milter was just pushed to
> stable for all supported Fedora and EPEL releases. This was unsanitized
> input being passed in an argument to popen() and hence a shell. Upstream
> proposed a patch for this several weeks ago that replaced the popen()
> call with execve() via a wrapper called popenv(), which avoids the use
> of a shell for this functionality. This fix hasn't been committed to
> upstream CVS yet but I have tested it extensively myself and this fix
> has been incorporated into the Fedora and Debian spamass-milter
> packages. So for Fedora and Debian, the following policy rules are no
> longer needed:
>
> corecmd_exec_shell(spamass_milter_t)
> corecmd_search_bin(spamass_milter_t)
>
> These changes are all included in the attached patch against Rawhide
> policy.
>
> Paul.
>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Applied to selinux-policy-3.7.18-2.fc13.noarch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvDT5IACgkQrlYvE4MpobOTWACg3whsPhhIWl iarn2LtOM9JQ/W
GQgAoKIkNtKUI7zUYwQFGsx3DZLMO+qm
=J6zQ
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 08:05 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org