Security outside of SElinux?
by Jeff Barnes
Are there commands with this functionality in Fedora?
If not what would it take to make them happen in general?
Reasons would be ease of security application and another reason is
that Enterprise has restrictions on altering SElinux policies
which effect warranty. If this functionality were a logic binary AND
with SELinux then we would not ever need to change default SElinux
policies.
________________________________________________________________
/sbin/PORTS_ALLOW_FOR_USER username list of ports
/sbin/PORTS_DENY_FOR_USER username list of ports
/sbin/LIST_ALLOWED_PORTS_FOR_USER username
/sbin/PORTS_ALLOW_FOR_FILE filename list of ports
/sbin/PORTS_DENY_FOR_FILE filename list of ports
/sbin/LIST_ALLOWED_PORTS_FOR_FILE filename
/sbin/PORTS_ALLOW_FOR_PROCESS processID list of ports
/sbin/PORTS_DENY_FOR_PROCESS processID list of ports
/sbin/LIST_ALLOWED_PORTS_FOR_PROCESS processID
___________________________________________________________________________
/sbin/PRIVILEGES_ALLOW_FOR_USER username list_of_privileges_or_levels
/sbin/PRIVILEGES_DENY_FOR_USER username list_of_privileges_or_levels
/sbin/LIST_ALLOWED_PRIVS_FOR_USER username list_of_privileges_or_levels
/sbin/PRIVILEGES_ALLOW_FOR_FILE filename list_of_privileges
/sbin/PRIVILEGES_DENY_FOR_FILE filename list_or_privileges
/sbin/LIST_ALLOWED_PRIVILIGES_FOR_FILE filename
/sbin/PRIVILEGES_ALLOW_FOR_PROCESS processnameID list_of_privileges
/sbin/PRIVILEGES_DENY_FOR_PROCESS processnameID list_of_privileges
/sbin/LIST_ALLOWED_PRIVILEGES_FOR_PROCESS processID
_____________________________________________________________________________
14 years, 10 months
Library address randomization
by Ricardo Rolim
Hi there,
Apparently I'm not getting library address randomization for any
programs (compiled or not as PIE). Whereas the binary itself, stack
and heap are randomly getting their addresses changed from one
execution to the next, the library stands still at a predictable
location. Strangely enough I've got the expected results out of Ubuntu
8.10. Here's one example:
[ricardo@localhost ~]$ cat /proc/sys/kernel/randomize_va_space
2
[ricardo@localhost ~]$ cat /proc/sys/kernel/exec-shield
1
[ricardo@localhost ~]$ echo 'int main(){}' > dummy.c
[ricardo@localhost ~]$ gcc -fpie -pie -o dummy dummy.c
[ricardo@localhost ~]$ ldd dummy
linux-gate.so.1 => (0x00130000)
libc.so.6 => /lib/libc.so.6 (0x00133000)
/lib/ld-linux.so.2 (0x00110000)
[ricardo@localhost ~]$ ldd dummy
linux-gate.so.1 => (0x00130000)
libc.so.6 => /lib/libc.so.6 (0x00133000)
/lib/ld-linux.so.2 (0x00110000)
Am I missing something? This is the third mailing list that I'm
trying. Thanks a lot :)
14 years, 10 months
Security reviews for new packages
by Jason L Tibbitts III
I do many package reviews, and occasionally I see a package that is
fine packaging-wise but which I don't feel comfortable approving
because I know it has security implications. One such package is
schroot, which has some pam magic to allow users to set up chroots.
https://bugzilla.redhat.com/show_bug.cgi?id=447368
It's quite possible that I'm simply being overly paranoid, but of
course I'm not qualified to say one way or the other. Is it possible
for someone with more knowledge in this area to take a look at the
package? What would be needed? (Perhaps a scratch build, or are the
src.rpm and spec sufficient?)
Could we work out a simple procedure for doing this in the future?
- J<
14 years, 10 months