-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/09/2010 08:14 AM, Paul Howarth wrote:
Here I have a couple of changes to the milter policy that reduce
what
milters (well, spamass-milter in particular) are able to do.
Firstly, I noticed a while back that I was getting AVCs from
milter-regex and milter-greylist trying to read /proc/cpuinfo at program
start-up. I couldn't figure out what was causing that to happen
(probably part of some system call or maybe in libmilter) but this
access being denied didn't seem to cause any problems. I also saw that
the spamass-milter policy allowed this access. A few weeks ago I updated
my local policy to dontaudit this instead of allowing it and don't
appear to be suffering any problems as a result, so I propose to
dontaudit it in the milter template.
Secondly, the fix for CVE-2010-1132 in spamass-milter was just pushed to
stable for all supported Fedora and EPEL releases. This was unsanitized
input being passed in an argument to popen() and hence a shell. Upstream
proposed a patch for this several weeks ago that replaced the popen()
call with execve() via a wrapper called popenv(), which avoids the use
of a shell for this functionality. This fix hasn't been committed to
upstream CVS yet but I have tested it extensively myself and this fix
has been incorporated into the Fedora and Debian spamass-milter
packages. So for Fedora and Debian, the following policy rules are no
longer needed:
corecmd_exec_shell(spamass_milter_t)
corecmd_search_bin(spamass_milter_t)
These changes are all included in the attached patch against Rawhide
policy.
Paul.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux Applied to
selinux-policy-3.7.18-2.fc13.noarch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAkvDT5IACgkQrlYvE4MpobOTWACg3whsPhhIWliarn2LtOM9JQ/W
GQgAoKIkNtKUI7zUYwQFGsx3DZLMO+qm
=J6zQ
-----END PGP SIGNATURE-----