Adding two new booleans to httpd to tighten its security.
Tom London
selinux at gmail.com
Sun Dec 11 22:13:19 UTC 2005
On 12/11/05, Ulrich Drepper <drepper at redhat.com> wrote:
> Tom London wrote:
> > path="/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0"
> > type=SYSCALL msg=audit(1134335151.660:39): arch=40000003 syscall=125 per=400000
>
> This is indeed a text relocation issue. Since the code is LGPLed they
> have to provide you with the sources. Just compile and use
> eu-findtextrel to determine the sources of the text relocation.
>
>
> > type=PATH msg=audit(1134331229.904:20): item=0 name="/usr/bin/skype"
> > flags=101 inode=145190 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > type=CWD msg=audit(1134331229.904:20): cwd="/home/tbl"
> > type=SYSCALL msg=audit(1134331229.904:20): arch=40000003 syscall=11
>
> That's a fault in the execve syscall. This most likely means the binary
> has a section which is executable and writable at the same time. This
> really should never happen, it's a security nightmare. Would you want
> an application which by its nature has to accept connections from all
> over the net to have such a flaw?
>
> Maybe you can post the output of
>
> eu-readelf -l /usr/bin/skype
>
> --
> ➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
>
Agree that it's a security 'accident' waiting to happen.
Here is the output of 'eu-readelf -l /usr/bin/skype':
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x000120 0x000120 R E 0x4
  INTERP         0x000154 0x08048154 0x08048154 0x000013 0x000013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x7970f9 0x7970f9 RWE 0x1000
  LOAD           0x7970fc 0x087e00fc 0x087e00fc 0x00bc68 0x101e44 RWE 0x1000
  LOAD           0x7a2d64 0x088e2d64 0x088e2d64 0x016768 0x016768 RW  0x1000
  DYNAMIC        0x7972c4 0x087e02c4 0x087e02c4 0x000108 0x000108 RW  0x4
  NOTE           0x000168 0x08048168 0x08048168 0x000020 0x000020 R   0x4
  GNU_EH_FRAME   0x7008ec 0x087488ec 0x087488ec 0x0108fc 0x0108fc R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01      .interp
   02      .interp .note.ABI-tag .hash .dynsym .gnu.version
           .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata
           .eh_frame_hdr .eh_frame .gcc_except_table
   03      .ctors .dtors .jcr .dynamic .got .got.plt .data .dynbss .bss
   04      .dynstr .gnu.liblist .gnu.conflict
   05      .dynamic
   06      .note.ABI-tag
   07      .eh_frame_hdr
   08
--
Tom London
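As an added example (not part of this thread, and not a tool from either poster), here is a small Python audit that reads ELF program headers directly, i.e. the same information eu-readelf -l prints above, and flags the three loader-time hazards the exchange touches on: PT_LOAD segments that are both writable and executable (the RWE LOAD segments in the skype output), an executable or missing PT_GNU_STACK, and DT_TEXTREL / DF_TEXTREL in the dynamic section (the libgdk problem). The ELF images it runs on are constructed inside the script: the first copies the RWE flag pattern of the posted skype headers and additionally sets DT_TEXTREL so the text-relocation check is exercised (the posted skype output does not show a dynamic section, so that part is an assumption for the sample only); the second is what a hardened build looks like; the third omits PT_GNU_STACK altogether. Function and constant names (audit_elf, build_elf32, SAMPLE_*) are mine.

```python
"""Audit an ELF image for the loader-time hazards discussed in the thread:
PT_LOAD segments that are writable and executable at once (RWE), an executable
or missing PT_GNU_STACK, and DT_TEXTREL/DF_TEXTREL in the dynamic section."""
import struct
import sys

# ELF constants (values from elf.h)
PT_LOAD, PT_DYNAMIC, PT_PHDR, PT_GNU_STACK = 1, 2, 6, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 16, 30, 4


def parse_phdrs(data: bytes):
    """Return (ei_class, endianness prefix, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, end = data[4], "<" if data[5] == 1 else ">"
    if ei_class == 1:    # ELF32: e_phoff @28, e_phentsize @42, e_phnum @44
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        fmt = end + "IIIIIIII"  # type, offset, vaddr, paddr, filesz, memsz, flags, align
    elif ei_class == 2:  # ELF64: e_phoff @32, e_phentsize @54, e_phnum @56
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        fmt = end + "IIQQQQQQ"  # type, flags, offset, vaddr, paddr, filesz, memsz, align
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    segs = []
    for i in range(phnum):
        f = struct.unpack_from(fmt, data, phoff + i * phentsize)
        segs.append((f[0], f[6], f[1], f[4]) if ei_class == 1 else (f[0], f[1], f[2], f[5]))
    return ei_class, end, segs


def has_textrel(data: bytes, ei_class: int, end: str, dyn_off: int, dyn_size: int) -> bool:
    """Walk the PT_DYNAMIC table looking for DT_TEXTREL, or DF_TEXTREL inside DT_FLAGS."""
    fmt = end + ("iI" if ei_class == 1 else "qQ")  # (d_tag, d_val)
    step, pos = struct.calcsize(fmt), dyn_off
    while pos + step <= dyn_off + dyn_size:
        tag, val = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            return True
        pos += step
    return False


def audit_elf(data: bytes) -> dict:
    """Report the three hazards; rwe_segments indices match eu-readelf's segment numbering."""
    ei_class, end, segs = parse_phdrs(data)
    report = {"rwe_segments": [], "exec_stack": False, "textrel": False}
    saw_gnu_stack = False
    for idx, (p_type, flags, off, size) in enumerate(segs):
        if p_type == PT_LOAD and flags & PF_W and flags & PF_X:
            report["rwe_segments"].append(idx)
        elif p_type == PT_GNU_STACK:
            saw_gnu_stack = True
            report["exec_stack"] = bool(flags & PF_X)
        elif p_type == PT_DYNAMIC:
            report["textrel"] = has_textrel(data, ei_class, end, off, size)
    if not saw_gnu_stack:
        report["exec_stack"] = True  # no PT_GNU_STACK: x86 Linux falls back to an executable stack
    return report


def is_clean(data: bytes) -> bool:
    r = audit_elf(data)
    return not (r["rwe_segments"] or r["exec_stack"] or r["textrel"])


def build_elf32(segments, dyn_entries) -> bytes:
    """Constructed test input: a minimal little-endian i386 ELF with the given
    (p_type, p_flags) program headers plus a PT_DYNAMIC segment holding dyn_entries."""
    ehsize, phentsize, phnum = 52, 32, len(segments) + 1
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    dyn_off = ehsize + phentsize * phnum
    hdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    hdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, ehsize, 0, 0,
                       ehsize, phentsize, phnum, 40, 0, 0)  # ET_EXEC, EM_386
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x1000) for t, f in segments)
    phdrs += struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), PF_R | PF_W, 4)
    return hdr + phdrs + dyn


# Constructed samples (not real binaries): the first mirrors the RWE LOAD pattern of the
# posted skype headers and additionally carries DT_TEXTREL; the second is a hardened layout;
# the third has no PT_GNU_STACK at all.
SAMPLE_RWE_TEXTREL = build_elf32(
    [(PT_PHDR, PF_R | PF_X), (PT_LOAD, PF_R | PF_W | PF_X), (PT_LOAD, PF_R | PF_W | PF_X),
     (PT_LOAD, PF_R | PF_W), (PT_GNU_STACK, PF_R | PF_W)], [(DT_TEXTREL, 0)])
SAMPLE_CLEAN = build_elf32(
    [(PT_PHDR, PF_R | PF_X), (PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
     (PT_GNU_STACK, PF_R | PF_W)], [(DT_FLAGS, 0)])
SAMPLE_NO_GNU_STACK = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W)], [])

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python3 elfaudit.py /usr/bin/skype
        with open(path, "rb") as fh:
            print(path, audit_elf(fh.read()))
    if len(sys.argv) == 1:
        print("sample (RWE + textrel):", audit_elf(SAMPLE_RWE_TEXTREL))
        print("sample (clean):        ", audit_elf(SAMPLE_CLEAN))
```

On a real file the same three findings can be cross-checked with elfutils/binutils: eu-readelf -l for the segment flags, and eu-readelf -d (or readelf -d, which prints a TEXTREL flag line) for the dynamic section. The audit only tells you that the hazard exists; finding which object file introduced a text relocation is what eu-findtextrel, mentioned in the reply, is for.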