Adding two new booleans to httpd to tighten its security.

Tom London selinux at gmail.com
Sun Dec 11 22:13:19 UTC 2005


On 12/11/05, Ulrich Drepper <drepper at redhat.com> wrote:
> Tom London wrote:
> > path="/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0"
> > type=SYSCALL msg=audit(1134335151.660:39): arch=40000003 syscall=125 per=400000
>
> This is indeed a text relocation issue.  Since the code is LGPLed they
> have to provide you with the sources.  Just use compile and use
> eu-findtextrel to determine the sources of the text relocation.
>
>
> > type=PATH msg=audit(1134331229.904:20): item=0 name="/usr/bin/skype"
> > flags=101 inode=145190 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > type=CWD msg=audit(1134331229.904:20):  cwd="/home/tbl"
> > type=SYSCALL msg=audit(1134331229.904:20): arch=40000003 syscall=11
>
> That's a fault in the execve syscall.  This most likely means the binary
> has a section which is executable and writable at the same time.  This
> really should never happen, it's a security nightmare.  Would you want
> an application which by its nature has to accept connections from all
> over the net to have such a flaw?
>
> Maybe you can post the output of
>
>    eu-readelf -l /usr/bin/skype
>
> --
> ➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
>
Agree that it's a security 'accident' waiting to happen.

Here is the output of 'eu-readelf -l /usr/bin/skype'
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x000120 0x000120 R E 0x4
  INTERP         0x000154 0x08048154 0x08048154 0x000013 0x000013 R   0x1
        [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x7970f9 0x7970f9 RWE 0x1000
  LOAD           0x7970fc 0x087e00fc 0x087e00fc 0x00bc68 0x101e44 RWE 0x1000
  LOAD           0x7a2d64 0x088e2d64 0x088e2d64 0x016768 0x016768 RW  0x1000
  DYNAMIC        0x7972c4 0x087e02c4 0x087e02c4 0x000108 0x000108 RW  0x4
  NOTE           0x000168 0x08048168 0x08048168 0x000020 0x000020 R   0x4
  GNU_EH_FRAME   0x7008ec 0x087488ec 0x087488ec 0x0108fc 0x0108fc R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01      .interp
   02      .interp .note.ABI-tag .hash .dynsym .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table
   03      .ctors .dtors .jcr .dynamic .got .got.plt .data .dynbss .bss
   04      .dynstr .gnu.liblist .gnu.conflict
   05      .dynamic
   06      .note.ABI-tag
   07      .eh_frame_hdr
   08


--
Tom London
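The check Ulrich asks for above (does any LOAD segment carry RWE, and what does PT_GNU_STACK say) can be scripted so that a whole /usr/bin can be swept rather than reading `eu-readelf -l` output by eye. The following is an added example written for this page, not code from the thread or from elfutils: it parses the ELF header and program header table directly (ELF32/ELF64, either byte order), renders flags the way readelf does, and reports LOAD segments that are both writable and executable plus executable-stack requests. The two sample images are constructed in the script (one mirrors the flags of the posted /usr/bin/skype headers, the other is a well-formed text/data layout) and are not real binaries; the function names and the `audit_file` helper are this example's own. It does not look for DT_TEXTREL, so the libgdk text-relocation case still needs `eu-findtextrel`.

```python
"""Report ELF program headers that ask for writable+executable memory.

Added example (not from the selinux thread or elfutils). Reads the program
header table the way `eu-readelf -l` does and flags the two things Ulrich
points at: PT_LOAD segments marked RWE and PT_GNU_STACK marked executable.
"""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # GNU extension, same value on 32/64-bit
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits


def flag_str(flags):
    """Render p_flags like readelf: 'RWE', 'R E', 'RW '."""
    return "".join(c if flags & bit else " "
                   for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def parse_program_headers(data):
    """Return a list of dicts (type, offset, vaddr, paddr, filesz, memsz, flags, align)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]             # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELF32: e_phoff@28, e_phentsize@42, e_phnum@44
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt = end + "8I"
        fields = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    elif ei_class == 2:                          # ELF64: e_phoff@32, e_phentsize@54, e_phnum@56
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt = end + "2I6Q"                       # note p_flags moves before p_offset in ELF64
        fields = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        raise ValueError("bad EI_CLASS %d" % ei_class)
    return [dict(zip(fields, struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)))
            for i in range(e_phnum)]


def audit(phdrs):
    """Return human-readable findings; an empty list means no W+X mappings are requested."""
    findings = []
    saw_stack = False
    for i, ph in enumerate(phdrs):
        f = ph["flags"]
        if ph["type"] == PT_LOAD and f & PF_W and f & PF_X:
            findings.append("LOAD segment %d at 0x%08x is %s: writable and executable"
                            % (i, ph["vaddr"], flag_str(f).strip()))
        if ph["type"] == PT_GNU_STACK:
            saw_stack = True
            if f & PF_X:
                findings.append("PT_GNU_STACK asks for an executable stack (%s)" % flag_str(f).strip())
    if not saw_stack:
        # Linux treats a missing PT_GNU_STACK as a request for an executable stack.
        findings.append("no PT_GNU_STACK header: kernel defaults to an executable stack")
    return findings


def audit_file(path):
    """Hypothetical helper: run audit() on a binary on disk."""
    with open(path, "rb") as fh:
        return audit(parse_program_headers(fh.read()))


def build_elf32(segments):
    """Constructed ELF32 little-endian image: header plus program headers only (not loadable).

    segments: iterable of (p_type, p_vaddr, p_flags).
    """
    phoff, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8     # class32, LSB, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0x08048000, phoff, 0, 0,   # ET_EXEC, EM_386, ver, entry, phoff, shoff, flags
                               52, phentsize, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", t, 0, va, va, 0, 0, fl, 0x1000)
                     for t, va, fl in segments)
    return ehdr + phdrs


# Constructed sample with the same flag pattern as the posted /usr/bin/skype headers.
SKYPE_LIKE = build_elf32([
    (PT_LOAD, 0x08048000, PF_R | PF_W | PF_X),
    (PT_LOAD, 0x087E00FC, PF_R | PF_W | PF_X),
    (PT_LOAD, 0x088E2D64, PF_R | PF_W),
    (PT_GNU_STACK, 0, PF_R | PF_W),
])
# Constructed sample of a well-formed layout: text R E, data RW, non-executable stack.
CLEAN = build_elf32([
    (PT_LOAD, 0x08048000, PF_R | PF_X),
    (PT_LOAD, 0x08050000, PF_R | PF_W),
    (PT_GNU_STACK, 0, PF_R | PF_W),
])

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            for line in audit_file(path) or ["ok"]:
                print("%s: %s" % (path, line))
    else:
        for name, img in (("skype-like", SKYPE_LIKE), ("clean", CLEAN)):
            print(name, audit(parse_program_headers(img)) or "ok")
```

Run it with paths (`python3 wx_check.py /usr/bin/*`) to sweep a directory; with no arguments it audits the two constructed images. A clean result here only says the headers do not request W+X memory; a library that needs text relocations at load time (the libgdk case above) shows up through DT_TEXTREL and `eu-findtextrel`, not through p_flags.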
