Adding two new booleans to httpd to tighten its security.

Nicolas Mailhot nicolas.mailhot at laposte.net
Mon Dec 12 20:00:26 UTC 2005


On Sun 11 December 2005 23:24, Ulrich Drepper wrote:
> Nicolas Mailhot wrote:
>> Seems some python bits and mplayer are not safe either :
>
> You have to specify which architecture.  I assume the following are x64
> since otherwise syscall=10 makes no sense.

x86_64

>> type=AVC msg=audit(1134326070.107:1325): avc:  denied  { execmem } for
>> pid=28368 comm="mplayer"
>> scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
>> tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>> type=SYSCALL msg=audit(1134326070.107:1325): arch=c000003e syscall=10
>> success=no exit=-13 a0=7fffff8a5000 a1=1000 a2=1000007 a3=1 items=0
>> pid=28368 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
>> egid=500 sgid=500 fsgid=500 comm="mplayer" exe="/usr/bin/mplayer"
>>
>> type=AVC msg=audit(1134326066.831:1324): avc:  denied  { execmem } for
>> pid=28361 comm="python"
>> scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
>> tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>> type=SYSCALL msg=audit(1134326066.831:1324): arch=c000003e syscall=10
>> success=no exit=-13 a0=7fffff863000 a1=1000 a2=1000007 a3=1 items=0
>> pid=28361 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
>> egid=500 sgid=500 fsgid=500 comm="python" exe="/usr/bin/python"
>
> Both are mprotect calls but because x64 does not allow text relocations
> the reason must be in the program logic.  Definitely wrong code but what
> remains to be seen.
>
> Try using strace to determine what the programs try to do.

I will try to isolate the problem. This was just a quick scan of
yesterday's audit.log. I installed a lot of new python packages at that
time, so pinpointing the problem is going to take some time.

Regards,

-- 
Nicolas Mailhot
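The records quoted above are what auditd writes for an SELinux execmem denial: an AVC line naming the permission and an associated SYSCALL line whose syscall number and argument registers only make sense once the arch field is decoded, which is the point Ulrich makes. The following Python is an added example, not part of this thread, that parses such record pairs, keys the syscall name on the architecture (c000003e is AUDIT_ARCH_X86_64, where 10 is mprotect), and expands the a2 prot argument into its PROT_* flag names from the Linux headers. The sample log embeds the two denials from the message, rejoined to one record per line as audit.log stores them; the small arch and syscall tables cover only the mapping calls this decoder needs.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above, one audit record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1134326070.107:1325): avc:  denied  { execmem } for pid=28368 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1134326070.107:1325): arch=c000003e syscall=10 success=no exit=-13 a0=7fffff8a5000 a1=1000 a2=1000007 a3=1 items=0 pid=28368 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mplayer" exe="/usr/bin/mplayer"
type=AVC msg=audit(1134326066.831:1324): avc:  denied  { execmem } for pid=28361 comm="python" scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1134326066.831:1324): arch=c000003e syscall=10 success=no exit=-13 a0=7fffff863000 a1=1000 a2=1000007 a3=1 items=0 pid=28361 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="python" exe="/usr/bin/python"
"""

# AUDIT_ARCH_* values from <linux/audit.h>: ELF machine | 64-bit flag | little-endian flag.
ARCHES = {"c000003e": "x86_64", "40000003": "i386"}

# Only the memory-mapping syscalls this decoder cares about; the numbers differ per arch.
SYSCALLS = {
    "x86_64": {9: "mmap", 10: "mprotect"},
    "i386": {125: "mprotect", 192: "mmap2"},
}

# PROT_* bits from <asm-generic/mman-common.h>, ascending bit order.
PROT_FLAGS = [
    (0x1, "PROT_READ"),
    (0x2, "PROT_WRITE"),
    (0x4, "PROT_EXEC"),
    (0x01000000, "PROT_GROWSDOWN"),
    (0x02000000, "PROT_GROWSUP"),
]

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def decode_prot(prot):
    """Expand a numeric prot argument into PROT_* names, keeping unknown bits visible."""
    names = [name for bit, name in PROT_FLAGS if prot & bit]
    leftover = prot & ~sum(bit for bit, _ in PROT_FLAGS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_audit(text):
    """Group records by (timestamp, serial); fields from AVC and SYSCALL lines merge."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events[(float(m["ts"]), int(m["serial"]))]
        body = m["body"]
        if m["type"] == "AVC":
            p = PERMS_RE.search(body)
            if p:
                ev["avc_result"] = p.group(1)
                ev["avc_perms"] = p.group(2).split()
        for key, value in KV_RE.findall(body):
            ev[key] = value.strip('"')
    return events


def decode_event(ev):
    """Resolve arch and syscall name, and decode the mapping arguments when relevant."""
    arch = ARCHES.get(ev.get("arch"), "unknown")
    nr = int(ev.get("syscall", -1))
    name = SYSCALLS.get(arch, {}).get(nr, f"syscall_{nr}")
    out = {
        "arch": arch, "syscall": name,
        "pid": int(ev["pid"]), "exe": ev.get("exe"), "comm": ev.get("comm"),
        "exit": int(ev.get("exit", "0")),
        "avc": ev.get("avc_perms", []), "prot": None,
    }
    if name in ("mprotect", "mmap", "mmap2"):
        # a0=addr, a1=length, a2=prot for all three; audit logs them as hex without 0x.
        out["addr"] = int(ev["a0"], 16)
        out["length"] = int(ev["a1"], 16)
        out["prot"] = decode_prot(int(ev["a2"], 16))
    return out


def execmem_denials(text):
    """Return decoded events, oldest first, whose AVC record denied execmem."""
    events = parse_audit(text)
    return [decode_event(ev) for _, ev in sorted(events.items())
            if ev.get("avc_result") == "denied" and "execmem" in ev.get("avc_perms", [])]


if __name__ == "__main__":
    for e in execmem_denials(SAMPLE_AUDIT_LOG):
        print(f'{e["exe"]} pid={e["pid"]} {e["arch"]} {e["syscall"]}'
              f'(0x{e["addr"]:x}, 0x{e["length"]:x}, {"|".join(e["prot"])}) exit={e["exit"]}')
```

For both records the decoder yields mprotect on a 0x1000-byte range with PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN and exit -13 (EACCES), which is the writable-plus-executable request that the execmem permission governs; which code path issues that call is what strace, as suggested in the reply, would show.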