SELinux mitigates remote root vulnerability in OpenPegasus

According to Red Hat Security Advisory RHSA-2008-0002, a recently discovered stack overflow flaw in OpenPegasus is mitigated by standard SELinux targeted policy in RHEL4 and RHEL5:

… an unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003)

Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux.

The enhanced memory protection tests in RHEL5 contribute here to mitigation.

On a related note, Mark Cox has just published an updated grid of vulnerability and threat mitigation features in RHEL and Fedora. Fedora 8, being the most recent distro listed, has the greatest number of these features.

security feature grid

Btw, for those able to attend FUDCon in Raleigh over the weekend, there will be a few SELinux folk around to answer questions, listen to feedback etc.

Update:
Someone asked for more Fedora-specific information to compare with other distributions. Here’s a well-maintained page on Fedora Security Features.

SELinux mitigates HPLIP vulnerability

I missed this one at the time, but a member of the Red Hat security response team just pointed me at this RHEL advisory from October, where a vulnerability in HPLIP was mitigated by standard targeted policy.

That is, SELinux provided zero-day protection against local users exploiting this vulnerability to run arbitrary code as root.

Previously:

FOSS.IN/2007 Wrapup

I’m finally back from FOSS.IN/2007, although my body clock seems to be lost somewhere in the Arabian Sea.

The push to make the conference more contributor-focused seemed to work very well.

The final talk slot, which was given to Rusty on short notice, included an invitation for FOSS developers to come down and stand on the stage. First, people who had contributed code to a project — way more people than anyone expected — stood up and came down. Then, progressively, people who’d submitted a bug report, or written documentation, or helped others, and finally, anyone who’d used FOSS. Here’s what it looked like:

foss.in closing talk: contributors on stage

Photo by Jim Grisanzio

Members of the then non-audience passed the microphone around for some ad-hoc lightning talks on what they were doing.

Following that, Atul spoke about the future of FOSS contribution in India, explaining that FOSS.IN would not move around the country, as it is preferred that each region develop its own event. Organizers of other Indian FOSS conferences provided brief overviews of each, including the entirely student-run FOSS Meet@NITC in Calicut.

It was a great ending to a great conference, and overall, simply refreshing to see so much grassroots activity.

An older attendee wrote a nice email to the conference mailing list with some interesting observations, such as “You are prime-movers of modern India” and “Some had weird hairstyles”. Indeed, as has been noted by others, including Simon Phipps, there’s an intense enthusiasm for technology in India which I’ve not seen elsewhere.

I really would not be surprised, within ten years, to see India become the top FOSS contributing country.

As a foreign speaker, I found the conference to be a great opportunity to spread knowledge in a direct way — beyond what is possible via code, documentation, blogging etc. — and can highly recommend it to others. Rusty had fun, although he definitely under-assessed his final talk.

If you’ve ever wondered what it’s like to return from your morning coffee run to be serenaded by a Nadaswaram, “the world’s loudest non-brass acoustic instrument”, here’s a video starring Andrew Cowie, Spot Calloway and the omnipresent Rusty as part of the audience.

http://www.youtube.com/watch?v=9kwI3Vn7aiM

FOSS.IN/2007 Photos

I’ve started uploading a conference photo set here. Expect to see more soon. You can find many photos by others by searching flickr for the tag “fossin2007”.

e.g. http://flickr.com/search/?q=fossin2007&w=all

some foss.in speakers

Jet lag is fun, as always — I didn’t think it’d be so bad traveling from Sydney instead of Boston, but it’s possibly worse. Thankfully, there is no shortage of strong coffee in Bangalore.

FOSS.IN kicks off

The FOSS.IN project days have commenced, ahead of the main conference. It’s great to be back in India, and to meet up with everyone again.

Rusty and I were walking around Bangalore yesterday, and encountered a family of monkeys crossing the road.

(video in case the embedding doesn’t work…)

NSA Security Guide for RHEL5

The NSA have published a 170-page security configuration guide for RHEL5. It’s a kind of best practices document for security, with step-by-step explanations for locking down pretty much every feature of the OS.

I’d say this is essential reading for anyone deploying RHEL or similar (Fedora, CentOS etc.) distributions, and likely also quite useful in the general case.

Seems like ideal reading during travel to FOSS.IN :-)

Less than a fortnight to go…

FOSS.IN/2007 looks to be shaping up well — here’s the shortlisted schedule.

The live registration stats are interesting — 57% of delegates have indicated interest in the Fedora session of the project days.

I’m honoured and very happy to be returning this year to give talks on general kernel development and the state of SELinux. While preparing the slides, I was surprised at how much has happened in SELinux since my last talk at the conference in 2005. Things really move fast in FOSS.

It’s lucky the talks this year have been extended to 90 minutes, as I have approximately several million slides to get through. Well, perhaps not so lucky for those attending my talks. I’ll post the slides after the conference. In the meantime, catch this interview with Dan Walsh on some cool SELinux features in Fedora 8.

Something that may be of interest to others visiting India for the conference is the excellent Foreign Speaker HOWTO by Harald Welte.

I’d echo his advice to always have small change on you (in denominations of 20/10/5 Rs and some coins), as 500 Rs notes are not very useful for local transport and similar, unless you like the idea of giving 10000% tips. It’s probably best to obtain the currency before getting to India, which typically needs to be ordered ahead of time.

see you @ foss.in 2007

Uli on SELinux; Hemispherical Shifts

Ulrich Drepper features in a video in the latest Red Hat Magazine, explaining how to play nicely with SELinux.

One of the common issues we see is breakage of third party applications, where they ship with dangerous bugs in the code, which SELinux will often find. These can be coding errors, such as not closing files on exec, so that child processes inherit the parent’s open file descriptors, or, also commonly, linking issues, where the application has not been built correctly. In the latter case, you will typically see unexpected failures of the memory-related security checks: Dan Walsh has written about this in detail recently.
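The close-on-exec point above, shown as an added example (not code from the post or from any of the projects mentioned): a descriptor opened without O_CLOEXEC is inherited by every program the process subsequently execs, while one opened with O_CLOEXEC is not; fd_is_cloexec(), open_leaky(), open_private(), set_cloexec() and check_cloexec_behaviour() are names chosen here for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if fd is closed automatically on exec(), 0 if an exec'd child
 * would inherit it, -1 if fd is not a valid open descriptor. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Leaky pattern: the descriptor is inherited across exec(). */
int open_leaky(const char *path) {
    return open(path, O_RDONLY);
}

/* Safe pattern: O_CLOEXEC marks the descriptor close-on-exec atomically at
 * open time, so there is no window in which a forked child can leak it. */
int open_private(const char *path) {
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Retrofit for descriptors that were opened without O_CLOEXEC.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Self-check on /dev/null: returns 1 if the leaky open is inheritable, the
 * O_CLOEXEC open is not, and set_cloexec() repairs the leaky one; 0 otherwise. */
int check_cloexec_behaviour(void) {
    int leaky = open_leaky("/dev/null");
    int safe = open_private("/dev/null");
    if (leaky < 0 || safe < 0) return 0;
    int ok = fd_is_cloexec(leaky) == 0 && fd_is_cloexec(safe) == 1
          && set_cloexec(leaky) == 0 && fd_is_cloexec(leaky) == 1;
    close(leaky);
    close(safe);
    return ok ? 1 : 0;
}

int main(void) {
    printf("close-on-exec behaviour as expected: %d\n", check_cloexec_behaviour());
    return 0;
}
```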

Ulrich mentions another common issue, where the application simply has no policy written for it. One approach for this is to run the application as an unconfined domain, which of course doesn’t help secure the application itself, but ensures that the rest of the system retains its SELinux protection.

Ideally, the application should have a policy, and Ulrich mentions efforts in education and training to help people better understand this area, as well as improvements in SELinux tools (setroubleshoot) and the development environment (e.g. modular policy).

Another approach that I would suggest, which should be highly effective, is to post details of your application to an SELinux mailing list (fedora-selinux, the main list etc.) and ask for help. In the meantime, you can run the system in permissive mode, which keeps labeling in place and logs denials without blocking them, so that you can observe the logs for further analysis if required.

Ulrich also mentions more policy being developed internally for packages, with increasing support for user-oriented (as opposed to server-) applications.

***

Some will know that I’ve recently moved back to Sydney, where I’ll be working in the same role with Red Hat. Linux in the Asia-Pacific region certainly seems to have grown since I left four years ago, as evidenced by the size of the current Sydney RH office compared to the fairly small one I visited then.

They have one of the most amazing views I’ve ever seen in Sydney, stretching from the harbour around to the Blue Mountains. Of course, my tiny camera & lack of skills cannot do it justice.

sydney harbour from the red hat sydney office in north sydney

On a clear day you can see New Zealand

It’s really exciting to be back.