-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/09/2010 08:14 AM, Paul Howarth wrote: > Here I have a couple of changes to the milter policy that reduce what > milters (well, spamass-milter in particular) are able to do. > > Firstly, I noticed a while back that I was getting AVCs from > milter-regex and milter-greylist trying to read /proc/cpuinfo at program > start-up. I couldn't figure out what was causing that to happen > (probably part of some system call or maybe in libmilter) but this > access being denied didn't seem to cause any problems. I also saw that > the spamass-milter policy allowed this access. A few weeks ago I updated > my local policy to dontaudit this instead of allowing it and don't > appear to be suffering any problems as a result, so I propose to > dontaudit it in the milter template. > > Secondly, the fix for CVE-2010-1132 in spamass-milter was just pushed to > stable for all supported Fedora and EPEL releases. This was unsanitized > input being passed in an argument to popen() and hence a shell. Upstream > proposed a patch for this several weeks ago that replaced the popen() > call with execve() via a wrapper called popenv(), which avoids the use > of a shell for this functionality. This fix hasn't been committed to > upstream CVS yet but I have tested it extensively myself and this fix > has been incorporated into the Fedora and Debian spamass-milter > packages. So for Fedora and Debian, the following policy rules are no > longer needed: > > corecmd_exec_shell(spamass_milter_t) > corecmd_search_bin(spamass_milter_t) > > These changes are all included in the attached patch against Rawhide > policy. > > Paul. > > > > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux Applied to selinux-policy-3.7.18-2.fc13.noarch -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkvDT5IACgkQrlYvE4MpobOTWACg3whsPhhIWliarn2LtOM9JQ/W GQgAoKIkNtKUI7zUYwQFGsx3DZLMO+qm =J6zQ -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux