Adding two new booleans to httpd to tighten its security.

Nicolas Mailhot nicolas.mailhot at laposte.net
Sat Dec 10 21:10:16 UTC 2005


On Sat 10 December 2005 21:59, Nicolas Mailhot wrote:
>
> On Sat 10 December 2005 21:37, Ulrich Drepper wrote:
>> Nicolas Mailhot wrote:
>>> avc:  denied  { execmem } for  pid=2950 comm="thunderbird-bin"
>>> scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255
>>> tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>>
>> If this really happens then this is a terrible bug in tbird.  It's
>> nothing which should be patched with the policy.  By not adding the
>> support to catch these problems early the code won't be fixed.
>>
>> New rules are often added for a specific purpose: discover bugs in
>> programs and stop existing threats.  It would be wrong to not attack
>> these as soon as possible.
>
> It really happens, at least there (and thunderbird hasn't been updated,
> only selinux was - so it was happening before).
>
> So there is a lot of work to do with existing rules before even thinking
> of moving to new bits like httpd port policy.

Vanilla x86_64 thunderbird (thunderbird-1.5-0.5.1.rc1) (installed a week
ago when evo started dying on non-ASCII folders), only extension: enigmail
0.93.1 (not that it actually works)

Rawhide killed evo a week ago (#174931)
It killed thunderbird today
I'm running out of IMAP clients. I still have squirrelmail, and it's not
even the rawhide one, since that one started misbehaving at least a month
before (#162852)

Do you want a bug entry for this problem too?

Regards,

-- 
Nicolas Mailhot




More information about the fedora-selinux-list mailing list