[CentOS] ejabberd 2.0.2 vs SELinux vs CentOS 5
Stephen John Smoogen
smooge at gmail.com
Sat Oct 4 19:01:56 UTC 2008
On Sat, Oct 4, 2008 at 10:25 AM, Damian S <dsteward at internode.on.net> wrote:
> To answer my question, I have found the allow_execmem boolean, and set
> So, should I file a bug with someone?
> Also, I'm thinking I might run into more problems with SELinux silently
> interfering with ejabberd later on, so maybe I should disable SELinux
> and be done with it.
Well look at the problem.. your program is trying to execute code in
the memory area of the stack versus the application. That is usually
what exploit code does. So the first question I would ask is why is it
acting like exploit code? Now certain languages do act like that
because their concept of a stack is 'machine independent' (I think
that's the correct term).. an example is Lisp which expects that you
are running your code on a LISP machine which has a different memory
manager than most modern day hardware. On the other hand, some use a
side effect to accomplish something because the programmer was being
clever.. which usually bites someone later.
There are several paths you can go from here:
1) Run the system in passive mode. You won't be protected, but you can
watch what might be causing issues later on. [Worst case, if you have
an exploited machine and the logs aren't wiped.. you can figure out
why... ] Anytime you have something doing crypto that way would have
me wondering if some programmer was trying to be too clever.
2) Write a policy using audit2allow that would allow for ejabberd to
execute on the stack but not other programs
3) Turn on the boolean which then allows any program to execute memory.
4) Turn off selinux.
> Does anyone here run ejabberd with SELinux enabled?
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
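Options 2 and 3 above differ in blast radius: a per-domain policy module grants execmem only to the domain ejabberd's BEAM runtime runs in, while the allow_execmem boolean loosens it for every confined domain. The script below is an added example, not code from the thread or from the ejabberd project. It works from constructed AVC denial lines shaped like CentOS 5 audit.log output (the process name "beam", the initrc_t domain and the pids are assumptions, not taken from the original post), pulls out the fields that matter, and prints the same kind of type-enforcement module that `audit2allow -M` would generate, so the reader can see exactly what the targeted allow rule looks like before loading it.

```shell
#!/bin/sh
# Added example: triage SELinux execmem/execstack denials and build a
# targeted policy module instead of flipping the global allow_execmem boolean.

# Constructed sample denial (hypothetical contexts/pids, shaped like
# /var/log/audit/audit.log on CentOS 5; "beam" is assumed to be the Erlang VM).
AVC_SAMPLE='type=AVC msg=audit(1223145621.123:45): avc:  denied  { execmem } for  pid=4242 comm="beam" scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process'

# Constructed multi-line log: two execmem denials from the same domain, one
# execstack denial, and one unrelated line that must be ignored.
AUDIT_LOG="$AVC_SAMPLE
type=SYSCALL msg=audit(1223145621.123:45): arch=c000003e syscall=10 success=no exit=-13
type=AVC msg=audit(1223145622.456:46): avc:  denied  { execmem } for  pid=4243 comm=\"beam\" scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1223145623.789:47): avc:  denied  { execstack } for  pid=4243 comm=\"beam\" scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process"

# Permission(s) inside the braces, e.g. "execmem" or "execmem execstack".
avc_perm() {
  printf '%s\n' "$1" | awk -F'[{}]' '{ sub(/^ +/, "", $2); sub(/ +$/, "", $2); print $2 }'
}

# Type component of scontext= or tcontext= (user:role:TYPE:level -> TYPE).
avc_type() {
  printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\([^: ]*\).*/\1/p"
}

# Object class of the denial (process, file, ...).
avc_tclass() {
  printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p'
}

# Executable name recorded by the kernel.
avc_comm() {
  printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p'
}

# One "comm domain class perm" line per distinct denial found on stdin,
# so you can see what a program is asking for before deciding to allow it.
summarize_denials() {
  while IFS= read -r l; do
    case $l in *avc:*denied*) ;; *) continue ;; esac
    printf '%s %s %s %s\n' "$(avc_comm "$l")" "$(avc_type scontext "$l")" \
      "$(avc_tclass "$l")" "$(avc_perm "$l")"
  done | sort -u
}

# Emit a .te module granting only the denied permission to the denied
# domain, the same shape audit2allow -M produces for a single AVC line.
gen_te_module() {
  name=$1 line=$2
  perm=$(avc_perm "$line")
  src=$(avc_type scontext "$line")
  tgt=$(avc_type tcontext "$line")
  cls=$(avc_tclass "$line")
  # Multiple permissions must be brace-grouped in TE syntax.
  case $perm in *" "*) perm="{ $perm }" ;; esac
  if [ "$src" = "$tgt" ]; then target=self; else target=$tgt; fi
  printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n' "$name" "$src"
  if [ "$src" != "$tgt" ]; then printf '\ttype %s;\n' "$tgt"; fi
  printf '\tclass %s %s;\n}\n\nallow %s %s:%s %s;\n' "$cls" "$perm" "$src" "$target" "$cls" "$perm"
}

# Demo on the constructed log (safe to run anywhere; touches no policy).
printf '%s\n' "$AUDIT_LOG" | summarize_denials
gen_te_module ejabberd_execmem "$AVC_SAMPLE"

# On the real CentOS 5 box, the equivalent of option 2 from the message
# (assumes the denials are logged with comm="beam"):
#   grep 'comm="beam"' /var/log/audit/audit.log | audit2allow -M ejabberd_execmem
#   semodule -i ejabberd_execmem.pp
# Option 3, which applies to every domain, not just ejabberd's:
#   setsebool -P allow_execmem 1
```

Run the summary first and compare against the module before `semodule -i`: if the denied domain is a broad one like initrc_t (assumed here), the allow rule still covers everything running in that domain, so moving ejabberd into its own domain is the next step if you want the rule to be genuinely per-program.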