lkm rootkitted, or issue with selinux 2.6.7 kernel?

lkm rootkitted, or issue with selinux 2.6.7 kernel?

[Luke Kenneth Casson Leighton]

hello, hello,

i have a slight situation with the fireflier and mysql packages:
their use results in chkrootkit's lkm (linux kernel module) test
showing a warning.

what i wondered was has anyone _else_ seen this issue, on debian/unstable,
with a 2.6.7 kernel.

ta,

l.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: lkm rootkitted, or issue with selinux 2.6.7 kernel?

[Stephen Smalley]

On Sun, 2004-08-01 at 08:41, Luke Kenneth Casson Leighton wrote:
> hello, hello,
> 
> i have a slight situation with the fireflier and mysql packages:
> their use results in chkrootkit's lkm (linux kernel module) test
> showing a warning.
> 
> what i wondered was has anyone _else_ seen this issue, on debian/unstable,
> with a 2.6.7 kernel.

I have no direct knowledge here, but I have seen discussions on various
lists indicating that chkrootkit is buggy/racy at least with respect to
Linux 2.6, yielding false positives.  

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: lkm rootkitted, or issue with selinux 2.6.7 kernel?

[Erich Schubert]

Hi,

> I have no direct knowledge here, but I have seen discussions on various
> lists indicating that chkrootkit is buggy/racy at least with respect to
> Linux 2.6, yielding false positives.  

Yes, IIRC chkrootkit doesn't understand new threads, listing these as
hidden processes. (they used to be in /proc, now they are
in /proc/parentpid/threads or so)

Greetings,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
     Which is worse: ignorance or apathy? Who knows? Who cares?      //\
  Wer keine Zeit mehr mit echten Freunden verbringt, der wird bald   V_/_
          sein Gleichgewicht verlieren. --- Michael Levine


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: lkm rootkitted, or issue with selinux 2.6.7 kernel?

[Luke Kenneth Casson Leighton]

On Mon, Aug 02, 2004 at 09:07:02AM -0400, Stephen Smalley wrote:
> On Sun, 2004-08-01 at 08:41, Luke Kenneth Casson Leighton wrote:
> > hello, hello,
> > 
> > i have a slight situation with the fireflier and mysql packages:
> > their use results in chkrootkit's lkm (linux kernel module) test
> > showing a warning.
> > 
> > what i wondered was has anyone _else_ seen this issue, on debian/unstable,
> > with a 2.6.7 kernel.
> 
> I have no direct knowledge here, but I have seen discussions on various
> lists indicating that chkrootkit is buggy/racy at least with respect to
> Linux 2.6, yielding false positives.  
 
 ah.  *whew*.  thanks.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.