mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-02-25 17:40:10 +00:00
Code Issues Projects Releases Wiki Activity
Files
master
meta-security/recipes-ids
History
Clayton Casciato c32a913012 suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute 
Add option to prevent memory mappings that are both writable and
executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
a606a81032/7.0/suricata-4.1.1-service.patch (L23)

Fedora:
cfb3b996f5

Resolve SELinux AVC denial:
type=PROCTITLE proctitle=/usr/bin/suricata
-c /etc/suricata/suricata.yaml -i eth0

type=SYSCALL arch=aarch64 syscall=mprotect success=no
exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main
exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)

type=AVC avc:  denied  { execmem } for  pid=283 comm=Suricata-Main
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2026-01-16 23:24:59 +02:00
..
aide
crowdsec
ossec
samhain
suricata
suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute
2026-01-16 23:24:59 +02:00