Hi all, first of all this comes from another thread I started in the Software section of the forum on how to build my own .rpm (
http://www.linuxquestions.org/questi....php?t=420119), but since it went off-topic and I haven't got more replies concerning a -what seems to me- security issue I discovered, I thought opening a new thread in the security section would be more useful.
Ok, a few days ago I downloaded the source of gyachi from
http://gyachi.sourceforge.net/. Then I decided to build my own .rpm with the source package and did it using checkinstall. Then I opened the resulting .rpm package with file-roller to verify its contents. It had two directories to be extracted in '/': 'usr' (containing 'local/share/gyachi' and 'local/bin/gyach'), and 'selinux' (containing a binary file named 'context'). Gyachi is supposed to be a messaging app for yahoo, so why should it write something in the '/selinux' directory during installation? Sounds like some sort of virus to me.
As a side note, I reinstalled gyachi from the source yesterday in the afternoon and after I discovered this '/selinux/context' file in the .rpm package I issued the command 'ls -la /selinux' and this is what I got:
Code:
$ ls -la /selinux
total 8
drwxr-xr-x 1 root root 0 feb 27 03:30 .
drwxr-xr-x 23 root root 4096 feb 27 07:30 ..
-rw-rw-rw- 1 root root 0 feb 27 03:30 access
dr-xr-xr-x 1 root root 0 feb 27 03:30 avc
dr-xr-xr-x 1 root root 0 feb 27 03:30 booleans
-rw-r--r-- 1 root root 0 feb 27 03:30 checkreqprot
--w------- 1 root root 0 feb 27 03:30 commit_pending_bools
-rw-rw-rw- 1 root root 0 feb 27 03:30 context
-rw-rw-rw- 1 root root 0 feb 27 03:30 create
--w------- 1 root root 0 feb 27 03:30 disable
-rw-r--r-- 1 root root 0 feb 27 03:30 enforce
-rw------- 1 root root 0 feb 27 03:30 load
-rw-rw-rw- 1 root root 0 feb 27 03:30 member
-r--r--r-- 1 root root 0 feb 27 03:30 mls
crw-rw-rw- 1 root root 1, 3 feb 27 03:30 null
-r--r--r-- 1 root root 0 feb 27 03:30 policyvers
-rw-rw-rw- 1 root root 0 feb 27 03:30 relabel
-rw-rw-rw- 1 root root 0 feb 27 03:30 user
As you can see, all the contents of the directory seem to have been created yesterday afternoon (however, the contents of '/usr/local/share/gyachi' were created yesterday at 18:30. I'm not sure of the precise time when I reinstalled gyachi).
So, what do you think about this? What to do now?
BTW, I already submitted the 'context' file to clamav's website to see whether it's a virus or not.
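As an added example (not from the post, and not gyachi's or checkinstall's own code), here is a small POSIX shell check a packager can run on a freshly built .rpm to flag payload paths that lie under kernel pseudo-filesystem mount points such as /selinux (the selinuxfs mount, whose nodes like context, enforce and booleans are created by the kernel, which is why they all share one timestamp in the listing above). The package listing used below is constructed for the demonstration; in real use the output of `rpm -qlp package.rpm` is piped into the function.

```shell
#!/bin/sh
# Flag package payload paths that fall under kernel pseudo-filesystem mount points.
# Real usage:  rpm -qlp gyachi-*.rpm | flag_pseudofs_paths
# (rpm -qlp prints the absolute path of every file the package would install.)

# Mount points provided by the kernel at boot, not by any package.
# /selinux is where selinuxfs was mounted on SELinux systems of this era.
PSEUDO_FS_ROOTS="/selinux /proc /sys"

# Read one path per line on stdin, print each offending path with the
# mount point it falls under, and return 1 if any was found (0 otherwise).
flag_pseudofs_paths() {
    found=0
    while IFS= read -r path; do
        for root in $PSEUDO_FS_ROOTS; do
            case "$path" in
                "$root"|"$root"/*)
                    printf 'SUSPICIOUS: %s (under %s)\n' "$path" "$root"
                    found=1
                    ;;
            esac
        done
    done
    return $found
}

# Constructed sample listing, modelled on the package described in the post
# (assumed file names; a real rpm -qlp listing will differ).
SAMPLE_PAYLOAD='/usr/local/bin/gyach
/usr/local/share/gyachi
/usr/local/share/gyachi/icons
/selinux/context'

# Number of flagged paths in the constructed sample (expected: 1).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_PAYLOAD" | flag_pseudofs_paths | wc -l | tr -d ' '
}

# Demonstration: a non-zero status means the payload touches a pseudo-filesystem.
printf '%s\n' "$SAMPLE_PAYLOAD" | flag_pseudofs_paths \
    || echo "payload writes into a kernel pseudo-filesystem; inspect before installing"
```

A hit here usually means the install step wrote to a kernel interface while checkinstall was recording files, so the entry should be dropped from the package rather than shipped.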