On Tue, 23 Apr 2013 17:44:33 +0100, Junk wrote:

> On 23 Apr 2013, at 17:10, Beartooth <beartooth@xxxxxxxxxxx> wrote:
>
>> On Mon, 22 Apr 2013 16:40:19 +0800, Ed Greshko wrote:
>> [....]
>>> The only thing worse than a poorly asked question is a cryptic answer.
>>
>> OK, first off, I'm the OP.
>>
>> I suppose I should be flattered at being addressed as if I were
>> an Alpha Plus Technoid; but I'm not one. I'm just an old twice-retired
>> bookworm, running Fedora because there's more and better help online
>> for it than for anything else I've tried (most of the well-known
>> distros), and because I began back in '98 with RedHat. I can't imagine
>> anything I have being of interest to an intruder.
>>
>>
> You're right. They probably aren't interested in what you have. They might
> be interested in taking over your machine as part of a botnet though. A
> large amount of attacks are now automated against wide ranges of devices

Well, yes, I suppose some bad guy wanting only lots of machines,
any machines, might like mine, too.

>> All the replies in this thread so far have been way over my head.
>> The one thing I gather some of you want is the error message from SEL,
>> verbatim. I don't have it; I presume it's in some log somewhere, but I
>> have no idea how to find that log.
>>
>>
> Try sealert -a /var/log/audit/audit.log

[root@Hbsk2 ~]# sealert -a /var/log/audit/audit.log
 12% done[Errno 2] No such file or directory: 'wine-preloader'
100% donefound 3 alerts in /var/log/audit/audit.log
-----------------------------------------------------------------------------
[snip]
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect .

*****  Plugin mmap_zero (53.1 confidence) suggests  **************************

If you do not think /usr/bin/arora should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to mmap_low_allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.You can read 'unconfined_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that arora should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep arora /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                 [ memprotect ]
Source                        arora
Source Path                   /usr/bin/arora
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           arora-0.11.0-4.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hbsk2.hsd1.va.comcast.net
Platform                      Linux Hbsk2.hsd1.va.comcast.net 3.8.4-102.fc17.i686.PAE #1 SMP Sun Mar 24 13:15:17 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-04-21 16:01:52 EDT
Last Seen                     2013-04-21 16:01:52 EDT
Local ID                      fedad9e7-5ad4-49b0-a517-15a1e9efd7d4

Raw Audit Messages
type=AVC msg=audit(1366574512.695:480): avc: denied { mmap_zero } for pid=25852 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1366574512.695:480): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=7000 a2=3 a3=4022 items=0 ppid=1 pid=25852 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=arora exe=/usr/bin/arora subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: arora,unconfined_t,unconfined_t,memprotect,mmap_zero

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_t self:memprotect mmap_zero;

[root@Hbsk2 ~]#
----------------------------------------------------------------------------

> Or
>
> grep setroubleshoot /var/log/messages
>
> There will have been a full report in the graphical tool that initially
> warned you but these should give the same result.

They don't -- this one gets

[root@Hbsk2 ~]# grep setroubleshoot /var/log/messages
Apr 21 16:02:00 Hbsk2 setroubleshoot: SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 6805396b-b8d1-4368-9356-aef00cbb2e43
Apr 22 14:57:12 Hbsk2 setroubleshoot: Plugin Exception wine
Apr 22 14:57:12 Hbsk2 setroubleshoot: SELinux is preventing wine-preloader from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 78752ead-8351-4d64-a04d-a2f500d942cd
[root@Hbsk2 ~]#

--
Beartooth Staffwright, Neo-Redneck Not Quite Clueless Power User
Remember I have precious (very precious!) little idea where up is.
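
Added example, not part of the original thread and not code from any Fedora tool: a Python script that pairs the AVC and SYSCALL records sharing one audit event ID, as in the raw audit messages quoted above, and reports each denied mmap_zero with the program, domain and mmap arguments. The function names are hypothetical, the first two sample records are the ones from the message (with the wrapped context rejoined), and the third is constructed to show filtering.

```python
import re
from collections import defaultdict

# First two records: from the sealert output in the message above.
# Third record: constructed, an unrelated denial that must be filtered out.
SAMPLE = '''\
type=AVC msg=audit(1366574512.695:480): avc: denied { mmap_zero } for pid=25852 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1366574512.695:480): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=7000 a2=3 a3=4022 items=0 ppid=1 pid=25852 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=arora exe=/usr/bin/arora subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366574600.001:481): avc: denied { read } for pid=100 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

HEAD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by (timestamp, serial) so AVC and SYSCALL pair up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue  # not an audit record (blank line, sealert prose, ...)
        rtype, stamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(line[m.end():])}
        if rtype == 'AVC':
            p = PERMS.search(line)
            fields['perms'] = p.group(1).split() if p else []
        events[(stamp, serial)][rtype] = fields
    return events

def mmap_zero_denials(text):
    """Return one summary dict per denied mmap_zero on class memprotect."""
    out = []
    for (stamp, serial), recs in sorted(parse_events(text).items()):
        avc, sc = recs.get('AVC', {}), recs.get('SYSCALL', {})
        if 'mmap_zero' in avc.get('perms', []) and avc.get('tclass') == 'memprotect':
            out.append({
                'event': f'{stamp}:{serial}',
                'comm': avc.get('comm'),
                'exe': sc.get('exe'),
                'domain': avc.get('scontext', '::').split(':')[2],
                'syscall': sc.get('syscall'),
                # audit prints syscall arguments a0..a3 in hexadecimal
                'addr': int(sc['a0'], 16) if 'a0' in sc else None,
                'length': int(sc['a1'], 16) if 'a1' in sc else None,
            })
    return out
```

Calling `mmap_zero_denials()` on the text of an audit log shows which programs triggered the denial before deciding whether the `mmap_low_allowed` boolean suggested by sealert is warranted.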