Re: SELINUX Problem (Firefox Create access on rawip_socket)


 



On 05/09/2016 03:30 PM, CS DBA wrote:
> On 05/09/2016 01:39 PM, Rick Stevens wrote:
>> On 05/09/2016 12:19 PM, CS DBA wrote:
>>> Hi All;
>>>
>>> I'm running Fedora 23 KDE Spin. After a recent Firefox update (I'm now
>>> at Firefox 46.0.1) I've been getting these SELinux alerts:
>>>
>>> The source process: 57656220436F6E74656E74
>>> Attempted this access:  create
>>> On this rawip_socket:
>>>
>>> The alert gives me 2 choices:
>>>
>>> 1) If I want to use the plugin package:
>>>
>>> you must turn off SELinux controls on the Firefox plugins.
>>> # setsebool -P unconfined_mozilla_plugin_transition 0
>>>
>>> 2) If I believe that 57656220436F6E74656E74 should be allowed to create
>>> access on the Unknown rawip_socket by default:
>>>
>>> You should report this as a bug.
>>> You can generate a local policy module to allow this access.
>>> Allow this access for now by executing:
>>> # ausearch -c 57656220436F6E74656E74 --raw | audit2allow -M mypol
>>> # semodule -i mypol.pp
>>>
>>> If I click on "Plugin Details" I get this:
>>>
>>> SELinux is preventing 57656220436F6E74656E74 from create access on the
>>> rawip_socket Unknown.
>>>
>>> Plugin: catchall
>>> If you want to allow 57656220436F6E74656E74 to have create access on the
>>> Unknown rawip_socket.
>>> If you believe that 57656220436F6E74656E74 should be allowed
>>> create access on the Unknown rawip_socket by default.
>>> You should report this as a bug.
>>> You can generate a local policy module to allow this access.
>>> Allow this access for now by executing:
>>> # ausearch -c 57656220436F6E74656E74 --raw | audit2allow -M mypol
>>> # semodule -i mypol.pp
>>>
>>> Thoughts? Is this a bug? Should I run the setsebool command to allow
>>> access?
>>
>> Smells fishy. I can't see an Internet website having any legitimate
>> need to open a raw IP socket and I really don't see Firefox needing to
>> do such a thing for normal operations. A web interface to an internal
>> process, perhaps, but not a website.
>>
>> BTW, the digits given, if used as a hex representation of a string,
>> equate to "Web content". Hmmmmmmmmm......... I sure as heck wouldn't
>> enable the boolean or add a policy.
>
> Should I be concerned that my laptop has been compromised? Time to
> install clamav? Or re-install Fedora completely?

I wouldn't go so far as to reinstall. SELinux has blocked a request--
specifically from Firefox--to open a rawip socket and that's what it's
supposed to do. Why Firefox tried to do that is a guess, but I think
you visited a site with some evil Javascript stuff in it and it's the
javascript that's trying to open the port. Since the Javascript would
be running in the context of the browser, SELinux reported that Firefox
was doing it. Note that antics such as this are another reason to not
just blithely allow Javascript to run in your browser. I certainly
don't.

So, to your question in more detail...

Are you compromised? Probably not. Emphasis on the "probably."

Is that website evil? If they're injecting Javascript to do things like
this, yes and they should be beaten senseless and staked out over an
anthill under a noon sun in the Sahara.

Should you ever just enable a boolean or set up a local policy? Not
unless you research and understand WHY you'd do such a thing. They do
have their uses at times.

Should you disable SELinux? Nope. Generally a bad idea.

Should you run a very restrictive firewall? Oh, yes, indeedy-do!

Should you run virus checkers such as clamav? Hell, yes!

Should you periodically scan your entire disk for viruses using
whatever checker you have? Again, hell yes! (I run clamscan every
night as a minimum).

Linux is a bit more impervious to the nefarious actions of the evil
hackers out there than MacOS and a lot more so than Winblows, but it
isn't perfect. If you're surfing the web, wear a full-body condom or
two. And always remember the motto:

"Just because I'm paranoid doesn't mean they AREN'T out to get me!"
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-      "Microsoft is a cross between The Borg and the Ferengi.       -
-  Unfortunately they use Borg to do their marketing and Ferengi to  -
-               do their programming."  -- Simon Slavin              -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
http://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
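Editor's added example (not part of the thread above, and not code from either poster or from the SELinux project): a small Python triage helper for AVC denials like the one discussed. It shows why the "source process" came out as a hex string (auditd hex-encodes a field whose value contains a space, a quote or a non-printable byte, and the Firefox child process is literally named "Web Content"), parses the record into fields, renders the rule a local module built with audit2allow would grant, and flags raw-socket creation by a browser process as something to investigate rather than allow. The AVC line, the pid and the mozilla_plugin_t contexts in it are constructed for this example and are assumptions, not values taken from the poster's system.

```python
"""Decode and triage an SELinux AVC denial of the kind shown in this thread."""
import re

# Constructed sample record for this example (an assumption, not copied from
# the poster's logs). It mirrors the denial in the thread: hex-encoded comm,
# tclass=rawip_socket, requested permission create. The contexts are assumed.
SAMPLE_AVC = (
    "type=AVC msg=audit(1462824600.123:456): avc:  denied  { create } for  "
    "pid=12345 comm=57656220436F6E74656E74 "
    "scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 "
    "tclass=rawip_socket permissive=0"
)

# String fields auditd hex-encodes when the value holds a space, a quote or a
# non-printable byte. Numeric fields such as pid= are deliberately excluded:
# "12345" is valid hex too, and decoding it would produce garbage.
HEX_ENCODABLE_FIELDS = {"comm", "exe", "name", "path", "cwd", "proctitle"}

# Object classes whose creation by a browser process warrants investigation
# rather than a local allow rule: a raw IP or packet socket lets the process
# craft arbitrary packets, which no ordinary web page needs.
HIGH_RISK_CREATE = {"rawip_socket", "packet_socket"}

_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
_DENIED_RE = re.compile(r"avc:\s+denied\s")


def decode_audit_field(name, raw):
    """Return the printable value of one audit field.

    Quoted values lose their quotes; an unquoted all-hex value in a
    hex-encodable field is decoded; everything else is returned unchanged.
    """
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if name in HEX_ENCODABLE_FIELDS and _HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Parse one AVC record into a dict of decoded fields plus a perms list."""
    if "avc:" not in line:
        raise ValueError("not an AVC record")
    rec = {"result": "denied" if _DENIED_RE.search(line) else "granted"}
    m = _PERMS_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    for key, raw in _KV_RE.findall(line):
        rec[key] = decode_audit_field(key, raw)
    # The SELinux type is the third colon-separated component of a context.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def allow_rule(rec):
    """Render the allow rule a local module would grant for this denial.

    Mirrors audit2allow's output shape: 'self' when source and target types
    match, braces only when more than one permission is requested.
    """
    target = "self" if rec["scontext_type"] == rec["tcontext_type"] else rec["tcontext_type"]
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["scontext_type"], target, rec["tclass"], perm_text)


def triage(rec):
    """Classify a parsed record: 'investigate', 'review' or 'info'."""
    if rec.get("result") != "denied":
        return "info"
    if rec.get("tclass") in HIGH_RISK_CREATE and "create" in rec["perms"]:
        return "investigate"
    return "review"


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print("process :", record["comm"], "(pid " + record["pid"] + ")")
    print("denial  :", record["scontext_type"], "->", record["tclass"], record["perms"])
    print("rule a local module would add:", allow_rule(record))
    print("verdict :", triage(record))
```

Run it against a real record with `ausearch -m avc --raw`, one line at a time; `ausearch -i` performs the same hex decoding if you only need to read the name. The point of rendering the rule before `semodule -i` is that it makes visible exactly what the "allow this access for now" shortcut would grant: here, permanent permission for the browser's content-process type to create raw IP sockets.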


