Re: avc denials: nspluginscan, file_t, gconfd?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Antonio Olivares wrote:
> Dear all,
> 
> I got a setroubleshoot popop on the laptop.  I am
> attaching them here:  
> 
> Advice/suggestions/comments greatly appreciated.
> 
> TIA,
> 
> Antonio 
> 
> 
> Summary:
> 
> SELinux is preventing nspluginscan from making the
> program stack executable.
> 
> Detailed Description:
> 
> The nspluginscan application attempted to make its
> stack executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If nspluginscan does not
> work and you need it to
> work, you can configure SELinux temporarily to allow
> this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Allowing Access:
> 
> Sometimes a library is accidentally marked with the
> execstack flag, if you find
> a library with this flag you can clear it with the
> execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to
> not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH.
> Otherwise, if you trust
> nspluginscan to run correctly, you can change the
> context of the executable to
> unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t
> '/usr/bin/nspluginscan'" You must also change the
> default file context files on
> the system in order to preserve them even on a full
> relabel. "semanage fcontext
> -a -t unconfined_execmem_exec_t
> '/usr/bin/nspluginscan'"
> 
> Fix Command:
> 
> chcon -t unconfined_execmem_exec_t
> '/usr/bin/nspluginscan'
> 
> Additional Information:
> 
> Source Context               
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Context               
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Objects                None [ process ]
> Source                        nspluginscan
> Source Path                   /usr/bin/nspluginscan
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           kdebase-4.0.3-9.fc9
> Target RPM Packages           
> Policy RPM                   
> selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     localhost.localdomain
> Platform                      Linux
> localhost.localdomain
>                              
> 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18
>                               19:05:03 EDT 2008 i686
> i686
> Alert Count                   11
> First Seen                    Tue 05 Feb 2008 07:13:02
> AM CST
> Last Seen                     Wed 21 May 2008 08:23:12
> AM CDT
> Local ID                     
> 7afb3a36-5b69-486c-a93b-02e714040250
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost.localdomain type=AVC
> msg=audit(1211376192.783:89): avc:  denied  {
> execstack } for  pid=3177 comm="nspluginscan"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
> 
> host=localhost.localdomain type=SYSCALL
> msg=audit(1211376192.783:89): arch=40000003
> syscall=125 success=no exit=-13 a0=bfeee000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=3166 pid=3177
> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) ses=1
> comm="nspluginscan" exe="/usr/bin/nspluginscan"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
> 
> 
You choice here is to first report a bug to who ever supplies the
plugin.  Then you can either do as the setroubleshoot tells you and turn
on the allow_execstack boolean or you can confine nsplugin using
allow_unconfined_nsplugin_transition.

If you turn on nsplugin confinement you probably need to relabel your
homedir

restorecon -R -v ~


> 
> Summary:
> 
> SELinux is preventing nm-system-setti
> (NetworkManager_t) "read" to
> ./PolicyKit.reload (system_crond_var_lib_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by nm-system-setti. It
> is not expected that this
> access is required by nm-system-setti and this access
> may signal an intrusion
> attempt. It is also possible that the specific version
> or configuration of the
> application is causing it to require additional
> access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials.
> You could try to restore
> the default system file context for
> ./PolicyKit.reload,
> 
> restorecon -v './PolicyKit.reload'
> 
> If this does not work, there is currently no automatic
> way to allow this access.
> Instead, you can generate a local policy module to
> allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable
> SELinux protection altogether. Disabling SELinux
> protection is not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context               
> system_u:system_r:NetworkManager_t:SystemLow-
>                               SystemHigh
> Target Context               
> system_u:object_r:system_crond_var_lib_t
> Target Objects                ./PolicyKit.reload [
> file ]
> Source                        nm-system-setti
> Source Path                  
> /usr/sbin/nm-system-settings
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages          
> NetworkManager-0.7.0-0.9.3.svn3675.fc10
> Target RPM Packages           
> Policy RPM                   
> selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux
> localhost.localdomain
>                              
> 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18
>                               19:05:03 EDT 2008 i686
> i686
> Alert Count                   3
> First Seen                    Wed 21 May 2008 08:21:22
> AM CDT
> Last Seen                     Thu 22 May 2008 06:51:05
> AM CDT
> Local ID                     
> 842c746b-258d-45ad-bb2e-22c271d0b9ef
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost.localdomain type=AVC
> msg=audit(1211457065.391:7): avc:  denied  { read }
> for  pid=2501 comm="nm-system-setti"
> name="PolicyKit.reload" dev=dm-0 ino=443096
> scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:system_crond_var_lib_t:s0
> tclass=file
> 
> host=localhost.localdomain type=SYSCALL
> msg=audit(1211457065.391:7): arch=40000003 syscall=292
> success=no exit=-13 a0=6 a1=75d620 a2=106 a3=9b81f20
> items=0 ppid=2500 pid=2501 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="nm-system-setti"
> exe="/usr/sbin/nm-system-settings"
> subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
> key=(null)
> 
> 

This is a bug which is fixed in F9 policy, but we have not been able to
build policy for F10.  It probably can be ignored.

> 
> Summary:
> 
> SELinux is preventing nm-system-setti
> (NetworkManager_t) "getattr" to /dev/root
> (fixed_disk_device_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by nm-system-setti. It
> is not expected that this
> access is required by nm-system-setti and this access
> may signal an intrusion
> attempt. It is also possible that the specific version
> or configuration of the
> application is causing it to require additional
> access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials.
> You could try to restore
> the default system file context for /dev/root,
> 
> restorecon -v '/dev/root'
> 
> If this does not work, there is currently no automatic
> way to allow this access.
> Instead, you can generate a local policy module to
> allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable
> SELinux protection altogether. Disabling SELinux
> protection is not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context               
> system_u:system_r:NetworkManager_t:SystemLow-
>                               SystemHigh
> Target Context               
> system_u:object_r:fixed_disk_device_t
> Target Objects                /dev/root [ blk_file ]
> Source                        nm-system-setti
> Source Path                  
> /usr/sbin/nm-system-settings
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages          
> NetworkManager-0.7.0-0.9.3.svn3675.fc10
> Target RPM Packages           
> Policy RPM                   
> selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux
> localhost.localdomain
>                              
> 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18
>                               19:05:03 EDT 2008 i686
> i686
> Alert Count                   3
> First Seen                    Wed 21 May 2008 08:21:23
> AM CDT
> Last Seen                     Thu 22 May 2008 06:51:07
> AM CDT
> Local ID                     
> 12a9ceb6-2b80-406f-86ce-eddd56016c6b
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost.localdomain type=AVC
> msg=audit(1211457067.143:8): avc:  denied  { getattr }
> for  pid=2501 comm="nm-system-setti" path="/dev/root"
> dev=tmpfs ino=402
> scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:fixed_disk_device_t:s0
> tclass=blk_file
> 
> host=localhost.localdomain type=SYSCALL
> msg=audit(1211457067.143:8): arch=40000003 syscall=195
> success=no exit=-13 a0=415283d a1=bff720ec a2=3d8fff4
> a3=415283d items=0 ppid=1 pid=2501 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295
> comm="nm-system-setti"
> exe="/usr/sbin/nm-system-settings"
> subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
> key=(null)
> 
> 
Also can be ignored

> 
> Summary:
> 
> SELinux is preventing dbus-daemon (xdm_dbusd_t)
> "execute" to ./gconfd-2
> (gconfd_exec_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by dbus-daemon. It is
> not expected that this
> access is required by dbus-daemon and this access may
> signal an intrusion
> attempt. It is also possible that the specific version
> or configuration of the
> application is causing it to require additional
> access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials.
> You could try to restore
> the default system file context for ./gconfd-2,
> 
> restorecon -v './gconfd-2'
> 
> If this does not work, there is currently no automatic
> way to allow this access.
> Instead, you can generate a local policy module to
> allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable
> SELinux protection altogether. Disabling SELinux
> protection is not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context               
> system_u:system_r:xdm_dbusd_t:SystemLow-SystemHigh
> Target Context               
> system_u:object_r:gconfd_exec_t
> Target Objects                ./gconfd-2 [ file ]
> Source                        dbus-daemon
> Source Path                   /bin/dbus-daemon
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           dbus-1.2.1-3.fc10
> Target RPM Packages           
> Policy RPM                   
> selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux
> localhost.localdomain
>                              
> 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18
>                               19:05:03 EDT 2008 i686
> i686
> Alert Count                   401
> First Seen                    Wed 21 May 2008 08:21:39
> AM CDT
> Last Seen                     Thu 22 May 2008 06:55:49
> AM CDT
> Local ID                     
> 3d366e28-6abd-4740-b078-7ec3f331bce5
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost.localdomain type=AVC
> msg=audit(1211457349.146:165): avc:  denied  { execute
> } for  pid=3544 comm="dbus-daemon" name="gconfd-2"
> dev=dm-0 ino=125235
> scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:gconfd_exec_t:s0
> tclass=file
> 
> host=localhost.localdomain type=SYSCALL
> msg=audit(1211457349.146:165): arch=40000003
> syscall=11 success=no exit=-13 a0=b8ed76f0 a1=b8edffa8
> a2=b8ede8f8 a3=b8edbb58 items=0 ppid=3543 pid=3544
> auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
> egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295
> comm="dbus-daemon" exe="/bin/dbus-daemon"
> subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
> key=(null)
> 
> 
> 
> 
> 
> Summary:
> 
> SELinux is preventing access to files with the label,
> file_t.
> 
> Detailed Description:
> 
> SELinux permission checks on files labeled file_t are
> being denied. file_t is
> the context the SELinux kernel gives to files that do
> not have a label. This
> indicates a serious labeling problem. No files on an
> SELinux box should ever be
> labeled file_t. If you have just added a new disk
> drive to the system you can
> relabel it using the restorecon command. Otherwise you
> should relabel the entire
> files system.
> 
> Allowing Access:
> 
> You can execute the following command as root to
> relabel your computer system:
> "touch /.autorelabel; reboot"
> 
> Additional Information:
> 
> Source Context               
> system_u:system_r:tmpreaper_t
> Target Context                system_u:object_r:file_t
> Target Objects                ./kpc [ dir ]
> Source                        tmpwatch
> Source Path                   /usr/sbin/tmpwatch
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           tmpwatch-2.9.13-2
> Target RPM Packages           
> Policy RPM                   
> selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   file
> Host Name                     localhost.localdomain
> Platform                      Linux
> localhost.localdomain
>                              
> 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18
>                               19:05:03 EDT 2008 i686
> i686
> Alert Count                   12
> First Seen                    Thu 28 Feb 2008 08:12:12
> AM CST
> Last Seen                     Thu 22 May 2008 08:15:01
> AM CDT
> Local ID                     
> 78c39dd1-e417-40e6-8056-ac3a90e9e235
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost.localdomain type=AVC
> msg=audit(1211462101.317:204): avc:  denied  { read }
> for  pid=14967 comm="tmpwatch" name="kpc" dev=dm-0
> ino=885859 scontext=system_u:system_r:tmpreaper_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> 
> host=localhost.localdomain type=SYSCALL
> msg=audit(1211462101.317:204): arch=40000003 syscall=5
> success=no exit=-13 a0=804ac62 a1=98800 a2=0 a3=0
> items=0 ppid=14964 pid=14967 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=4294967295 comm="tmpwatch"
> exe="/usr/sbin/tmpwatch"
> subj=system_u:system_r:tmpreaper_t:s0 key=(null)
> 
> 
> 
> 
> 
>       
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

We will fix these as soon as we can update Rawhide Policy.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux