Re: SELinux kerneloops and dhclient issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stephen Croll wrote:
> Note: Originally posted to fedora-list.
> 
> The "setroubleshoot browser" is reporting the following issues on Fedora 9:
> 
> SELinux is preventing kerneloops (kerneloops_t) "signal" to <Unknown>
> (kerneloops_t).
> SELinux is preventing dhclient (dhcpc_t) "read write" to socket
> (unconfined_t).
> 
> The first issue occurred on boot, but no longer seems to be happening. 
> The second
> issue occurs when I bring up eth0.
> 
> Should I file a bug report, or might there be something more sinister
> going on?
> 
> For reference, the complete reports are as follows:
> 
> Summary:
> 
> SELinux is preventing kerneloops (kerneloops_t) "signal" to <Unknown>
> (kerneloops_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by kerneloops. It is not expected that this
> access is required by kerneloops and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:kerneloops_t:s0
> Target Context                system_u:system_r:kerneloops_t:s0
> Target Objects                None [ process ]
> Source                        kerneloops
> Source Path                   /usr/sbin/kerneloops
> Port                          <Unknown>
> Host                          gerbil
> Source RPM Packages           kerneloops-0.11-1.fc9
> Target RPM Packages            Policy RPM                   
> selinux-policy-3.3.1-84.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gerbil
> Platform                      Linux gerbil 2.6.25.14-108.fc9.x86_64 #1
> SMP Mon
>                             Aug 4 13:46:35 EDT 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Sun 07 Sep 2008 03:21:55 AM CDT
> Last Seen                     Sun 07 Sep 2008 03:21:55 AM CDT
> Local ID                      fa4c1bd0-faf1-48ba-ba55-74285538ef90
> Line Numbers                   Raw Audit Messages            
> host=gerbil type=AVC msg=audit(1220775715.59:8): avc:  denied  { signal
> } for  pid=2363 comm="kerneloops"
> scontext=system_u:system_r:kerneloops_t:s0
> tcontext=system_u:system_r:kerneloops_t:s0 tclass=process
> 
> host=gerbil type=SYSCALL msg=audit(1220775715.59:8): arch=c000003e
> syscall=234 success=no exit=-13 a0=93b a1=93b a2=6 a3=8 items=0 ppid=1
> pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="kerneloops"
> exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0
> key=(null)
> 
> -and-
> 
> Summary:
> 
> SELinux is preventing dhclient (dhcpc_t) "read write" to socket
> (unconfined_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by dhclient. It is not expected that
> this access
> is required by dhclient and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the
> application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> Target Context               
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                             023
> Target Objects                socket [ unix_stream_socket ]
> Source                        dhclient
> Source Path                   /sbin/dhclient
> Port                          <Unknown>
> Host                          gerbil
> Source RPM Packages           dhclient-4.0.0-14.fc9
> Target RPM Packages            Policy RPM                   
> selinux-policy-3.3.1-84.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gerbil
> Platform                      Linux gerbil 2.6.25.14-108.fc9.x86_64 #1
> SMP Mon
>                             Aug 4 13:46:35 EDT 2008 x86_64 x86_64
> Alert Count                   16
> First Seen                    Sun 07 Sep 2008 12:56:48 AM CDT
> Last Seen                     Sun 07 Sep 2008 03:23:07 AM CDT
> Local ID                      a3b5492a-0ef2-4cc3-bdd0-4c06696bae70
> Line Numbers                   Raw Audit Messages            
> host=gerbil type=AVC msg=audit(1220775787.407:21): avc:  denied  { read
> write } for  pid=3069 comm="dhclient" path="socket:[68728]" dev=sockfs
> ino=68728 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=unix_stream_socket
> 
> host=gerbil type=SYSCALL msg=audit(1220775787.407:21): arch=c000003e
> syscall=59 success=yes exit=0 a0=948530 a1=94ad90 a2=8f0d70
> a3=3f48f67a70 items=0 ppid=2970 pid=3069 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dhclient"
> exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> key=(null)
> 


kerneloops needing signal is a bug in selinux-policy.

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-89.fc9.noarch

The dhcp_t (/sbin/dhclient) trying to read/write an unconfined_t
unix_stream_socket, is a leaked file descriptor.  So it is a bug in some
application that you are using to bring up your network.  What app are
you using for this?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux