Dear fellow selinux experts, selinux is at it again, this time, setroubleshoot shot out the warnings: Summary: SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t. Detailed Description: SELinux denied access requested by hal-acl-tool. It is not expected that this access is required by hal-acl-tool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:hald_acl_t:s0 Target Context system_u:system_r:hald_acl_t:s0 Target Objects None [ capability ] Source hal-acl-tool Source Path /usr/libexec/hal-acl-tool Port <Unknown> Host riohigh Source RPM Packages hal-0.5.12-3.20081013git.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-1.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon Alert Count 25 First Seen Thu 16 Oct 2008 05:21:21 PM CDT Last Seen Mon 20 Oct 2008 07:22:37 AM CDT Local ID 2dda3b9b-7240-47c2-9865-4e1c1971771c Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224505357.902:104): avc: denied { sys_resource } for pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 a0=4 a1=b7f94000 a2=854 a3=854 items=0 ppid=1873 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null) Summary: SELinux is preventing knotify4 from making the program stack executable. Detailed Description: The knotify4 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/knotify4'" Fix Command: chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects None [ process ] Source knotify4 Source Path /usr/bin/knotify4 Port <Unknown> Host riohigh Source RPM Packages kdebase-runtime-4.1.2-5.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-1.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execstack Host Name riohigh Platform Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon Alert Count 2 First Seen Mon 20 Oct 2008 07:21:30 AM CDT Last Seen Mon 20 Oct 2008 07:21:30 AM CDT Local ID eebb1d00-400c-4898-888b-ae7a132cd800 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224505290.544:95): avc: denied { execstack } for pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 a0=bf983000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2883 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. Detailed Description: SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Objects None [ capability ] Source console-kit-dae Source Path /usr/sbin/console-kit-daemon Port <Unknown> Host riohigh Source RPM Packages ConsoleKit-0.3.0-2.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-1.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon Alert Count 23 First Seen Thu 16 Oct 2008 04:27:59 PM CDT Last Seen Mon 20 Oct 2008 07:20:39 AM CDT Local ID 18c02e39-31cf-4b70-b999-fa910c61d822 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224505239.547:88): avc: denied { sys_resource } for pid=1810 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability node=riohigh type=SYSCALL msg=audit(1224505239.547:88): arch=40000003 syscall=4 success=yes exit=672 a0=1a a1=9fb1758 a2=2a0 a3=9fb1758 items=0 ppid=1 pid=1810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing sm-notify (rpcd_t) "sys_resource" rpcd_t. Detailed Description: SELinux denied access requested by sm-notify. It is not expected that this access is required by sm-notify and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:rpcd_t:s0 Target Context unconfined_u:system_r:rpcd_t:s0 Target Objects None [ capability ] Source rpc.statd Source Path /sbin/rpc.statd Port <Unknown> Host riohigh Source RPM Packages nfs-utils-1.1.3-6.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.12-2.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon Alert Count 2 First Seen Thu 16 Oct 2008 05:15:06 PM CDT Last Seen Thu 16 Oct 2008 05:15:06 PM CDT Local ID cc9a1241-41d6-4b07-aa8c-4d2701763004 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224195306.728:103): avc: denied { sys_resource } for pid=7184 comm="sm-notify" capability=24 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=capability node=riohigh type=SYSCALL msg=audit(1224195306.728:103): arch=40000003 syscall=4 success=yes exit=5 a0=5 a1=bffbd700 a2=5 a3=5 items=0 ppid=7183 pid=7184 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sm-notify" exe="/usr/sbin/sm-notify" subj=unconfined_u:system_r:rpcd_t:s0 key=(null) Which ones should I file bugs against, if there are any to file? I have seen knotify and selinux again, this one is filed. Do I need more info? Thanks, Antonio __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
