Frank Murphy wrote:
> ------------A snip from the logwatch included at end-----------------
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "search" to <Unknown> (sysctl_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for <Unknown>,
>
> restorecon -v '<Unknown>'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:logwatch_t:s0
> Target Context                system_u:object_r:sysctl_net_t:s0
> Target Objects                None [ dir ]
> Source                        ifconfig
> Source Path                   /sbin/ifconfig
> Port                          <Unknown>
> Host                          frank-01
> Source RPM Packages           net-tools-1.60-91.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     frank-01
> Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue
>                               Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count                   4
> First Seen                    Sat 22 Nov 2008 09:17:13 GMT
> Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
> Local ID                      144ff94f-abf9-47ba-8ab6-bda6cceb41e8
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>
> node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003 syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for ./unix,
>
> restorecon -v './unix'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:logwatch_t:s0
> Target Context                system_u:object_r:proc_net_t:s0
> Target Objects                ./unix [ file ]
> Source                        ifconfig
> Source Path                   /sbin/ifconfig
> Port                          <Unknown>
> Host                          frank-01
> Source RPM Packages           net-tools-1.60-91.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     frank-01
> Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue
>                               Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count                   2
> First Seen                    Sat 22 Nov 2008 09:17:13 GMT
> Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
> Local ID                      c323266d-4b2a-4e47-9b13-eeb640939573
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>
> node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003 syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6 (proc_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for ./if_inet6,
>
> restorecon -v './if_inet6'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:logwatch_t:s0
> Target Context                system_u:object_r:proc_net_t:s0
> Target Objects                ./if_inet6 [ file ]
> Source                        ifconfig
> Source Path                   /sbin/ifconfig
> Port                          <Unknown>
> Host                          frank-01
> Source RPM Packages           net-tools-1.60-91.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     frank-01
> Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue
>                               Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count                   4
> First Seen                    Sat 22 Nov 2008 09:17:13 GMT
> Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
> Local ID                      9de63b84-aff8-4a49-bc45-510abd4637b3
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied { read } for pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>
> node=frank-01 type=SYSCALL msg=audit(1227345433.820:46): arch=40000003 syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for ./dev,
>
> restorecon -v './dev'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:logwatch_t:s0
> Target Context                system_u:object_r:proc_net_t:s0
> Target Objects                ./dev [ file ]
> Source                        ifconfig
> Source Path                   /sbin/ifconfig
> Port                          <Unknown>
> Host                          frank-01
> Source RPM Packages           net-tools-1.60-91.fc10
> Target RPM Packages           filesystem-2.4.19-1.fc10
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     frank-01
> Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue
>                               Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count                   6
> First Seen                    Sat 22 Nov 2008 09:17:13 GMT
> Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
> Local ID                      44eb7259-6162-4669-9b01-b5d48a63aaa5
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>
> node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003 syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> Logwatch:
> --------------------- Network Report Begin ------------------------
>
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
>
>
> ------------- Network Interfaces ---------------
>
> Ethernet : 1
> Other : 1
> Total : 2
>
>
> ------------- Ethernet -------------------------
>
> eth1 Link encap:Ethernet HWaddr 00:19:E0:7A:40:4C
>
>
> ------------- Other ----------------------------
>
> lo Link encap:Local Loopback
>
>
> ------------- Network Interfaces ---------------
>
>
> ------------- Network statistics ---------------
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1
>     inet6 fe80::219:e0ff:fe7a:404c/64 scope link
>        valid_lft forever preferred_lft forever
>
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Iface MTU RX-ERR TX-ERR
> eth1 1500 no BMRU
> lo 16436 no LRU
>
>
> ------------- Network statistics ---------------
>
>
> ---------------------- Network Report End -------------------------

So you have logwatch execing netstat? Do you know what script is doing this?

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
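
The raw audit messages in the quoted report show both what a local policy module would have to allow and which process asked for it. The following Python is an added example, not part of the original thread and not audit2allow itself: it groups the four AVC records by source type, target type and class. The function names `parse_avc`, `summarize` and `candidate_rules` are hypothetical, and the sample input is the report's AVC lines rejoined onto single lines.

```python
import re
from collections import defaultdict

# Constructed input: the four AVC records from the report, each rejoined onto
# one line (the mail client had wrapped them).
SAMPLE = """\
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied { read } for pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    contexts = [rec.get("scontext", ""), rec.get("tcontext", "")]
    if "tclass" not in rec or any(c.count(":") < 2 for c in contexts):
        return None  # truncated record: do not guess missing fields
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec["stype"], rec["ttype"] = (c.split(":")[2] for c in contexts)
    return rec

def summarize(text):
    """Group denials by (source type, target type, class); collect callers."""
    perms, callers = defaultdict(set), set()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
        callers.add((rec.get("comm"), rec.get("pid")))
    return perms, callers

def candidate_rules(text):
    """Render each group in allow-rule syntax, as candidates for review."""
    rules = []
    for (s, t, c), p in sorted(summarize(text)[0].items()):
        body = " ".join(sorted(p))
        if len(p) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)), sorted(summarize(SAMPLE)[1]))
```

All four denials collapse to two rules and a single caller, so the open question stays the one asked in the reply: what runs netstat in the logwatch_t domain.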