On 03/06/2009 06:10 PM, Antonio Olivares wrote:
Dear selinux experts,
I am running rawhide and I have encountered the following denied avc's. Thank you all for your help in anticipation :).
Summary:
SELinux is preventing kerneloops (kerneloops_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by kerneloops. It is not expected that this
access is required by kerneloops and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:kerneloops_t:s0-s0:c0.c1023
Target Context system_u:object_r:inotifyfs_t:s0
Target Objects inotify [ dir ]
Source kerneloops
Source Path /usr/sbin/kerneloops
Port<Unknown>
Host riohigh
Source RPM Packages kerneloops-0.12-3.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 2
First Seen Fri 06 Mar 2009 08:37:41 AM CST
Last Seen Fri 06 Mar 2009 04:13:48 PM CST
Local ID a255a610-ce27-4ae2-8583-5e79658a0022
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377628.970:206): avc: denied { read } for pid=14322 comm="kerneloops" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1236377628.970:206): arch=40000003 syscall=11 success=yes exit=0 a0=987de20 a1=987dde8 a2=987d008 a3=9880368 items=0 ppid=14321 pid=14322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port<Unknown>
Host riohigh
Source RPM Packages NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 5
First Seen Mon 23 Feb 2009 07:23:54 AM CST
Last Seen Fri 06 Mar 2009 04:15:00 PM CST
Local ID f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
Summary:
SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by consoletype. It is not expected that this
access is required by consoletype and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:consoletype_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source consoletype
Source Path /sbin/consoletype
Port<Unknown>
Host riohigh
Source RPM Packages initscripts-8.89-2
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 10
First Seen Mon 23 Feb 2009 07:23:51 AM CST
Last Seen Fri 06 Mar 2009 04:15:00 PM CST
Local ID 2797c459-0038-4c1e-a419-d4bc54691e3a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.541:235): arch=40000003 syscall=11 success=yes exit=0 a0=8fe0470 a1=8fe0078 a2=8fe01c8 a3=8fe0078 items=0 ppid=14458 pid=14459 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port<Unknown>
Host riohigh
Source RPM Packages dhclient-4.1.0-9.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 3
First Seen Fri 06 Mar 2009 04:16:01 PM CST
Last Seen Fri 06 Mar 2009 04:16:01 PM CST
Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377761.743:243): arch=40000003 syscall=11 success=yes exit=0 a0=8d98e40 a1=8da51d0 a2=8d891b8 a3=8da51d0 items=0 ppid=14469 pid=14537 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=10 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
I first started the system, then I saw that there was no connection, so I did a service NetworkManager stop, followed by a start and then the denied avc. I did not get a working internet connection, so I then went to call dhclient, the command worked, but selinux kicked in. Thank you for your help. Will get back to work on Monday :)
Regards,
Antonio
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
kerneloops should be fixed in current rawhide.
selinux-policy-3.6.8-1.fc11
THe other leaks are probably caused by running konsole/kde. Which leaks
file descriptors like crazy. You can create a policy te file like the
following
cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)
require {
type unconfined_t;
attribute domain;
class unix_stream_socket { read write };
}
#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };
_eof
# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
