Trend Micro IWSS AVCs

Jeronimo Zucco <JCZucco@xxxxxx> · Thu, 02 Apr 2009 14:50:22 -0300

I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -  
www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).  
Here are the logs:

   Linux: Red Hat Enterprise Linux Server release 5.2
   Policy version:                 21
   Policy from config file:        targeted

type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125  
success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1  
pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502  
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"  
exe="/opt/trend/iwss/bin/iwss-process"  
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693769.018:25): avc:  denied  { execmod } for   
pid=4756 comm="ismetricmgmtd"  
path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0  
ino=9231574 scontext=system_u:system_r:initrc_t:s0  
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125  
success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0  
ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0  
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd"  
exe="/opt/trend/iwss/bin/ismetricmgmtd"  
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693772.384:32): avc:  denied  { execmod } for   
pid=4798 comm="svcmonitor"  
path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0  
ino=9231574 scontext=system_u:system_r:initrc_t:s0  
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125  
success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1  
pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0  
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295  
comm="svcmonitor" exe="/opt/trend/iwss/bin/svcmonitor"  
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693775.995:35): avc:  denied  { execmod } for   
pid=4889 comm="iwssd"  
path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0  
ino=9166090 scontext=system_u:system_r:initrc_t:s0  
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125  
success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1  
pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502  
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"  
exe="/opt/trend/iwss/bin/iwss-process"  
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238694058.311:155): avc:  denied  { execmod } for   
pid=19765 comm="iwssd"  
path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0  
ino=9166090 scontext=user_u:system_r:unconfined_t:s0  
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125  
success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1  
pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502  
egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"  
exe="/opt/trend/iwss/bin/iwss-process"  
subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1238694060.596:156): avc:  denied  { execmod } for   
pid=19765 comm="iwssd"  
path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0  
ino=9166092 scontext=user_u:system_r:unconfined_t:s0  
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125  
success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1  
pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502  
egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"  
exe="/opt/trend/iwss/bin/iwss-process"  
subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1238694164.063:188): avc:  denied  { execmod } for   
pid=4582 comm="iwssd"  
path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0  
ino=9166090 scontext=system_u:system_r:initrc_t:s0  
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125  
success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1  
pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502  
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"  
exe="/opt/trend/iwss/bin/iwss-process"  
subj=system_u:system_r:initrc_t:s0 key=(null)

It was running ok whith target selinux enforced, since december until  
today. Now I have to put selinux in permissive mode to get IWSS  
running again.

Running audit2allow, I've got this policy:

#============= initrc_t ==============
allow initrc_t initrc_tmp_t:file execmod;
allow initrc_t usr_t:file execmod;

#============= unconfined_t ==============
allow unconfined_t initrc_tmp_t:file execmod;
allow unconfined_t usr_t:file execmod;

To permissive, isn't? Any ideia how to fix it?

--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Universidade de Caxias do Sul - NPDU

http://jczucco.blogspot.com

---------------------------------------
Essa mensagem foi enviada pelo UCS Mail

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list