On Thu, 2009-04-02 at 14:50 -0300, Jeronimo Zucco wrote:
> I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -
> www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).
> Here are the logs:
>
>
> Linux: Red Hat Enterprise Linux Server release 5.2
> Policy version: 21
> Policy from config file: targeted
>
>
>
> type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125
> success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1
> pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693769.018:25): avc: denied { execmod } for
> pid=4756 comm="ismetricmgmtd"
> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
> ino=9231574 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
semanage fcontext -a -t
textrel_shlib_t /opt/trend/iwss/bin/lib/libReportLogging.so
restorecon /opt/trend/iwss/bin/lib/libReportLogging.so
> type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125
> success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0
> ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd"
> exe="/opt/trend/iwss/bin/ismetricmgmtd"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693772.384:32): avc: denied { execmod } for
> pid=4798 comm="svcmonitor"
> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
> ino=9231574 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
Same as above
> type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125
> success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1
> pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295
> comm="svcmonitor" exe="/opt/trend/iwss/bin/svcmonitor"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693775.995:35): avc: denied { execmod } for
> pid=4889 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
> ino=9166090 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
semanage fcontext -a -t
textrel_shlib_t /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so
restorecon /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so
> type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125
> success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1
> pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238694058.311:155): avc: denied { execmod } for
> pid=19765 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
> ino=9166090 scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
Same as above
> type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125
> success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1
> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> type=AVC msg=audit(1238694060.596:156): avc: denied { execmod } for
> pid=19765 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0
> ino=9166092 scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
semanage fcontext -a -t
textrel_shlib_t /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so
restorecon /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so
> type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125
> success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1
> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> type=AVC msg=audit(1238694164.063:188): avc: denied { execmod } for
> pid=4582 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
> ino=9166090 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Same as above
> type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125
> success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1
> pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
>
>
> It was running ok whith target selinux enforced, since december until
> today. Now I have to put selinux in permissive mode to get IWSS
> running again.
>
>
> Running audit2allow, I've got this policy:
>
> #============= initrc_t ==============
> allow initrc_t initrc_tmp_t:file execmod;
> allow initrc_t usr_t:file execmod;
>
> #============= unconfined_t ==============
> allow unconfined_t initrc_tmp_t:file execmod;
> allow unconfined_t usr_t:file execmod;
>
>
>
> To permissive, isn't? Any ideia how to fix it?
>
Yes too permissive. The Trend Micro IWSS daemon runs in initrc_t (this domain is unconfined and meant for init scripts)
You should write policy for this init daemon.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
