> > Thanks Tom for your guidance. Tomorrow as I get to work and get the
> > alert(s) will try to capture following your advice and mail them to
> > list.
>
> Bear in mind that if you're running auditd, the messages will be
> in /var/log/audit/audit.log rather than /var/log/messages.
>
> Paul.
>

Thanks Paul :)

Tom's advice worked. Here's the denied avc

[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# tail -f /var/log/messages
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:03 localhost setroubleshoot: Your system may be seriously compromised! For complete SELinux messages. run sealert -l 70b576a6-6313-4753-9403-22ac883c585a
Aug 18 07:26:03 localhost setroubleshoot: Your system may be seriously compromised! For complete SELinux messages. run sealert -l 70b576a6-6313-4753-9403-22ac883c585a
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:05 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
^C
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# sealert -l 70b576a6-6313-4753-9403-22ac883c585a

Summary:

Your system may be seriously compromised!

Detailed Description:

SELinux has denied the explorer.exe the ability to mmap low area of the kernel
address space. The ability to mmap a low area of the address space, as
configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
protect against exploiting null deref bugs in the kernel. All applications that
need this access should have already had policy written for them. If a
compromised application tries modify the kernel this AVC would be generated.
This is a serious issue. Your system may very well be compromised.

Allowing Access:

Contact your security administrator and report this issue.

Additional Information:

Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects                None [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           wine-core-1.1.26-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mmap_zero
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31-0.125.4.2.rc5.git2.fc12.i686 #1 SMP Tue Aug 11 21:20:05 EDT 2009 i686 i686
Alert Count                   86
First Seen                    Wed Aug 12 17:09:09 2009
Last Seen                     Tue Aug 18 07:26:03 2009
Local ID                      70b576a6-6313-4753-9403-22ac883c585a
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1250598363.591:37): avc: denied { mmap_zero } for pid=1861 comm="explorer.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

node=localhost.localdomain type=SYSCALL msg=audit(1250598363.591:37): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="explorer.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)

Thanks,

Antonio

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
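
Added example, not part of the original message and not setroubleshoot's own code: a Python script that pairs the AVC and SYSCALL records quoted above by their shared audit event ID and decodes the mmap arguments behind the mmap_zero denial. The function names, the small syscall table and the MAP_FIXED constant are assumptions of this example; SAMPLE is copied from the message.

```python
import re

# The two raw audit records from the sealert output above (copied, not live data).
SAMPLE = """\
node=localhost.localdomain type=AVC msg=audit(1250598363.591:37): avc: denied { mmap_zero } for pid=1861 comm="explorer.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=SYSCALL msg=audit(1250598363.591:37): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="explorer.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
# (audit arch, syscall number) -> name, for calls whose a0..a3 are addr, len, prot, flags.
MMAP_CALLS = {("40000003", "192"): "mmap2", ("c000003e", "9"): "mmap"}
MAP_FIXED = 0x10  # Linux x86 value (assumption of this example)

def parse_events(text):
    """Group audit records by event ID (timestamp:serial); records of one event share it."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, stamp, serial = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            rec["perms"] = p.group(1).split() if p else []
        events.setdefault((stamp, serial), {})[rtype] = rec
    return events

def mmap_zero_denials(text):
    """Return one finding per denied mmap_zero event, joined with its SYSCALL record."""
    findings = []
    for (stamp, serial), recs in sorted(parse_events(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "mmap_zero" not in avc["perms"]:
            continue
        f = {"event": f"{stamp}:{serial}", "comm": avc.get("comm"),
             "domain": avc.get("scontext", "::").split(":")[2],
             "exe": sc.get("exe"), "uid": sc.get("uid"), "exit": sc.get("exit")}
        name = MMAP_CALLS.get((sc.get("arch"), sc.get("syscall")))
        if name:  # audit logs a0..a3 in hexadecimal
            f.update(syscall=name, addr=int(sc["a0"], 16), length=int(sc["a1"], 16),
                     map_fixed=bool(int(sc["a3"], 16) & MAP_FIXED))
        findings.append(f)
    return findings

if __name__ == "__main__":
    print(mmap_zero_denials(SAMPLE))
```

On the records above this reports an mmap2 call from /usr/bin/wine-preloader in domain wine_t asking for a fixed mapping of 0x110000 bytes at address 0, refused with exit -13 (EACCES).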