> > Thanks Tom for your guidance. Tomorrow as I get
> to work and get the
> > alert(s) will try to capture following your advice and
> mail them to
> > list.
>
> Bear in mind that if you're running auditd, the messages
> will be
> in /var/log/audit/audit.log rather than /var/log/messages.
>
> Paul.
>
Thanks Paul :)
Tom's advice worked. Here's the denied avc
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# tail -f /var/log/messages
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:03 localhost setroubleshoot: Your system may be seriously compromised! For complete SELinux messages. run sealert -l 70b576a6-6313-4753-9403-22ac883c585a
Aug 18 07:26:03 localhost setroubleshoot: Your system may be seriously compromised! For complete SELinux messages. run sealert -l 70b576a6-6313-4753-9403-22ac883c585a
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:05 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
^C
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# sealert -l 70b576a6-6313-4753-9403-22ac883c585a
Summary:
Your system may be seriously compromised!
Detailed Description:
SELinux has denied the explorer.exe the ability to mmap low area of the kernel
address space. The ability to mmap a low area of the address space, as
configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
protect against exploiting null deref bugs in the kernel. All applications that
need this access should have already had policy written for them. If a
compromised application tries modify the kernel this AVC would be generated.
This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects None [ memprotect ]
Source wine-preloader
Source Path /usr/bin/wine-preloader
Port <Unknown>
Host localhost.localdomain
Source RPM Packages wine-core-1.1.26-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.26-8.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name mmap_zero
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.31-0.125.4.2.rc5.git2.fc12.i686 #1 SMP Tue Aug
11 21:20:05 EDT 2009 i686 i686
Alert Count 86
First Seen Wed Aug 12 17:09:09 2009
Last Seen Tue Aug 18 07:26:03 2009
Local ID 70b576a6-6313-4753-9403-22ac883c585a
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1250598363.591:37): avc: denied { mmap_zero } for pid=1861 comm="explorer.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=SYSCALL msg=audit(1250598363.591:37): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="explorer.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
Thanks,
Antonio
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
