On 12/14/2010 02:04 PM, Dominick Grift wrote:
> On 12/14/2010 11:02 PM, Daniel B. Thurman wrote:
> >
> > Not sure what this means, but it sounds ominous...
> > Using the latest updates.
> >
> > ==================================================
> > Summary:
> >
> > Your system may be seriously compromised! /usr/bin/nautilus (deleted) attempted
> > to mmap low kernel memory.
> >
> > Detailed Description:
> >
> > SELinux has denied the nautilus the ability to mmap low area of the kernel
> > address space. The ability to mmap a low area of the address space, as
> > configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
> > protect against exploiting null deref bugs in the kernel. All applications that
> > need this access should have already had policy written for them. If a
> > compromised application tries modify the kernel this AVC would be generated.
> > This is a serious issue. Your system may very well be compromised.
> >
> > Allowing Access:
> >
> > Contact your security administrator and report this issue.
> >
> > Additional Information:
> >
> > Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> >                               023
> > Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> >                               023
> > Target Objects                None [ memprotect ]
> > Source                        nautilus
> > Source Path                   /usr/bin/nautilus (deleted)
> > Port                          <Unknown>
> > Host                          (removed)
> > Source RPM Packages
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.7.19-74.fc13
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Plugin Name                   mmap_zero
> > Host Name                     (removed)
> > Platform                      Linux <host>.<domain>.com
> >                               2.6.34.7-61.fc13.i686 #1 SMP
> >                               Tue Oct 19 04:42:47 UTC 2010 i686 i686
> > Alert Count                   1186
> > First Seen                    Thu 09 Dec 2010 12:08:59 PM PST
> > Last Seen                     Thu 09 Dec 2010 12:13:09 PM PST
> > Local ID                      aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc:
> > denied { mmap_zero } for pid=26679 comm="nautilus"
> > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tclass=memprotect
>
> that looks pretty uncommon (bad) any way to reproduce this? looks like
> an intrusion attempt to me.

Well, I have no clue what is going on, just that it is incessant.
SeLinuxTool says that it encountered this 1186 times, and when I
just delete the report, sometime later it starts again.

>
> > node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
> > arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
> > items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
> > fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
> > exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux