On 12/14/2010 02:02 PM, Daniel B. Thurman wrote:
> Not sure what this means, but it sounds ominous...
> Using the latest updates.
>
> ==================================================
> Summary:
>
> Your system may be seriously compromised! /usr/bin/nautilus (deleted)
> attempted to mmap low kernel memory.
>
> Detailed Description:
>
> SELinux has denied the nautilus the ability to mmap low area of the kernel
> address space. The ability to mmap a low area of the address space, as
> configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
> protect against exploiting null deref bugs in the kernel. All applications
> that need this access should have already had policy written for them. If a
> compromised application tries modify the kernel this AVC would be generated.
> This is a serious issue. Your system may very well be compromised.
>
> Allowing Access:
>
> Contact your security administrator and report this issue.
>
> Additional Information:
>
> Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects        None [ memprotect ]
> Source                nautilus
> Source Path           /usr/bin/nautilus (deleted)
> Port                  <Unknown>
> Host                  (removed)
> Source RPM Packages
> Target RPM Packages
> Policy RPM            selinux-policy-3.7.19-74.fc13
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Enforcing
> Plugin Name           mmap_zero
> Host Name             (removed)
> Platform              Linux <host>.<domain>.com 2.6.34.7-61.fc13.i686 #1 SMP
>                       Tue Oct 19 04:42:47 UTC 2010 i686 i686
> Alert Count           1186
> First Seen            Thu 09 Dec 2010 12:08:59 PM PST
> Last Seen             Thu 09 Dec 2010 12:13:09 PM PST
> Local ID              aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
> Line Numbers
>
> Raw Audit Messages
>
> node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc:
> denied { mmap_zero } for pid=26679 comm="nautilus"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect
>
> node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
> items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
> exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

This selinux error also comes up with the above:

====================================================
Summary:

SELinux is preventing /usr/bin/nautilus "mmap_zero" access on <Unknown>.

Detailed Description:

SELinux denied access requested by nautilus. The current boolean settings do
not allow this access. If you have not setup nautilus to require this access
this may signal an intrusion attempt. If you do intend this access you need to
change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access,
SELinux provides booleans to allow you to turn on/off access as needed. The
boolean mmap_low_allowed is set incorrectly.

Boolean Description: Allow certain domains to map low memory in the kernel

Fix Command:
# setsebool -P mmap_low_allowed 1

Additional Information:

Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        None [ memprotect ]
Source                nautilus
Source Path           /usr/bin/nautilus
Port                  <Unknown>
Host                  <host>.<domain>.com
Source RPM Packages   nautilus-2.30.1-6.fc13
Target RPM Packages
Policy RPM            selinux-policy-3.7.19-74.fc13
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall_boolean
Host Name             <host>.<domain>.com
Platform              Linux <host>.<domain>.com 2.6.34.7-63.fc13.i686 #1 SMP
                      Fri Dec 3 12:35:44 UTC 2010 i686 i686
Alert Count           1543
First Seen            Mon 13 Dec 2010 02:44:43 PM PST
Last Seen             Mon 13 Dec 2010 02:54:42 PM PST
Local ID              f035f5c8-ea23-4496-a9cd-8eab88c60842
Line Numbers

Raw Audit Messages

node=<host>.<domain>.com type=AVC msg=audit(1292280882.565:140615): avc:
denied { mmap_zero } for pid=12468 comm="nautilus"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect

node=<host>.<domain>.com type=SYSCALL msg=audit(1292280882.565:140615):
arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000 a2=3 a3=22
items=0 ppid=2553 pid=12468 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
exe="/usr/bin/nautilus"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
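
Added example, not part of the original message: a small Python decoder for the SYSCALL audit records quoted above, which turns the hex-encoded exe= field and the a0..a3 arguments into readable mmap2 parameters for triage. The function names are illustrative; it relies on syscall 192 under arch=40000003 being mmap2 on 32-bit x86 and on the x86 PROT_*/MAP_* bit values.

```python
import errno
import re

# First SYSCALL record quoted in the message (mail line-wrapping removed,
# uid/gid fields omitted for brevity).
RECORD = (
    'type=SYSCALL msg=audit(1291925589.462:92406): arch=40000003 syscall=192 '
    'success=no exit=-13 a0=0 a1=a000 a2=3 a3=22 items=0 ppid=2663 pid=26679 '
    'comm="nautilus" exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429'
)

AUDIT_ARCH_I386 = 0x40000003   # EM_386 | little-endian flag
I386_MMAP2 = 192               # mmap2 on 32-bit x86
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE",
         0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def parse_fields(record):
    """Split an audit record into raw key=value pairs (quotes preserved)."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def decode_string(raw):
    """auditd quotes safe strings and hex-encodes ones with spaces etc."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:          # e.g. the literal (null)
        return raw

def bit_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def decode_mmap2(record):
    f = parse_fields(record)
    if int(f["arch"], 16) != AUDIT_ARCH_I386 or int(f["syscall"]) != I386_MMAP2:
        raise ValueError("not an i386 mmap2 record")
    ret = int(f["exit"])        # exit= is decimal; a0..a3 are hex
    return {
        "exe": decode_string(f["exe"]),
        "addr": int(f["a0"], 16),
        "length": int(f["a1"], 16),
        "prot": bit_names(int(f["a2"], 16), PROT),
        "flags": bit_names(int(f["a3"], 16), FLAGS),
        "error": errno.errorcode.get(-ret) if ret < 0 else None,
    }

if __name__ == "__main__":
    for key, value in decode_mmap2(RECORD).items():
        print(f"{key:7} {value}")
```

The decoded exe= value matches the "Source Path" line of the first alert, and the flags show an anonymous private mapping requested at address 0 without MAP_FIXED.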