On 12/15/2010 12:41 AM, Daniel B. Thurman wrote:
> On 12/14/2010 03:35 PM, Dominick Grift wrote:
>> On 12/15/2010 12:32 AM, Daniel B. Thurman wrote:
>>> On 12/14/2010 02:45 PM, Daniel J Walsh wrote:
>>>> On 12/14/2010 05:02 PM, Daniel B. Thurman wrote:
>>>>
>>>>> Not sure what this means, but it sounds ominous...
>>>>> Using the latest updates.
>>>>>
>>>>> ==================================================
>>>>> Summary:
>>>>>
>>>>> Your system may be seriously compromised! /usr/bin/nautilus (deleted)
>>>>> attempted to mmap low kernel memory.
>>>>>
>>>>> Detailed Description:
>>>>>
>>>>> SELinux has denied the nautilus the ability to mmap low area of the kernel
>>>>> address space. The ability to mmap a low area of the address space, as
>>>>> configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
>>>>> protect against exploiting null deref bugs in the kernel. All
>>>>> applications that need this access should have already had policy written
>>>>> for them. If a compromised application tries modify the kernel this AVC
>>>>> would be generated. This is a serious issue. Your system may very well be
>>>>> compromised.
>>>>>
>>>>> Allowing Access:
>>>>>
>>>>> Contact your security administrator and report this issue.
>>>>>
>>>>> Additional Information:
>>>>>
>>>>> Source Context       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>> Target Context       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>> Target Objects       None [ memprotect ]
>>>>> Source               nautilus
>>>>> Source Path          /usr/bin/nautilus (deleted)
>>>>> Port                 <Unknown>
>>>>> Host                 (removed)
>>>>> Source RPM Packages
>>>>> Target RPM Packages
>>>>> Policy RPM           selinux-policy-3.7.19-74.fc13
>>>>> Selinux Enabled      True
>>>>> Policy Type          targeted
>>>>> Enforcing Mode       Enforcing
>>>>> Plugin Name          mmap_zero
>>>>> Host Name            (removed)
>>>>> Platform             Linux <host>.<domain>.com
>>>>>                      2.6.34.7-61.fc13.i686 #1 SMP
>>>>>                      Tue Oct 19 04:42:47 UTC 2010 i686 i686
>>>>> Alert Count          1186
>>>>> First Seen           Thu 09 Dec 2010 12:08:59 PM PST
>>>>> Last Seen            Thu 09 Dec 2010 12:13:09 PM PST
>>>>> Local ID             aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
>>>>> Line Numbers
>>>>>
>>>>> Raw Audit Messages
>>>>>
>>>>> node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc:
>>>>> denied { mmap_zero } for pid=26679 comm="nautilus"
>>>>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>> tclass=memprotect
>>>>>
>>>>> node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
>>>>> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
>>>>> items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
>>>>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
>>>>> exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
>>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>>>>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>> This is bad. I have no idea why it would need this and it should be
>>>> denied. Did you try to execute a wine app?
>>>
>>> Uh, I don't remember if I did, is there a way to tell if I did?
>>>
>>> I have another related one, should I post it together with this
>>> one or open a new post? It is a Nautilus problem as well.
>>
>> use this thread. nautilus (most likely) should not be doing this
>> something's wrong here, question remains is it a bug in nautilus or an
>> intrusion attempt (nautilus compromised), in my personal opinion.
>
> OK, I added the other selinux error as a reply to my original posting.
>
> I have no idea if it is a bug or an intrusion, but this system I am
> on is not exposed AFAIK to the Internet, it is also behind a firewall
> if that means anything...

And you are the only user running nautilus?

The other AVC denial you posted looks similar to this one. I only took a
quick look so I might be mistaken.

I guess that might narrow us down to a bug in nautilus (it could probably
also be a misconfiguration maybe).

Fact is I am running nautilus confined in my f14 system, and I have seen
it doing a lot of stuff but never this...
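
Added example, not part of the original thread: a short decoder for the SYSCALL record quoted above, showing what the denied call actually asked the kernel for. It assumes the i386 ABI the record reports (arch=40000003, where syscall 192 is mmap2); the function names are illustrative.

```python
import re

# SYSCALL record quoted in the thread, joined onto one line (uid/gid fields trimmed).
RECORD = (
    'type=SYSCALL msg=audit(1291925589.462:92406): arch=40000003 syscall=192 '
    'success=no exit=-13 a0=0 a1=a000 a2=3 a3=22 items=0 ppid=2663 pid=26679 '
    'auid=500 uid=500 tty=(none) ses=1 comm="nautilus" '
    'exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429 key=(null)'
)

# i386 constants from the Linux UAPI headers; other ABIs are not handled here.
AUDIT_ARCH_I386 = 0x40000003
SYS_MMAP2 = 192
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def parse_fields(record):
    """Return the key=value fields of one audit record (quotes kept)."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def decode_string(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def bit_names(bits, table):
    """List the names of the bits from `table` that are set in `bits`."""
    return [name for bit, name in sorted(table.items()) if bits & bit]

def describe_mmap2(record):
    """Decode the arguments of an i386 mmap2 SYSCALL record."""
    f = parse_fields(record)
    if int(f["arch"], 16) != AUDIT_ARCH_I386 or int(f["syscall"]) != SYS_MMAP2:
        raise ValueError("not an i386 mmap2 record")
    # audit logs a0..a3 in hex; exit is signed decimal
    addr, length, prot, flags = (int(f[k], 16) for k in ("a0", "a1", "a2", "a3"))
    return {
        "comm": decode_string(f["comm"]),
        "exe": decode_string(f["exe"]),
        "addr": addr,
        "length": length,
        "prot": bit_names(prot, PROT),
        "flags": bit_names(flags, FLAGS),
        "errno": -int(f["exit"]),   # 13 is EACCES
    }

if __name__ == "__main__":
    for key, value in describe_mmap2(RECORD).items():
        print(f"{key:7} {value}")
```

The decoded exe matches the Source Path in the alert, and the call is a 40 KiB anonymous private read/write mapping requested at address 0 without MAP_FIXED, refused with EACCES.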