-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/01/2011 04:33 AM, Arthur Dent wrote:
> Hello all,
>
> I did my monthly yum update on my F15 server yesterday. It brought
> down a bunch of updates including
> selinux-policy-3.9.16-35.fc15.noarch and
> selinux-policy-targeted-3.9.16-35.fc15.noarch.
>
> Since then I have been getting several AVCs related to
> "unix_stream_socket". They break into 2 types:
>
> SELinux is preventing /usr/libexec/fprintd from 'read, write'
> accesses on the unix_stream_socket unix_stream_socket.
>
> and
>
> SELinux is preventing /usr/sbin/sendmail.sendmail from 'read,
> write' accesses on the unix_stream_socket unix_stream_socket.
>
> I detail one example of each below.
>
> What should I do about these? I have no idea what might be causing
> them...
>
> Thanks
>
> Mark
>
> ==================8<=============================================
>
> SELinux is preventing /usr/libexec/fprintd from 'read, write'
> accesses on the unix_stream_socket unix_stream_socket.
>
> ***** Plugin catchall (50.5 confidence) suggests ***************************
>
> If you believe that fprintd should be allowed read write access on
> the unix_stream_socket unix_stream_socket by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> ***** Plugin leaks (50.5 confidence) suggests ******************************
>
> If you want to ignore fprintd trying to read write access the
> unix_stream_socket unix_stream_socket, because you believe it
> should not need this access.
> Then you should report this as a bug.
> You can generate a local policy module to dontaudit this access.
> Do
> # grep /usr/libexec/fprintd /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:init_t:s0
> Target Objects                unix_stream_socket [ unix_stream_socket ]
> Source                        fprintd
> Source Path                   /usr/libexec/fprintd
> Port                          <Unknown>
> Host                          troodos.org.uk
> Source RPM Packages           fprintd-0.2.0-3.fc15
> Target RPM Packages
> Policy RPM                    selinux-policy-3.9.16-35.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     troodos.org.uk
> Platform                      Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
> Alert Count                   8
> First Seen                    Tue Aug 30 10:17:09 2011
> Last Seen                     Thu Sep 1 09:14:32 2011
> Local ID                      f5ca1075-789c-4c8f-971d-8919dd496044
>
> Raw Audit Messages
> type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>
> type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>
> type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008 a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
>
> Hash: fprintd,fprintd_t,init_t,unix_stream_socket,read,write
>
> audit2allow
>
> #============= fprintd_t ==============
> allow fprintd_t init_t:unix_stream_socket { read write };
>
> audit2allow -R
>
> #============= fprintd_t ==============
> allow fprintd_t init_t:unix_stream_socket { read write };
>
> ==================8<=============================================
>
> SELinux is preventing /usr/sbin/sendmail.sendmail from 'read, write'
> accesses on the unix_stream_socket unix_stream_socket.
>
> ***** Plugin catchall (50.5 confidence) suggests ***************************
>
> If you believe that sendmail.sendmail should be allowed read write
> access on the unix_stream_socket unix_stream_socket by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> ***** Plugin leaks (50.5 confidence) suggests ******************************
>
> If you want to ignore sendmail.sendmail trying to read write access
> the unix_stream_socket unix_stream_socket, because you believe it
> should not need this access.
> Then you should report this as a bug.
> You can generate a local policy module to dontaudit this access.
> Do
> # grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:init_t:s0
> Target Objects                unix_stream_socket [ unix_stream_socket ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port                          <Unknown>
> Host                          troodos.org.uk
> Source RPM Packages           sendmail-8.14.5-1.fc15
> Target RPM Packages
> Policy RPM                    selinux-policy-3.9.16-35.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     troodos.org.uk
> Platform                      Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
> Alert Count                   14
> First Seen                    Wed Aug 31 02:20:01 2011
> Last Seen                     Thu Sep 1 06:40:01 2011
> Local ID                      45c301bb-43a3-4b46-b23b-549d56586333
>
> Raw Audit Messages
> type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>
> type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>
> type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8 a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51 fsgid=51 tty=(none) ses=634 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
>
> Hash: sendmail,system_mail_t,init_t,unix_stream_socket,read,write
>
> audit2allow
>
> #============= system_mail_t ==============
> allow system_mail_t init_t:unix_stream_socket { read write };
>
> audit2allow -R
>
> #============= system_mail_t ==============
> allow system_mail_t init_t:unix_stream_socket { read write };
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

The analysis is correct: they are a leaked file descriptor.

# grep unix_stream_socket /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Will tell SELinux to ignore the access.

This is probably just init handing over a unix_stream_socket as stdin to
daemons it starts and these daemons passing the descriptor along. We
probably should just dontaudit them in general.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5fzDsACgkQrlYvE4MpobNG0QCgwfg4VdjlnLdFYofTbX/x4Y2z
rCIAoIci2JXk/uHCSi9+JzMIDKAy/ZBw
=TsQO
-----END PGP SIGNATURE-----
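Editor's added example (not code from the thread or from the selinux-policy project): a small POSIX shell script that rebuilds, from raw audit.log records, the dontaudit module source that `audit2allow -D -M mypol` generates for the denials above, so the rule can be read and its scope checked before `semodule -i` loads it, and that flags the leaked-descriptor signature the reply describes: a denial on an already-open socket (path="socket:[...]") whose audit event is an execve, which is SELinux re-checking descriptors inherited across the domain transition rather than a socket the daemon opened itself. The sample log embeds the two AVC/SYSCALL pairs quoted in the thread (shortened) plus one constructed, unrelated file denial as a control; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild what `audit2allow -D`
# would emit for the denials above, so the rule can be read before it is
# loaded, and flag the leaked-descriptor signature the reply describes.

# Constructed sample log: the two AVC/SYSCALL pairs quoted in the thread
# (shortened) plus one unrelated, made-up file denial used as a control.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 ppid=27862 pid=27863 uid=0 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023
type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 ppid=26963 pid=26981 uid=500 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023
type=AVC msg=audit(1314855700.100:4600): avc: denied { write } for pid=27001 comm="sendmail" name="dead.letter" dev=dm-0 ino=4242 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1314855700.100:4600): arch=i386 syscall=open success=no exit=-13 ppid=26963 pid=27001 uid=500 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023
EOF
}

# group_perms FMT: stdin is sorted "KEY<tab>PERM" lines; prints FMT once
# per KEY with that key's permissions joined by spaces.
group_perms() {
    awk -F '\t' -v fmt="$1" '
    $1 != last { if (last != "") printf fmt, last, perms; last = $1; perms = $2; next }
    { perms = perms " " $2 }
    END { if (last != "") printf fmt, last, perms }'
}

# avc_rules KIND CLASS: stdin is raw audit.log; prints one KIND rule
# (allow or dontaudit) per source-type/target-type pair on CLASS, with
# the union of the permissions that were denied.
avc_rules() {
    kind=$1; class=$2
    awk -v class="$class" '
    /^type=AVC/ && / avc: +denied / {
        perms = $0
        sub(/.*denied \{ */, "", perms); sub(/ *\}.*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (cls != class) next
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) printf "%s %s:%s\t%s\n", src, tgt, cls, p[i]
    }' | LC_ALL=C sort -u | group_perms "$kind %s { %s };\n"
}

# leak_module NAME CLASS: stdin is raw audit.log; prints a complete module
# source (NAME.te) that dontaudits the CLASS denials, including the
# require block that `audit2allow -M` adds for every type and class used.
leak_module() {
    name=$1; class=$2
    rules=$(avc_rules dontaudit "$class")
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | awk '{ print $2; split($3, t, ":"); print t[1] }' \
        | LC_ALL=C sort -u | sed 's/.*/    type &;/'
    printf '%s\n' "$rules" | awk '{
        split($3, t, ":"); s = $0
        sub(/.*\{ */, "", s); sub(/ *\}.*/, "", s)
        n = split(s, p, " ")
        for (i = 1; i <= n; i++) printf "%s\t%s\n", t[2], p[i]
    }' | LC_ALL=C sort -u | group_perms '    class %s { %s };\n'
    printf '}\n\n%s\n' "$rules"
}

# leak_candidates: stdin is raw audit.log; prints the denials that carry
# the leaked-descriptor signature: the object is an already-open socket
# (path="socket:[...]") and the audit event it belongs to is an execve,
# i.e. the descriptor was inherited across the domain transition instead
# of being opened by the confined program itself.
leak_candidates() {
    awk '
    /^type=SYSCALL/ && / syscall=execve / {
        match($0, /audit\([0-9.]+:[0-9]+\)/); execs[substr($0, RSTART, RLENGTH)] = 1
    }
    /^type=AVC/ && /path="socket:\[/ {
        match($0, /audit\([0-9.]+:[0-9]+\)/); id = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        avcs[id] = comm " inherited an open " cls " from " tgt
    }
    END { for (id in avcs) if (id in execs) print avcs[id] }' | LC_ALL=C sort -u
}

sample_audit_log | leak_candidates
sample_audit_log | leak_module mypol unix_stream_socket
```

On a real host, feed `grep unix_stream_socket /var/log/audit/audit.log` into `leak_candidates` first; if every hit is an execve-time denial on a socket owned by init_t, the reply's diagnosis fits. Then write `leak_module mypol unix_stream_socket > mypol.te` and build it with `checkmodule -M -m -o mypol.mod mypol.te && semodule_package -o mypol.pp -m mypol.mod && semodule -i mypol.pp` (the one-step `audit2allow -D -M mypol` does the same). Reading the generated rule first matters because the grep is only on the class name: the module silences every unix_stream_socket denial in the log for those domain pairs, not just the stdin hand-off, and once loaded those denials stay hidden until the module is removed or the policy is rebuilt with `semodule -DB`.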