Hi Team,
I just Subscribed to the SELinux mailing list. my id is : manojhanse@xxxxxxxxx
I have been seeing some SELinux Alerts recently. I have attached These alert logs to the mail.
It would be very helpful if you could suggest relevant action on it. I am new to it.
Thanks & Regards,
Manoj Hanse | +91-8600626185
Pune, India-411017
Alert 1:
-------------------------------------------------------------------------------------
Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load
a kernel module.
Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined
programs that need to load kernel modules should have already had policy written
for them. If a compromised application tries to modify the kernel this AVC will
be generated. This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host RHEL01
Source RPM Packages NetworkManager-0.8.1-5.el6
Target RPM Packages
Policy RPM selinux-policy-3.7.19-54.el6
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name sys_module
Host Name RHEL01
Platform Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
21:50:49 UTC 2013 i686 i686
Alert Count 2
First Seen Sat 28 Sep 2013 09:50:19 PM IST
Last Seen Sat 28 Sep 2013 09:50:19 PM IST
Local ID f65c3572-b348-4bba-b82f-2b43efc785a0
Line Numbers
Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380385219.916:103): avc: denied { sys_module } for pid=2191 comm="NetworkManager" capability=16 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability
node=RHEL01 type=SYSCALL msg=audit(1380385219.916:103): arch=40000003 syscall=54 success=no exit=-19 a0=d a1=8913 a2=bfb6354c a3=bfb6354c items=0 ppid=1 pid=2191 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
------------------------------------------------------------------------------------------
Alert 2:
---------------------------------------------------------------------------------------
Summary:
SELinux is preventing /usr/bin/virsh "read" access on random.
Detailed Description:
SELinux denied access requested by virsh. It is not expected that this access is
required by virsh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:xm_t:s0
Target Context system_u:object_r:random_device_t:s0
Target Objects random [ chr_file ]
Source virsh
Source Path /usr/bin/virsh
Port <Unknown>
Host RHEL01
Source RPM Packages libvirt-client-0.10.2-18.el6
Target RPM Packages
Policy RPM selinux-policy-3.7.19-54.el6
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name RHEL01
Platform Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
21:50:49 UTC 2013 i686 i686
Alert Count 2
First Seen Sat 28 Sep 2013 10:39:47 PM IST
Last Seen Sun 29 Sep 2013 05:59:20 PM IST
Local ID 6589364e-74bb-4e16-be7d-02314a834726
Line Numbers
Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380457760.279:39013): avc: denied { read } for pid=11004 comm="virsh" name="random" dev=devtmpfs ino=3781 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
node=RHEL01 type=SYSCALL msg=audit(1380457760.279:39013): arch=40000003 syscall=33 success=no exit=-13 a0=53719ec a1=4 a2=537ee94 a3=1 items=0 ppid=11001 pid=11004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
------------------------------------------------------------------------------------------
Alert 3:
---------------------------------------------------------------------------------------
Summary:
SELinux is preventing /usr/sbin/dnsmasq "write" access on network.
Detailed Description:
SELinux denied access requested by dnsmasq. It is not expected that this access
is required by dnsmasq and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Context system_u:object_r:virt_var_run_t:s0
Target Objects network [ dir ]
Source dnsmasq
Source Path /usr/sbin/dnsmasq
Port <Unknown>
Host RHEL01
Source RPM Packages dnsmasq-2.48-4.el6
Target RPM Packages
Policy RPM selinux-policy-3.7.19-54.el6
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name RHEL01
Platform Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
21:50:49 UTC 2013 i686 i686
Alert Count 5
First Seen Sun 29 Sep 2013 05:59:58 AM IST
Last Seen Tue 01 Oct 2013 03:29:16 AM IST
Local ID 74e9f64e-4ef1-45fa-ae30-18ff3b4e885f
Line Numbers
Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578356.144:26): avc: denied { write } for pid=2897 comm="dnsmasq" name="network" dev=dm-0 ino=545060 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578356.144:26): arch=40000003 syscall=5 success=no exit=-13 a0=9de6938 a1=8241 a2=1b6 a3=806ba38 items=0 ppid=1 pid=2897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
-----------------------------------------------------------------------------------------
Alert 4:
---------------------------------------------------------------------------------------
Summary:
SELinux is preventing /usr/libexec/gdm-session-worker "write" access on root.
Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:admin_home_t:s0
Target Objects root [ dir ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host RHEL01
Source RPM Packages gdm-2.30.4-21.el6
Target RPM Packages filesystem-2.4.30-2.1.el6
Policy RPM selinux-policy-3.7.19-54.el6
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name RHEL01
Platform Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
21:50:49 UTC 2013 i686 i686
Alert Count 2
First Seen Tue 01 Oct 2013 03:31:13 AM IST
Last Seen Tue 01 Oct 2013 03:31:13 AM IST
Local ID bfcc74ad-0397-46b0-bcc9-d544b6cd469b
Line Numbers
Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578473.938:58): avc: denied { write } for pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.938:58): arch=40000003 syscall=5 success=no exit=-13 a0=820c680 a1=80c2 a2=180 a3=1d items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
-----------------------------------------------------------------------------------------
Alert 5:
------------------------------------------------------------------------------------
Summary:
SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on
root.
Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:admin_home_t:s0
Target Objects root [ dir ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host RHEL01
Source RPM Packages gdm-2.30.4-21.el6
Target RPM Packages filesystem-2.4.30-2.1.el6
Policy RPM selinux-policy-3.7.19-54.el6
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name RHEL01
Platform Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
21:50:49 UTC 2013 i686 i686
Alert Count 1
First Seen Tue 01 Oct 2013 03:31:13 AM IST
Last Seen Tue 01 Oct 2013 03:31:13 AM IST
Local ID 02caea5e-c1b1-496a-9f47-9ff352c91539
Line Numbers
Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578473.929:56): avc: denied { read write } for pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.929:56): arch=40000003 syscall=33 success=no exit=-13 a0=81aff18 a1=7 a2=d201a4 a3=820dd50 items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
-----------------------------------------------------------------------------------------
Alert 6:
---------------------------------------------------------------------------------------
Summary:
SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on
root.
Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:admin_home_t:s0
Target Objects root [ dir ]
Source gdm-session-wor
Source Path /usr/libexec/gdm-session-worker
Port <Unknown>
Host RHEL01
Source RPM Packages gdm-2.30.4-21.el6
Target RPM Packages filesystem-2.4.30-2.1.el6
Policy RPM selinux-policy-3.7.19-54.el6
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name RHEL01
Platform Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
21:50:49 UTC 2013 i686 i686
Alert Count 1
First Seen Tue 01 Oct 2013 03:31:13 AM IST
Last Seen Tue 01 Oct 2013 03:31:13 AM IST
Local ID 02caea5e-c1b1-496a-9f47-9ff352c91539
Line Numbers
Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578473.929:56): avc: denied { read write } for pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.929:56): arch=40000003 syscall=33 success=no exit=-13 a0=81aff18 a1=7 a2=d201a4 a3=820dd50 items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
--------------------------------------------------------------------------------------
The end.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
