Hi Team,
I just subscribed to the SELinux mailing list. My ID is: manojhanse@xxxxxxxxx
I have been seeing some SELinux alerts recently. I have attached these alert logs to the mail.
It would be very helpful if you could suggest relevant action on them. I am new to it.
Thanks & Regards,
Manoj Hanse | +91-8600626185
Pune, India-411017
Alert 1:
-------------------------------------------------------------------------------------

Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load a kernel module.

Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.

Allowing Access:
Contact your security administrator and report this issue.

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                None [ capability ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           NetworkManager-0.8.1-5.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   sys_module
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686
Alert Count                   2
First Seen                    Sat 28 Sep 2013 09:50:19 PM IST
Last Seen                     Sat 28 Sep 2013 09:50:19 PM IST
Local ID                      f65c3572-b348-4bba-b82f-2b43efc785a0
Line Numbers

Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380385219.916:103): avc: denied { sys_module } for pid=2191 comm="NetworkManager" capability=16 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability
node=RHEL01 type=SYSCALL msg=audit(1380385219.916:103): arch=40000003 syscall=54 success=no exit=-19 a0=d a1=8913 a2=bfb6354c a3=bfb6354c items=0 ppid=1 pid=2191 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
-------------------------------------------------------------------------------------

Alert 2:
-------------------------------------------------------------------------------------

Summary:
SELinux is preventing /usr/bin/virsh "read" access on random.

Detailed Description:
SELinux denied access requested by virsh. It is not expected that this access is required by virsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:xm_t:s0
Target Context                system_u:object_r:random_device_t:s0
Target Objects                random [ chr_file ]
Source                        virsh
Source Path                   /usr/bin/virsh
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           libvirt-client-0.10.2-18.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686
Alert Count                   2
First Seen                    Sat 28 Sep 2013 10:39:47 PM IST
Last Seen                     Sun 29 Sep 2013 05:59:20 PM IST
Local ID                      6589364e-74bb-4e16-be7d-02314a834726
Line Numbers

Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380457760.279:39013): avc: denied { read } for pid=11004 comm="virsh" name="random" dev=devtmpfs ino=3781 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
node=RHEL01 type=SYSCALL msg=audit(1380457760.279:39013): arch=40000003 syscall=33 success=no exit=-13 a0=53719ec a1=4 a2=537ee94 a3=1 items=0 ppid=11001 pid=11004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
-------------------------------------------------------------------------------------

Alert 3:
-------------------------------------------------------------------------------------

Summary:
SELinux is preventing /usr/sbin/dnsmasq "write" access on network.

Detailed Description:
SELinux denied access requested by dnsmasq. It is not expected that this access is required by dnsmasq and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_var_run_t:s0
Target Objects                network [ dir ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           dnsmasq-2.48-4.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686
Alert Count                   5
First Seen                    Sun 29 Sep 2013 05:59:58 AM IST
Last Seen                     Tue 01 Oct 2013 03:29:16 AM IST
Local ID                      74e9f64e-4ef1-45fa-ae30-18ff3b4e885f
Line Numbers

Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578356.144:26): avc: denied { write } for pid=2897 comm="dnsmasq" name="network" dev=dm-0 ino=545060 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578356.144:26): arch=40000003 syscall=5 success=no exit=-13 a0=9de6938 a1=8241 a2=1b6 a3=806ba38 items=0 ppid=1 pid=2897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
-------------------------------------------------------------------------------------

Alert 4:
-------------------------------------------------------------------------------------

Summary:
SELinux is preventing /usr/libexec/gdm-session-worker "write" access on root.

Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           gdm-2.30.4-21.el6
Target RPM Packages           filesystem-2.4.30-2.1.el6
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686
Alert Count                   2
First Seen                    Tue 01 Oct 2013 03:31:13 AM IST
Last Seen                     Tue 01 Oct 2013 03:31:13 AM IST
Local ID                      bfcc74ad-0397-46b0-bcc9-d544b6cd469b
Line Numbers

Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578473.938:58): avc: denied { write } for pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.938:58): arch=40000003 syscall=5 success=no exit=-13 a0=820c680 a1=80c2 a2=180 a3=1d items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
-------------------------------------------------------------------------------------

Alert 5:
-------------------------------------------------------------------------------------

Summary:
SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on root.

Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           gdm-2.30.4-21.el6
Target RPM Packages           filesystem-2.4.30-2.1.el6
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686
Alert Count                   1
First Seen                    Tue 01 Oct 2013 03:31:13 AM IST
Last Seen                     Tue 01 Oct 2013 03:31:13 AM IST
Local ID                      02caea5e-c1b1-496a-9f47-9ff352c91539
Line Numbers

Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578473.929:56): avc: denied { read write } for pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.929:56): arch=40000003 syscall=33 success=no exit=-13 a0=81aff18 a1=7 a2=d201a4 a3=820dd50 items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
-------------------------------------------------------------------------------------

Alert 6:
-------------------------------------------------------------------------------------

Summary:
SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on root.

Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           gdm-2.30.4-21.el6
Target RPM Packages           filesystem-2.4.30-2.1.el6
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686
Alert Count                   1
First Seen                    Tue 01 Oct 2013 03:31:13 AM IST
Last Seen                     Tue 01 Oct 2013 03:31:13 AM IST
Local ID                      02caea5e-c1b1-496a-9f47-9ff352c91539
Line Numbers

Raw Audit Messages
node=RHEL01 type=AVC msg=audit(1380578473.929:56): avc: denied { read write } for pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.929:56): arch=40000003 syscall=33 success=no exit=-13 a0=81aff18 a1=7 a2=d201a4 a3=820dd50 items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
-------------------------------------------------------------------------------------

The end.
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
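As an added illustration (not part of the original post), the script below parses the raw AVC records from the alerts above, applies the same two-tier split setroubleshoot makes (the sys_module capability denial versus the "catchall" denials), and collapses repeated alerts such as Alerts 5 and 6 into one row. The sample lines are copied from the post; the field names are the standard audit AVC fields.

```python
import re
from collections import Counter
from dataclasses import dataclass

# AVC records copied from the raw audit messages in the alerts above (one per distinct denial).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1380385219.916:103): avc: denied { sys_module } for pid=2191 comm="NetworkManager" capability=16 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability',
    'type=AVC msg=audit(1380457760.279:39013): avc: denied { read } for pid=11004 comm="virsh" name="random" dev=devtmpfs ino=3781 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1380578356.144:26): avc: denied { write } for pid=2897 comm="dnsmasq" name="network" dev=dm-0 ino=545060 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1380578473.929:56): avc: denied { read write } for pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: tuple   # e.g. ("read", "write")
    fields: dict   # pid, comm, scontext, tcontext, tclass, ...

    def type_of(self, ctx):
        # user:role:type[:range]; the type is what policy rules are written against
        return self.fields[ctx].split(":")[2]


def parse_avc(line):
    """Parse one AVC record into perms + key=value fields; None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Denial(tuple(m.group("perms").split()), fields)


def triage(d):
    """A confined daemon asking for CAP_SYS_MODULE is setroubleshoot's 'possibly
    compromised' case (Alert 1); the rest are catchall denials that are normally
    policy gaps to verify and then fix with a local module or a bug report."""
    if d.fields.get("tclass") == "capability" and "sys_module" in d.perms:
        return "critical"
    return "review"


def group_denials(lines):
    """Collapse repeated alerts into one row per (comm, source type, target type, class, perms)."""
    keys = Counter()
    for d in filter(None, map(parse_avc, lines)):
        keys[(d.fields["comm"], d.type_of("scontext"), d.type_of("tcontext"),
              d.fields["tclass"], d.perms)] += 1
    return keys
```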