SELinux Alerts Help

Hi Team,

I just subscribed to the SELinux mailing list. My id is: manojhanse@xxxxxxxxx

I have been seeing some SELinux alerts recently. I have attached these alert logs to the mail.

It would be very helpful if you could suggest relevant action on it. I am new to it.

Thanks & Regards,

Manoj Hanse | +91-8600626185
Pune, India-411017

Alert 1:

-------------------------------------------------------------------------------------

Summary:

Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load
a kernel module.

Detailed Description:

SELinux has prevented NetworkManager from loading a kernel module. All confined
programs that need to load kernel modules should have already had policy written
for them. If a compromised application tries to modify the kernel this AVC will
be generated. This is a serious issue. Your system may very well be compromised.

Allowing Access:

Contact your security administrator and report this issue.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                None [ capability ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           NetworkManager-0.8.1-5.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   sys_module
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
                              21:50:49 UTC 2013 i686 i686
Alert Count                   2
First Seen                    Sat 28 Sep 2013 09:50:19 PM IST
Last Seen                     Sat 28 Sep 2013 09:50:19 PM IST
Local ID                      f65c3572-b348-4bba-b82f-2b43efc785a0
Line Numbers                  

Raw Audit Messages            

node=RHEL01 type=AVC msg=audit(1380385219.916:103): avc:  denied  { sys_module } for  pid=2191 comm="NetworkManager" capability=16  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability

node=RHEL01 type=SYSCALL msg=audit(1380385219.916:103): arch=40000003 syscall=54 success=no exit=-19 a0=d a1=8913 a2=bfb6354c a3=bfb6354c items=0 ppid=1 pid=2191 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

------------------------------------------------------------------------------------------

Alert 2:

---------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/bin/virsh "read" access on random.

Detailed Description:

SELinux denied access requested by virsh. It is not expected that this access is
required by virsh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xm_t:s0
Target Context                system_u:object_r:random_device_t:s0
Target Objects                random [ chr_file ]
Source                        virsh
Source Path                   /usr/bin/virsh
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           libvirt-client-0.10.2-18.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
                              21:50:49 UTC 2013 i686 i686
Alert Count                   2
First Seen                    Sat 28 Sep 2013 10:39:47 PM IST
Last Seen                     Sun 29 Sep 2013 05:59:20 PM IST
Local ID                      6589364e-74bb-4e16-be7d-02314a834726
Line Numbers                  

Raw Audit Messages            

node=RHEL01 type=AVC msg=audit(1380457760.279:39013): avc:  denied  { read } for  pid=11004 comm="virsh" name="random" dev=devtmpfs ino=3781 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

node=RHEL01 type=SYSCALL msg=audit(1380457760.279:39013): arch=40000003 syscall=33 success=no exit=-13 a0=53719ec a1=4 a2=537ee94 a3=1 items=0 ppid=11001 pid=11004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)

------------------------------------------------------------------------------------------

Alert 3:

---------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/sbin/dnsmasq "write" access on network.

Detailed Description:

SELinux denied access requested by dnsmasq. It is not expected that this access
is required by dnsmasq and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_var_run_t:s0
Target Objects                network [ dir ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           dnsmasq-2.48-4.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
                              21:50:49 UTC 2013 i686 i686
Alert Count                   5
First Seen                    Sun 29 Sep 2013 05:59:58 AM IST
Last Seen                     Tue 01 Oct 2013 03:29:16 AM IST
Local ID                      74e9f64e-4ef1-45fa-ae30-18ff3b4e885f
Line Numbers                  

Raw Audit Messages            

node=RHEL01 type=AVC msg=audit(1380578356.144:26): avc:  denied  { write } for  pid=2897 comm="dnsmasq" name="network" dev=dm-0 ino=545060 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

node=RHEL01 type=SYSCALL msg=audit(1380578356.144:26): arch=40000003 syscall=5 success=no exit=-13 a0=9de6938 a1=8241 a2=1b6 a3=806ba38 items=0 ppid=1 pid=2897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)

-----------------------------------------------------------------------------------------

Alert 4:

---------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/libexec/gdm-session-worker "write" access on root.

Detailed Description:

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           gdm-2.30.4-21.el6
Target RPM Packages           filesystem-2.4.30-2.1.el6
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
                              21:50:49 UTC 2013 i686 i686
Alert Count                   2
First Seen                    Tue 01 Oct 2013 03:31:13 AM IST
Last Seen                     Tue 01 Oct 2013 03:31:13 AM IST
Local ID                      bfcc74ad-0397-46b0-bcc9-d544b6cd469b
Line Numbers                  

Raw Audit Messages            

node=RHEL01 type=AVC msg=audit(1380578473.938:58): avc:  denied  { write } for  pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=RHEL01 type=SYSCALL msg=audit(1380578473.938:58): arch=40000003 syscall=5 success=no exit=-13 a0=820c680 a1=80c2 a2=180 a3=1d items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

-----------------------------------------------------------------------------------------

Alert 5:

------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/libexec/gdm-session-worker "read write" access on
root.

Detailed Description:

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          RHEL01
Source RPM Packages           gdm-2.30.4-21.el6
Target RPM Packages           filesystem-2.4.30-2.1.el6
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     RHEL01
Platform                      Linux RHEL01 2.6.32-358.el6.i686 #1 SMP Thu Feb 21
                              21:50:49 UTC 2013 i686 i686
Alert Count                   1
First Seen                    Tue 01 Oct 2013 03:31:13 AM IST
Last Seen                     Tue 01 Oct 2013 03:31:13 AM IST
Local ID                      02caea5e-c1b1-496a-9f47-9ff352c91539
Line Numbers                  

Raw Audit Messages            

node=RHEL01 type=AVC msg=audit(1380578473.929:56): avc:  denied  { read write } for  pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=RHEL01 type=SYSCALL msg=audit(1380578473.929:56): arch=40000003 syscall=33 success=no exit=-13 a0=81aff18 a1=7 a2=d201a4 a3=820dd50 items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

-----------------------------------------------------------------------------------------

The end.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
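As an added example (not code from the post above or from the SELinux project), the Python script below does the first-pass triage a defender would want for the raw audit messages quoted in the mail: it pairs each AVC record with the SYSCALL record carrying the same audit serial, collapses repeated records (the same event pasted twice becomes one finding), decodes the i386 syscall numbers, errno values and capability number that occur in the sample, and ranks the CAP_SYS_MODULE denial from the confined NetworkManager_t domain above the "catchall" denials, following sealert's own guidance that the former is something to investigate, not to allow. The sample input is the post's own records, embedded as a constructed string; the errno, syscall and capability tables cover only the values in that sample, and the ioctl remark the script emits is labelled as a hypothesis to confirm, not a verdict.

```python
"""Triage SELinux AVC denials: pair each AVC record with its SYSCALL record by
audit serial, collapse repeated records, decode the numeric fields and rank the
finding. Added example; not code from the post or the SELinux project."""
import re
from collections import defaultdict

# Constructed sample input: the raw audit records quoted in the post above.
# Serial 56 appears twice, as it does in the post, to show that repeats collapse.
SAMPLE_AUDIT = """\
node=RHEL01 type=AVC msg=audit(1380385219.916:103): avc:  denied  { sys_module } for  pid=2191 comm="NetworkManager" capability=16  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability
node=RHEL01 type=SYSCALL msg=audit(1380385219.916:103): arch=40000003 syscall=54 success=no exit=-19 a0=d a1=8913 a2=bfb6354c a3=bfb6354c items=0 ppid=1 pid=2191 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
node=RHEL01 type=AVC msg=audit(1380457760.279:39013): avc:  denied  { read } for  pid=11004 comm="virsh" name="random" dev=devtmpfs ino=3781 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
node=RHEL01 type=SYSCALL msg=audit(1380457760.279:39013): arch=40000003 syscall=33 success=no exit=-13 a0=53719ec a1=4 a2=537ee94 a3=1 items=0 ppid=11001 pid=11004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
node=RHEL01 type=AVC msg=audit(1380578356.144:26): avc:  denied  { write } for  pid=2897 comm="dnsmasq" name="network" dev=dm-0 ino=545060 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578356.144:26): arch=40000003 syscall=5 success=no exit=-13 a0=9de6938 a1=8241 a2=1b6 a3=806ba38 items=0 ppid=1 pid=2897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
node=RHEL01 type=AVC msg=audit(1380578473.938:58): avc:  denied  { write } for  pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.938:58): arch=40000003 syscall=5 success=no exit=-13 a0=820c680 a1=80c2 a2=180 a3=1d items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=RHEL01 type=AVC msg=audit(1380578473.929:56): avc:  denied  { read write } for  pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=RHEL01 type=SYSCALL msg=audit(1380578473.929:56): arch=40000003 syscall=33 success=no exit=-13 a0=81aff18 a1=7 a2=d201a4 a3=820dd50 items=0 ppid=3140 pid=3165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=RHEL01 type=AVC msg=audit(1380578473.929:56): avc:  denied  { read write } for  pid=3165 comm="gdm-session-wor" name="root" dev=dm-0 ino=651521 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r"type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")

# Lookup tables cover only the values that occur in the sample; extend as needed.
ERRNO = {13: "EACCES", 19: "ENODEV"}
I386_SYSCALLS = {5: "open", 33: "access", 54: "ioctl"}  # arch=40000003 is AUDIT_ARCH_I386
CAPABILITIES = {16: "CAP_SYS_MODULE"}
SIOCGIFFLAGS = 0x8913  # "get interface flags" ioctl request number


def parse_record(line):
    """Return one audit record as a dict, or None if the line is not an audit record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
    if rec["type"] == "AVC":
        a = AVC_RE.search(line)
        if not a:
            return None
        rec["verdict"] = a.group("verdict")
        rec["perms"] = a.group("perms").split()
        body = a.group("rest")
    else:
        body = line[m.end():]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def type_of(ctx):
    """Pick the type out of a user:role:type[:level] context string."""
    return ctx.split(":")[2]


def decode_syscall(sc):
    if sc.get("arch") != "40000003":
        return "unknown-arch"
    return I386_SYSCALLS.get(int(sc.get("syscall", -1)), "syscall-" + sc.get("syscall", "?"))


def triage(audit_text):
    """Group records by serial, keep one copy per (serial, type), return one finding per denial."""
    by_serial = defaultdict(dict)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec  # a repeated record overwrites itself
    findings = []
    for serial in sorted(by_serial):
        avc = by_serial[serial].get("AVC")
        sc = by_serial[serial].get("SYSCALL", {})
        if not avc or avc["verdict"] != "denied":
            continue
        exit_no = int(sc.get("exit", "0"))
        f = {"serial": serial, "comm": avc.get("comm"),
             "source_type": type_of(avc["scontext"]), "target_type": type_of(avc["tcontext"]),
             "tclass": avc["tclass"], "perms": avc["perms"],
             "syscall": decode_syscall(sc), "errno": ERRNO.get(-exit_no, str(exit_no))}
        if avc["tclass"] == "capability":
            f["capability"] = CAPABILITIES.get(int(avc.get("capability", -1)),
                                               "capability-" + avc.get("capability", "?"))
        if f.get("capability") == "CAP_SYS_MODULE":
            # sealert's sys_module plugin treats this as a possible compromise; it is not
            # something to "allow". Check the binary and the kernel before anything else.
            f["severity"] = "high"
            f["notes"] = ["verify the package (rpm -V) and review loaded modules and the "
                          "kernel log; do not add an allow rule for this"]
            if (f["syscall"] == "ioctl" and "a1" in sc
                    and int(sc["a1"], 16) == SIOCGIFFLAGS and f["errno"] == "ENODEV"):
                # Hypothesis to confirm against the kernel log, not a verdict: an
                # interface-flags query on a name that does not exist (ENODEV) fits the
                # kernel trying to auto-load a network driver, a common benign trigger.
                f["notes"].append("SIOCGIFFLAGS on a missing interface: consistent with "
                                  "driver auto-load rather than a deliberate module load")
        else:
            f["severity"] = "medium"
            f["notes"] = ["unexpected access from a confined domain: run audit2why on the "
                          "record, check the target label with ls -Z and restorecon if it is "
                          "wrong; only then consider a local policy module"]
        findings.append(f)
    return findings


def findings_by_serial(audit_text=SAMPLE_AUDIT):
    return {f["serial"]: f for f in triage(audit_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print("%-6s %5d %-16s %s -> %s [%s] %s %s %s" % (
            f["severity"], f["serial"], f["comm"], f["source_type"], f["target_type"],
            f["tclass"], " ".join(f["perms"]), f["syscall"], f["errno"]))
        for n in f["notes"]:
            print("       - " + n)
```

The medium findings point to audit2why, ls -Z and restorecon before audit2allow on purpose: the xm_t, dnsmasq_t and xdm_t denials each involve a target label (random_device_t, virt_var_run_t, admin_home_t) that is worth checking first, because a mislabeled file or a process launched into an unexpected domain is cured by relabeling or by fixing the launch path, not by widening policy. On a real host the same script reads the output of `ausearch -m AVC,SYSCALL --raw` instead of the embedded sample.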
