Dear all (SELinux experts and testers), despite updating the selinux-policy packages and relabeling, I am still seeing denied AVCs from setroubleshoot: SELinux preventing all of the above plus ip (ifconfig_t) "read write" unconfined_t :(

Summary:

SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip. It is not expected that this access is required by ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           iproute-2.6.26-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686
Alert Count                   43
First Seen                    Fri 24 Oct 2008 01:33:46 PM CDT
Last Seen                     Fri 24 Oct 2008 01:33:53 PM CDT
Local ID                      16290580-6020-4615-908e-c7b32e828a7a
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901 pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)

Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:NetworkManager_t
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.7.0-0.11.svn4201.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Fri 24 Oct 2008 01:35:56 PM CDT
Last Seen                     Fri 24 Oct 2008 01:35:56 PM CDT
Local ID                      6f715f57-6bca-45b3-aa02-dc34581b3423
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003 syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003 pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)

Summary:

SELinux is preventing knotify4 from making the program stack executable.

Detailed Description:

The knotify4 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/knotify4'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Source                        nspluginscan
Source Path                   /usr/bin/nspluginscan
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           kdebase-runtime-4.1.2-5.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-5.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   38
First Seen                    Mon 28 Jul 2008 10:50:50 PM CDT
Last Seen                     Fri 24 Oct 2008 03:15:46 PM CDT
Local ID                      d1193200-ba21-44ee-bdf0-5b24a80cdb04
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dhclient-4.0.0-30.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-5.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Fri 24 Oct 2008 01:45:01 PM CDT
Last Seen                     Fri 24 Oct 2008 03:17:34 PM CDT
Local ID                      4c789a6b-2778-4d68-bb82-4fa4b8547db5
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003 syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066 pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

I had a very difficult time updating this machine because I could not get a connection.

[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wlan0     Link encap:Ethernet  HWaddr 00:16:E3:F3:09:DB
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wmaster0  Link encap:UNSPEC  HWaddr 00-16-E3-F3-09-DB-F4-EF-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@localhost ~]# ifconfig -a | more
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
[root@localhost ~]# dhclient eth0
Nothing to flush.
PING 10.154.19.1 (10.154.19.1) from 10.154.19.179 eth0: 56(84) bytes of data.

--- 10.154.19.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms
pipe 3
[root@localhost ~]# ifconfig -a | more
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2096 (2.0 KiB)  TX bytes:2096 (2.0 KiB)

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

I had to change the MAC address of the machine to another one that could get access so that I could apply the updates.
The first one, knotify, is a bug that I have reported: https://bugzilla.redhat.com/show_bug.cgi?id=467210 but it was closed because it was not an SELinux bug. Who has the hot potato now? I keep seeing this on two of my three machines :( Has someone else seen this?

Thanks,
Antonio

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
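To triage a batch of alerts like the ones in this post, here is an added Python example (not part of the post, nor code from setroubleshoot) that parses the raw AVC records, collapses the repeated copies of the same audit event, and flags process-class memory-protection denials such as the knotify4 execstack one separately from the unix_stream_socket denials; the sample records are copied from the post's raw audit messages, and the field names and helper functions are the example's own.

```python
import re
from collections import Counter

# Constructed sample: AVC records copied from the raw audit messages in the
# post, with the ip record repeated the way setroubleshoot printed it.
SAMPLE_AUDIT = """\
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# process-class permissions that setroubleshoot's memory-protection plugins
# (allow_execstack in the knotify4 alert) report rather than the catchall one
MEMORY_PERMS = {"execstack", "execmem", "execheap", "execmod"}

def parse_avc(line):
    """Pull the security-relevant fields out of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    perms = frozenset(m.group("perms").split())
    return {
        "serial": int(m.group("serial")),
        "comm": fields.get("comm"),
        "perms": perms,
        "source_type": fields["scontext"].split(":")[2],   # e.g. ifconfig_t
        "target_type": fields["tcontext"].split(":")[2],   # e.g. unconfined_t
        "tclass": fields["tclass"],
        "memory_protection": fields["tclass"] == "process" and bool(perms & MEMORY_PERMS),
    }

def summarize(text):
    """Parse all AVC records, drop repeats of one event, count distinct denials."""
    seen, records = set(), []
    for line in text.splitlines():
        rec = parse_avc(line)
        key = rec and (rec["serial"], rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"])
        if key and key not in seen:
            seen.add(key)
            records.append(rec)
    counts = Counter((r["source_type"], r["target_type"], r["tclass"],
                      " ".join(sorted(r["perms"]))) for r in records)
    return records, counts
```

Running summarize() over a full /var/log/audit/audit.log instead of the sample gives one line per distinct (source domain, target type, class, permissions) combination, which is the unit you would file a policy bug or write a local module against.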