knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., ..

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear all(selinux experts and testers) ,

despite updating selinux-policy packages and relabeling, I am still seeing denied avcs from setroubleshoot 

Selinux preventing all of the above plus ip (ifconfig_t) "read write" unconfined_t :( 

Summary:

SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ifconfig_t
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        ip
Source Path                   /sbin/ip
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           iproute-2.6.26-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21
                              01:39:53 EDT 2008 i686 i686
Alert Count                   43
First Seen                    Fri 24 Oct 2008 01:33:46 PM CDT
Last Seen                     Fri 24 Oct 2008 01:33:53 PM CDT
Local ID                      16290580-6020-4615-908e-c7b32e828a7a
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc:  denied  { read write } for  pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc:  denied  { read write } for  pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc:  denied  { read write } for  pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc:  denied  { read write } for  pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc:  denied  { read write } for  pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901 pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)



Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "read write"
unconfined_t.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:NetworkManager_t
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.7.0-0.11.svn4201.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21
                              01:39:53 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Fri 24 Oct 2008 01:35:56 PM CDT
Last Seen                     Fri 24 Oct 2008 01:35:56 PM CDT
Local ID                      6f715f57-6bca-45b3-aa02-dc34581b3423
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc:  denied  { read write } for  pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc:  denied  { read write } for  pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc:  denied  { read write } for  pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc:  denied  { read write } for  pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc:  denied  { read write } for  pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003 syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003 pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)


Summary:

SELinux is preventing knotify4 from making the program stack executable.

Detailed Description:

The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/knotify4'" You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/bin/knotify4'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        nspluginscan
Source Path                   /usr/bin/nspluginscan
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           kdebase-runtime-4.1.2-5.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-5.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.3-39.fc10.i686
                              #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   38
First Seen                    Mon 28 Jul 2008 10:50:50 PM CDT
Last Seen                     Fri 24 Oct 2008 03:15:46 PM CDT
Local ID                      d1193200-ba21-44ee-bdf0-5b24a80cdb04
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc:  denied  { execstack } for  pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dhclient-4.0.0-30.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-5.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.3-39.fc10.i686
                              #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Fri 24 Oct 2008 01:45:01 PM CDT
Last Seen                     Fri 24 Oct 2008 03:17:34 PM CDT
Local ID                      4c789a6b-2778-4d68-bb82-4fa4b8547db5
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc:  denied  { read write } for  pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc:  denied  { read write } for  pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc:  denied  { read write } for  pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc:  denied  { read write } for  pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003 syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066 pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)



I had a very difficult time updating this machine because i could not get a connection.  

[olivares@localhost ~]$ su -
Password:                   
[root@localhost ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1        
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000                        
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)              
          Interrupt:18 Base address:0xe000                    

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host     
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0                            
          RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)     

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46  
          BROADCAST MULTICAST  MTU:1500  Metric:1        
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0                           
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)              

wlan0     Link encap:Ethernet  HWaddr 00:16:E3:F3:09:DB  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1     
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000                        
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)              

wmaster0  Link encap:UNSPEC  HWaddr 00-16-E3-F3-09-DB-F4-EF-00-00-00-00-00-00-00-00                                                                             
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1                    
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0                    
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0                  
          collisions:0 txqueuelen:1000                                          
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)                                

[root@localhost ~]# ifconfig -a | more
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1        
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000                        
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)              
          Interrupt:18 Base address:0xe000                    

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host     
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0                            
          RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)     

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46  
          BROADCAST MULTICAST  MTU:1500  Metric:1        
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
[root@localhost ~]# dhclient eth0                           
Nothing to flush.                                           
PING 10.154.19.1 (10.154.19.1) from 10.154.19.179 eth0: 56(84) bytes of data.

--- 10.154.19.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms
pipe 3                                                                     
[root@localhost ~]# ifconfig -a | more
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1        
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000                        
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)              
          Interrupt:18 Base address:0xe000                    

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host     
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0                            
          RX bytes:2096 (2.0 KiB)  TX bytes:2096 (2.0 KiB)     

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46  
          BROADCAST MULTICAST  MTU:1500  Metric:1        
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0


I had to change the mac address of the machine to another one that could get access so that I could apply the updates.

First one knotify is a bug that I have reported:

https://bugzilla.redhat.com/show_bug.cgi?id=467210

but was closed because it was not an selinux bug, who has the hot potato now?  I keep seeing this on two of my three machines :(  
Has someone else seen this?  

Thanks,

Antonio 



      

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-test-list

[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux