-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear all (SELinux experts and testers),
>
> Despite updating the selinux-policy packages and relabeling, I am still seeing denied AVCs from setroubleshoot.
>
> SELinux is preventing all of the above plus ip (ifconfig_t) "read write" unconfined_t :(
>
> Summary:
>
> SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by ip. It is not expected that this access is
> required by ip and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:ifconfig_t
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                socket [ unix_stream_socket ]
> Source                        ip
> Source Path                   /sbin/ip
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           iproute-2.6.26-1.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-3.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686
> Alert Count                   43
> First Seen                    Fri 24 Oct 2008 01:33:46 PM CDT
> Last Seen                     Fri 24 Oct 2008 01:33:53 PM CDT
> Local ID                      16290580-6020-4615-908e-c7b32e828a7a
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901 pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by NetworkManager. It is not expected that this
> access is required by NetworkManager and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:NetworkManager_t
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                socket [ unix_stream_socket ]
> Source                        NetworkManager
> Source Path                   /usr/sbin/NetworkManager
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           NetworkManager-0.7.0-0.11.svn4201.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-3.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686
> Alert Count                   1
> First Seen                    Fri 24 Oct 2008 01:35:56 PM CDT
> Last Seen                     Fri 24 Oct 2008 01:35:56 PM CDT
> Local ID                      6f715f57-6bca-45b3-aa02-dc34581b3423
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003 syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003 pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing knotify4 from making the program stack executable.
>
> Detailed Description:
>
> The knotify4 application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If knotify4 does not work and you need it to work,
> you can configure SELinux temporarily to allow this access until the application
> is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the execstack flag, if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
> run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/bin/knotify4'" You must also change the default file context files on the
> system in order to preserve them even on a full relabel. "semanage fcontext -a
> -t unconfined_execmem_exec_t '/usr/bin/knotify4'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        nspluginscan
> Source Path                   /usr/bin/nspluginscan
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           kdebase-runtime-4.1.2-5.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-5.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count                   38
> First Seen                    Mon 28 Jul 2008 10:50:50 PM CDT
> Last Seen                     Fri 24 Oct 2008 03:15:46 PM CDT
> Local ID                      d1193200-ba21-44ee-bdf0-5b24a80cdb04
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by dhclient. It is not expected that this access
> is required by dhclient and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                socket [ unix_stream_socket ]
> Source                        dhclient
> Source Path                   /sbin/dhclient
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           dhclient-4.0.0-30.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-5.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count                   2
> First Seen                    Fri 24 Oct 2008 01:45:01 PM CDT
> Last Seen                     Fri 24 Oct 2008 03:17:34 PM CDT
> Local ID                      4c789a6b-2778-4d68-bb82-4fa4b8547db5
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003 syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066 pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
>
>
>
> I had a very difficult time updating this machine because I could not get a connection.
>
> [olivares@localhost ~]$ su -
> Password:
> [root@localhost ~]# ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>           BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>           Interrupt:18 Base address:0xe000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)
>
> pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
>           BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> wlan0     Link encap:Ethernet  HWaddr 00:16:E3:F3:09:DB
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> wmaster0  Link encap:UNSPEC  HWaddr 00-16-E3-F3-09-DB-F4-EF-00-00-00-00-00-00-00-00
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> [root@localhost ~]# ifconfig -a | more
> eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>           BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>           Interrupt:18 Base address:0xe000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:32 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)
>
> pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
>           BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> [root@localhost ~]# dhclient eth0
> Nothing to flush.
> PING 10.154.19.1 (10.154.19.1) from 10.154.19.179 eth0: 56(84) bytes of data.
>
> --- 10.154.19.1 ping statistics ---
> 4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms
> pipe 3
> [root@localhost ~]# ifconfig -a | more
> eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>           BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>           Interrupt:18 Base address:0xe000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:35 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:2096 (2.0 KiB)  TX bytes:2096 (2.0 KiB)
>
> pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
>           BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>
>
> I had to change the MAC address of the machine to another one that could get access so that I could apply the updates.
>
> The first one, knotify, is a bug that I have reported:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=467210
>
> but it was closed because it was not an SELinux bug. Who has the hot potato now? I keep seeing this on two of my three machines :(
> Has someone else seen this?
>
> Thanks,
>
> Antonio
>
>
>

The unix_stream_socket is a leaked file descriptor.
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

These can be dontaudited or allowed using

# grep ifconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

(audit2allow -M builds the mypol.pp package that semodule loads; -m only prints the module source.)

Probably a bug in one of the KDE routines that should be calling fcntl(fd, F_SETFD, FD_CLOEXEC) before executing the script to bring up the network.

Is the execstack one caused by the nvidia library? Do you have a libGL on the system somewhere which is causing this? I think you will have to turn on the allow_execstack boolean to get this one to go away, or remove the proprietary software.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkC9DwACgkQrlYvE4MpobNKlQCfTmGPlBluyLvIW/3Is0MaDSFT
b50AnRvmGC8OMNp2uRRY0otv603FO6KQ
=GQN1
-----END PGP SIGNATURE-----

-- 
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
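Added example (not code from the thread, from KDE, or from iproute/dhclient): reproduce the leaked-descriptor situation described in the reply and show that fcntl(fd, F_SETFD, FD_CLOEXEC) ends it. A parent holding an AF_UNIX stream socket runs a helper through /bin/sh, which stands in for the network script the KDE code spawns; if the socket is still open in the helper after execve(), that is the same shape as the unix_stream_socket the AVC records show ip, NetworkManager and dhclient touching from their own domains. The fcntl module is Python's binding to the same call the reply names; the shell command and the one-byte probe are this example's own construction.

```python
# Added example, not from the thread: a descriptor leaking across execve()
# and the FD_CLOEXEC fix. Linux/Unix only; needs /bin/sh.
import fcntl
import os
import socket
import subprocess


def child_can_use_socket(set_cloexec: bool) -> bool:
    """Exec /bin/sh with an inherited AF_UNIX socket and report whether
    the new program could still write to it.

    set_cloexec=False models the buggy caller: the descriptor is left
    inheritable and survives execve(), so the child runs with a socket
    its SELinux domain was never meant to touch.
    set_cloexec=True models the fix the reply asks for:
    fcntl(fd, F_SETFD, FD_CLOEXEC) makes the kernel close it on execve().
    """
    ours, theirs = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    fd = theirs.fileno()
    # Python >= 3.4 creates descriptors non-inheritable (PEP 446); undo that
    # so the socket starts in the leaky state a plain socketpair(2) in C has.
    os.set_inheritable(fd, True)
    if set_cloexec:
        flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)

    # The helper tries to write one byte to the inherited descriptor number.
    # With the leak the write succeeds; after the fix the shell gets EBADF.
    cmd = f"printf x >&{fd}"
    subprocess.run(["/bin/sh", "-c", cmd], close_fds=False,
                   stderr=subprocess.DEVNULL, check=False)

    theirs.close()            # our copy; the child has exited, so its copy is gone too
    ours.settimeout(1.0)
    try:
        data = ours.recv(1)   # b"x" if the helper could write, b"" (EOF) otherwise
    except socket.timeout:
        data = b""
    ours.close()
    return data == b"x"


if __name__ == "__main__":
    print("leaky caller, child can use socket:", child_can_use_socket(False))
    print("FD_CLOEXEC set, child can use socket:", child_can_use_socket(True))
```

The check is deterministic because the parent only reads after the helper has exited and after closing its own copy of the child's end, so the read either returns the probe byte or EOF. On a real system the equivalent evidence is the SYSCALL record paired with the AVC: syscall=11 with success=yes on arch=40000003 is a successful execve on i386, which is why the denial lands on the freshly exec'd ip, NetworkManager or dhclient rather than on the program that opened the socket.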
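Added example (not from the thread): before reaching for audit2allow, confirm that a denial actually matches the leaked-descriptor pattern the reply identifies, and then produce the dontaudit rules a local module would carry instead of granting the access. The input is the AVC and SYSCALL records quoted earlier in the thread, embedded here so the script runs offline. The triage rule (cross-domain read/write on an inherited socket, recorded in the same audit event as a successful execve) is this example's own heuristic, not anything setroubleshoot or audit2allow implements; the execve syscall numbers (11 on i386, 59 on x86_64) are real.

```python
# Added example, not from the thread: triage AVC records for the leaked-fd
# signature and render a dontaudit module from the matches.
import re
from collections import defaultdict

# Records quoted in the thread (ip, NetworkManager, dhclient, and the
# unrelated knotify4 execstack denial as a negative case).
AUDIT_LOG = """\
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901 pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003 syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003 pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003 syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066 pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# execve syscall number per audit arch value: i386 and x86_64.
EXECVE = {"40000003": "11", "c000003e": "59"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")


def parse(log: str) -> dict:
    """Group audit records by serial: {serial: {"AVC": fields, "SYSCALL": fields}}."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("type") == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events[m.group(1)][fields["type"]] = fields
    return events


def leaked_fd_denials(events: dict) -> list:
    """Heuristic: a cross-domain read/write on an inherited unix socket whose
    audit event is a successful execve. Returns (serial, src, tgt, class, perms)."""
    hits = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc:
            continue
        src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
        if (avc["tclass"] in ("unix_stream_socket", "unix_dgram_socket")
                and src != tgt
                and avc.get("path", "").startswith("socket:[")
                and EXECVE.get(sc.get("arch")) == sc.get("syscall")
                and sc.get("success") == "yes"):
            hits.append((serial, src, tgt, avc["tclass"], avc["perms"]))
    return hits


def dontaudit_module(hits: list, name: str = "mypol") -> str:
    """Render .te source that silences the leak without granting the access."""
    types = sorted({t for h in hits for t in (h[1], h[2])})
    classes = defaultdict(set)
    for _, _, _, cls, perms in hits:
        classes[cls].update(perms)
    rules = sorted({(s, t, c, " ".join(p)) for _, s, t, c, p in hits})
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"dontaudit {s} {t}:{c} {{ {p} }};" for s, t, c, p in rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = leaked_fd_denials(parse(AUDIT_LOG))
    for serial, src, tgt, cls, perms in found:
        print(f"{serial}: {src} -> {tgt} {cls} {perms} (leaked fd across execve)")
    print(dontaudit_module(found))
```

The three socket denials match and the knotify4 execstack denial does not (wrong class, no execve), which is the distinction the reply draws between the two problems. Save the rendered source as mypol.te and build it the usual way: checkmodule -M -m -o mypol.mod mypol.te, semodule_package -o mypol.pp -m mypol.mod, semodule -i mypol.pp. A dontaudit keeps the denial out of the log while the leak is fixed at the source with FD_CLOEXEC; an allow rule would instead hand each of those domains a standing right to the unconfined socket.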