--- On Wed, 2/4/09, Christopher Beland <beland@xxxxxxxxxxxx> wrote:

> From: Christopher Beland <beland@xxxxxxxxxxxx>
> Subject: Re: on machine with CPU -> 100%, lots of avc's
> To: olivares14031@xxxxxxxxx
> Cc: "For testers of Fedora Core development releases" <fedora-test-list@xxxxxxxxxx>
> Date: Wednesday, February 4, 2009, 7:45 PM
>
> Try (as root):
>
> service auditd restart
>
> and see if auditd returns OK or FAIL? It might spit out some errors, or
> put something in /var/log/messages. If it complains about the log not
> being writable by owner, then "chmod u+w /var/log/audit/*" is what
> fixed it for me.
>
> It could also be an SELinux problem, but only if you have
> SELINUX=enforcing in /etc/selinux/config. On my test machine, I
> generally set SELINUX=permissive there so I see avc denials, but
> everything continues working even if there is an SELinux
> misconfiguration.
>
> > Disable SELinux and AVCs will be gone. Forever.
>
> I agree SELinux can be quite frustrating once you start customizing
> services, and I have been known to turn it off entirely for that reason.
> But for testing purposes, it's extremely useful to have people like us
> stumble across avc denials so the general public doesn't have to, and
> they can enjoy the security benefits.
>
> -B.
Thank you for your help, I am now seeing setroubleshooter kick in :)

[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# service auditd restart
Stopping auditd:                                           [FAILED]
Starting auditd:                                           [FAILED]
[root@localhost ~]# tail -f /var/log/messages
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:6): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:8): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:10): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost auditd: audit log is not writable by owner
Feb 5 11:00:40 localhost auditd: The audit daemon is exiting.
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:11): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:12): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
^C
[root@localhost ~]# chmod u+w /var/log/audit/*
You have new mail in /var/spool/mail/root
[root@localhost ~]# service auditd restart
Stopping auditd:                                           [FAILED]
Starting auditd:                                           [  OK  ]
[root@localhost ~]# service auditd status
auditd (pid 3930) is running...
[root@localhost ~]#

Now I get to see the alerts:

Summary:

SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by consoletype. It is not expected that this
access is required by consoletype and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:consoletype_t
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          localhost
Source RPM Packages           initscripts-8.89-1
Target RPM Packages
Policy RPM                    selinux-policy-3.6.4-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost
Platform                      Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
Alert Count                   2
First Seen                    Thu 05 Feb 2009 11:02:08 AM CST
Last Seen                     Thu 05 Feb 2009 11:02:08 AM CST
Local ID                      f1514423-f554-4573-bbbc-be7e2ea49653
Line Numbers

Raw Audit Messages

node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=SYSCALL msg=audit(1233853328.116:21): arch=40000003 syscall=11 success=yes exit=0 a0=8401580 a1=84015e0 a2=84012e8 a3=84015e0 items=0 ppid=3960 pid=3961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)

Summary:

SELinux is preventing auditctl (auditctl_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by auditctl. It is not expected that this
access is required by auditctl and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:auditctl_t
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        auditctl
Source Path                   /sbin/auditctl
Port                          <Unknown>
Host                          localhost
Source RPM Packages           audit-1.7.11-2.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.4-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost
Platform                      Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
Alert Count                   2
First Seen                    Thu 05 Feb 2009 11:01:56 AM CST
Last Seen                    Thu 05 Feb 2009 11:01:56 AM CST
Local ID                      57e3c37f-6698-456e-9d2f-86ad2b68220a
Line Numbers

Raw Audit Messages

node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=SYSCALL msg=audit(1233853316.292:19): arch=40000003 syscall=11 success=yes exit=0 a0=83a4c40 a1=83a4e38 a2=83a8350 a3=83a4e38 items=0 ppid=3913 pid=3936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:system_r:auditctl_t:s0 key=(null)

I will now check my other two machines to see if auditd is running or not and apply the same fix.

Thank you for helping out again with this problem.

Regards,

Antonio

--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
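The thread above shows two separate problems mixed into one /var/log/messages stream: auditd refusing to start because its log was not owner-writable, and a run of AVC denials from consoletype_t, auditctl_t and auditd_t against the same unconfined_t socket (dev=sockfs ino=12370). The following is an added example, not code from the thread or from the audit or setroubleshoot projects. It parses kernel "avc: denied" records and setroubleshoot "Raw Audit Messages" into structured fields, counts denials by the (source type, target type, class, permissions) tuple a policy rule is written in terms of, groups them by the object denied on so that several domains hitting one inherited descriptor stand out, and separates out the auditd daemon's own messages, which is where the actual reason it exited is recorded. The sample input is constructed from the records quoted in the thread; nothing else is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: AVC records and auditd messages copied from the
# kernel log and the setroubleshoot output quoted in the thread above.
SAMPLE_LOG = """\
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost auditd: audit log is not writable by owner
Feb 5 11:00:40 localhost auditd: The audit daemon is exiting.
node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

# Matches both the kernel "type=1400 audit(...)" form and the
# setroubleshoot "type=AVC msg=audit(...)" form, since the part after
# "audit(" is identical in both.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*(?P<result>denied|granted)"
    r"\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted (comm, path) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated component of a context
    # (user:role:type:range); keep it as "stype" / "ttype".
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx[0] + "type"] = rec[ctx].split(":")[2]
    return rec


def parse_log(text):
    """Parse every AVC record in a block of log text, skipping other lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials per (source type, target type, class, perms)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        counts[(r["stype"], r["ttype"], r["tclass"], " ".join(r["perms"]))] += 1
    return counts


def shared_target_objects(records):
    """Map each denied object (dev, ino) to the sorted set of source types that hit it."""
    by_obj = defaultdict(set)
    for r in records:
        if "dev" in r and "ino" in r:
            by_obj[(r["dev"], r["ino"])].add(r["stype"])
    return {k: sorted(v) for k, v in by_obj.items()}


def non_avc_auditd_messages(text):
    """Return the auditd daemon's own syslog messages (not AVC records)."""
    return [line.split("auditd: ", 1)[1] for line in text.splitlines()
            if " auditd: " in line and "avc:" not in line]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(n, key)
    print(shared_target_objects(recs))
    print(non_avc_auditd_messages(SAMPLE_LOG))
```

Run against the constructed sample, the summary shows all four denials share the target type unconfined_t, class unix_stream_socket and permissions "read write", and the object grouping shows the three different source domains were all denied on the one socket with ino=12370. The daemon messages come out separately, so the "not writable by owner" start-up failure is not mistaken for an SELinux denial.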