knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., ..
Daniel J Walsh
dwalsh at redhat.com
Sat Oct 25 10:26:04 UTC 2008
Antonio Olivares wrote:
> Dear all(selinux experts and testers) ,
>
> despite updating selinux-policy packages and relabeling, I am still seeing denied avcs from setroubleshoot
>
> Selinux preventing all of the above plus ip (ifconfig_t) "read write" unconfined_t :(
>
> Summary:
>
> SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by ip. It is not expected that this access is
> required by ip and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:ifconfig_t
> Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects socket [ unix_stream_socket ]
> Source ip
> Source Path /sbin/ip
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages iproute-2.6.26-1.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-3.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21
> 01:39:53 EDT 2008 i686 i686
> Alert Count 43
> First Seen Fri 24 Oct 2008 01:33:46 PM CDT
> Last Seen Fri 24 Oct 2008 01:33:53 PM CDT
> Local ID 16290580-6020-4615-908e-c7b32e828a7a
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901 pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
>
>
>
> Summary:
>
> SELinux is preventing NetworkManager (NetworkManager_t) "read write"
> unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by NetworkManager. It is not expected that this
> access is required by NetworkManager and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:NetworkManager_t
> Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects socket [ unix_stream_socket ]
> Source NetworkManager
> Source Path /usr/sbin/NetworkManager
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages NetworkManager-0.7.0-0.11.svn4201.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-3.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21
> 01:39:53 EDT 2008 i686 i686
> Alert Count 1
> First Seen Fri 24 Oct 2008 01:35:56 PM CDT
> Last Seen Fri 24 Oct 2008 01:35:56 PM CDT
> Local ID 6f715f57-6bca-45b3-aa02-dc34581b3423
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003 syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003 pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing knotify4 from making the program stack executable.
>
> Detailed Description:
>
> The knotify4 application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If knotify4 does not work and you need it to work,
> you can configure SELinux temporarily to allow this access until the application
> is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the execstack flag, if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
> run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/bin/knotify4'" You must also change the default file context files on the
> system in order to preserve them even on a full relabel. "semanage fcontext -a
> -t unconfined_execmem_exec_t '/usr/bin/knotify4'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
>
> Additional Information:
>
> Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects None [ process ]
> Source nspluginscan
> Source Path /usr/bin/nspluginscan
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages kdebase-runtime-4.1.2-5.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-5.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_execstack
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.27.3-39.fc10.i686
> #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count 38
> First Seen Mon 28 Jul 2008 10:50:50 PM CDT
> Last Seen Fri 24 Oct 2008 03:15:46 PM CDT
> Local ID d1193200-ba21-44ee-bdf0-5b24a80cdb04
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by dhclient. It is not expected that this access
> is required by dhclient and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
> Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects socket [ unix_stream_socket ]
> Source dhclient
> Source Path /sbin/dhclient
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages dhclient-4.0.0-30.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-5.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.27.3-39.fc10.i686
> #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
> Alert Count 2
> First Seen Fri 24 Oct 2008 01:45:01 PM CDT
> Last Seen Fri 24 Oct 2008 03:17:34 PM CDT
> Local ID 4c789a6b-2778-4d68-bb82-4fa4b8547db5
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003 syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066 pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
>
>
>
> I had a very difficult time updating this machine because I could not get a connection.
>
> [olivares@localhost ~]$ su -
> Password:
> [root@localhost ~]# ifconfig -a
> eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
> BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> Interrupt:18 Base address:0xe000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1760 (1.7 KiB) TX bytes:1760 (1.7 KiB)
>
> pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46
> BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> wlan0 Link encap:Ethernet HWaddr 00:16:E3:F3:09:DB
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> wmaster0 Link encap:UNSPEC HWaddr 00-16-E3-F3-09-DB-F4-EF-00-00-00-00-00-00-00-00
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> [root@localhost ~]# ifconfig -a | more
> eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
> BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> Interrupt:18 Base address:0xe000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1760 (1.7 KiB) TX bytes:1760 (1.7 KiB)
>
> pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46
> BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> [root@localhost ~]# dhclient eth0
> Nothing to flush.
> PING 10.154.19.1 (10.154.19.1) from 10.154.19.179 eth0: 56(84) bytes of data.
>
> --- 10.154.19.1 ping statistics ---
> 4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms
> pipe 3
> [root@localhost ~]# ifconfig -a | more
> eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
> BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> Interrupt:18 Base address:0xe000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:35 errors:0 dropped:0 overruns:0 frame:0
> TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:2096 (2.0 KiB) TX bytes:2096 (2.0 KiB)
>
> pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46
> BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>
>
> I had to change the mac address of the machine to another one that could get access so that I could apply the updates.
>
> The first one, knotify, is a bug that I have reported:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=467210
>
> but it was closed because it was not an SELinux bug. Who has the hot potato now? I keep seeing this on two of my three machines :(
> Has someone else seen this?
>
> Thanks,
>
> Antonio
>
>
>
>
>
The unix_stream_socket is a leaked file descriptor.

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

These can be dontaudited or allowed using
# grep ifconfig /var/log/audit/audit.log | audit2allow -m mypol
# semodule -i mypol.pp
Probably a bug in one of the kde routines that should be calling
fcntl(fd, F_SETFD, FD_CLOEXEC) before executing the script to bring up
the network.
The execstack one is caused by the nvidia library? Do you have a libGL on
the system somewhere which is causing this? I think you will have to
turn on the allow_execstack boolean to get this one to go away, or
remove the proprietary software.
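An added illustration of the leak described in the reply above (example code, not from the mail or from any of the packages named in it): a C program creates a unix stream socket pair the way a daemon might hold a private control channel, execs a /bin/sh helper standing in for the network-setup script, and reports whether the socket survived the exec. The helper command, the function name and the use of /bin/sh are my own choices; the fix it demonstrates is the fcntl(fd, F_SETFD, FD_CLOEXEC) call from the reply.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a unix stream socket pair, optionally mark our end close-on-exec,
 * then exec a helper and report whether the helper could still use the
 * descriptor. Returns 1 if the fd leaked into the exec'd child, 0 if it was
 * closed across exec, -1 on error. A leaked fd is what produces an AVC such
 * as "ifconfig_t ... unconfined_t ... tclass=unix_stream_socket" once the
 * helper transitions into a confined domain. */
int fd_leaks_across_exec(int set_cloexec)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int fd = sv[0];
    close(sv[1]);                       /* only one end matters here */

    if (set_cloexec) {
        /* The fix from the reply: the kernel closes the fd on execve(). */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Helper (constructed stand-in for the network script): redirect
         * stdout to the inherited fd. The redirection, and so the command,
         * fails with a non-zero status if the fd is not open in this image. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, ": >&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fd);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: leaked=%d\n", fd_leaks_across_exec(0));
    printf("with FD_CLOEXEC:    leaked=%d\n", fd_leaks_across_exec(1));
    return 0;
}
```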