F13: nautilus & mmap

Daniel B. Thurman dant at cdkkt.com
Tue Dec 14 23:52:35 UTC 2010


On 12/14/2010 03:48 PM, Dominick Grift wrote:
> On 12/15/2010 12:41 AM, Daniel B. Thurman wrote:
> > On 12/14/2010 03:35 PM, Dominick Grift wrote:
> >> On 12/15/2010 12:32 AM, Daniel B. Thurman wrote:
> >>> On 12/14/2010 02:45 PM, Daniel J Walsh wrote:
> >>>> On 12/14/2010 05:02 PM, Daniel B. Thurman wrote:
> >>>>
> >>>>> Not sure what this means, but it sounds ominous...
> >>>>> Using the latest updates.
> >>>>
> >>>>> ==================================================
> >>>>> Summary:
> >>>>
> >>>>> Your system may be seriously compromised! /usr/bin/nautilus (deleted)
> >>>>> attempted to mmap low kernel memory.
> >>>>
> >>>>> Detailed Description:
> >>>>
> >>>>> SELinux has denied nautilus the ability to mmap a low area of the
> >>>>> kernel address space. The ability to mmap a low area of the address
> >>>>> space is configured by /proc/sys/kernel/mmap_min_addr. Preventing such
> >>>>> mappings helps protect against exploiting null deref bugs in the
> >>>>> kernel. All applications that need this access should have already
> >>>>> had policy written for them. If a compromised application tries to
> >>>>> modify the kernel this AVC would be generated.
> >>>>> This is a serious issue. Your system may very well be compromised.
> >>>>
> >>>>> Allowing Access:
> >>>>
> >>>>> Contact your security administrator and report this issue.
> >>>>
> >>>>> Additional Information:
> >>>>
> >>>>> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >>>>> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >>>>> Target Objects                None [ memprotect ]
> >>>>> Source                        nautilus
> >>>>> Source Path                   /usr/bin/nautilus (deleted)
> >>>>> Port                          <Unknown>
> >>>>> Host                          (removed)
> >>>>> Source RPM Packages          
> >>>>> Target RPM Packages          
> >>>>> Policy RPM                    selinux-policy-3.7.19-74.fc13
> >>>>> Selinux Enabled               True
> >>>>> Policy Type                   targeted
> >>>>> Enforcing Mode                Enforcing
> >>>>> Plugin Name                   mmap_zero
> >>>>> Host Name                     (removed)
> >>>>> Platform                      Linux <host>.<domain>.com 2.6.34.7-61.fc13.i686 #1 SMP
> >>>>>                               Tue Oct 19 04:42:47 UTC 2010 i686 i686
> >>>>> Alert Count                   1186
> >>>>> First Seen                    Thu 09 Dec 2010 12:08:59 PM PST
> >>>>> Last Seen                     Thu 09 Dec 2010 12:13:09 PM PST
> >>>>> Local ID                      aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
> >>>>> Line Numbers                 
> >>>>
> >>>>> Raw Audit Messages           
> >>>>
> >>>>> node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc:
> >>>>> denied  { mmap_zero } for  pid=26679 comm="nautilus"
> >>>>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >>>>> tclass=memprotect
> >>>>
> >>>>> node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
> >>>>> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
> >>>>> items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
> >>>>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
> >>>>> exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
> >>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >>>>
> >>>>
> >>>>> --
> >>>>> selinux mailing list
> >>>>> selinux at lists.fedoraproject.org
> >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>
> >>>>
> >>>> This is bad.  I have no idea why it would need this and it should be
> >>>> denied.  Did you try to execute a wine app?
> >>>>
> >>>>
> >>> Uh, I don't remember if I did, is there a way to tell if I did?
> >>
> >>> I have another related one, should I post it together with this
> >>> one or open a new post?  It is a Nautilus problem as well.
> >>
> >> use this thread. nautilus (most likely) should not be doing this.
> >> Something's wrong here; the question remains whether it is a bug in
> >> nautilus or an intrusion attempt (nautilus compromised), in my personal
> >> opinion.
>
> > OK, I added the other selinux error as a reply to my original posting.
>
> > I have no idea if it is a bug or an intrusion, but this system I am
> > on is not exposed AFAIK to the Internet, it is also behind a firewall
> > if that means anything...
>
> And you are the only user running nautilus?
Yes.
> The other AVC denial you posted looks similar to this one.
> I only took a quick look so i might be mistaken.
>
> I guess that might narrow us down to a bug in nautilus (it could
> probably also be a misconfiguration maybe)
>
> Fact is I am running nautilus confined in my f14 system, and I have seen
> it doing a lot of stuff but never this...
>
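The raw AVC and SYSCALL records quoted in the report carry more than the setroubleshoot summary shows, and decoding them is the first triage step before choosing between "bug" and "intrusion". What follows is an added example written for this thread; it is not code from the list, from setroubleshoot or from Fedora. It pairs the two records by audit serial, maps arch=40000003 / syscall=192 to i386 mmap2, expands the prot and flags words, decodes the hex-encoded exe field, and compares the requested address with vm.mmap_min_addr. The two record strings are constructed copies of the ones quoted above; the syscall tables are deliberately partial, and the 65536 fallback is an assumption used only when /proc/sys/kernel/mmap_min_addr cannot be read.

```python
"""Decode an SELinux mmap_zero AVC/SYSCALL pair from the raw audit log.
Added example for the thread above, not setroubleshoot or Fedora code."""
import errno
import re

# Constructed copies of the two records quoted in the post.
AVC_RECORD = (
    'node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc:  '
    'denied  { mmap_zero } for  pid=26679 comm="nautilus" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect'
)
SYSCALL_RECORD = (
    'node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406): '
    'arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22 '
    'items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500 '
    'fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus" '
    'exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)'
)

# AUDIT_ARCH_* from <linux/audit.h>: ELF e_machine | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE.
ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64"}
# Partial tables, memory-mapping calls only (assumption: extend from asm/unistd_*.h).
SYSCALLS = {"i386": {90: "mmap", 125: "mprotect", 192: "mmap2"},
            "x86_64": {9: "mmap", 10: "mprotect"}}
# mmap(2) bit values for x86 Linux (asm-generic/mman-common.h, asm-generic/mman.h).
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS",
            0x100: "MAP_GROWSDOWN", 0x4000: "MAP_NORESERVE", 0x8000: "MAP_POPULATE"}
MAP_FIXED = 0x10
# Fields auditd hex-encodes (unquoted) whenever the value contains spaces or odd bytes.
STRING_FIELDS = {"exe", "comm", "cwd", "name", "proctitle"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'(granted|denied)\s+\{([^}]*)\}')


def parse_record(line):
    """Split one audit record into a dict; adds 'serial' and, for AVC lines, 'perms'."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw.strip('"')
        elif key in STRING_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    fields["serial"] = int(SERIAL_RE.search(fields["msg"]).group(2))
    m = PERMS_RE.search(line)
    if m:
        fields["decision"], fields["perms"] = m.group(1), m.group(2).split()
    return fields


def bit_names(value, table):
    """Expand a flag word into symbolic names, keeping any unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names + ([hex(unknown)] if unknown else [])


def read_mmap_min_addr(path="/proc/sys/kernel/mmap_min_addr", default=65536):
    """Live threshold of the running kernel; the 65536 default is an assumption for offline use."""
    try:
        with open(path) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


def decode_syscall(fields, mmap_min_addr):
    """Turn the numeric SYSCALL fields into something a human can reason about."""
    arch = ARCHES.get(int(fields["arch"], 16), "unknown")
    nr = int(fields["syscall"])
    name = SYSCALLS.get(arch, {}).get(nr, "syscall_%d" % nr)
    args = [int(fields["a%d" % i], 16) for i in range(4)]
    rc = int(fields["exit"])
    info = {"arch": arch, "syscall": name, "pid": int(fields["pid"]),
            "comm": fields["comm"], "exe": fields["exe"],
            # "/proc/PID/exe (deleted)": the file that was executed was unlinked afterwards.
            "exe_replaced_on_disk": fields["exe"].endswith(" (deleted)"),
            "errno": errno.errorcode.get(-rc) if rc < 0 else None}
    if name in ("mmap", "mmap2"):
        info.update(addr=args[0], length=args[1],
                    prot=bit_names(args[2], PROT_BITS), flags=bit_names(args[3], MAP_BITS),
                    addr_is_hint=not args[3] & MAP_FIXED,   # without MAP_FIXED a0 is only a hint
                    below_mmap_min_addr=args[0] < mmap_min_addr)
    return info


def triage(avc_line, syscall_line, mmap_min_addr=None):
    """Pair an AVC record with its SYSCALL record and summarise the denied mapping."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["serial"] != sc["serial"]:
        raise ValueError("AVC and SYSCALL records belong to different events")
    if mmap_min_addr is None:
        mmap_min_addr = read_mmap_min_addr()
    info = decode_syscall(sc, mmap_min_addr)
    info["avc"] = {"perms": avc["perms"], "tclass": avc["tclass"],
                   "scontext": avc["scontext"], "tcontext": avc["tcontext"]}
    return info


if __name__ == "__main__":
    import json
    print(json.dumps(triage(AVC_RECORD, SYSCALL_RECORD, mmap_min_addr=65536), indent=2))
```

Run against the records from the post this reports an i386 mmap2(0, 0xa000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS) that failed with EACCES. Three details are worth reading off before reaching any conclusion: EACCES is the errno an AVC denial returns, whereas a refusal by the plain vm.mmap_min_addr check (no CAP_SYS_RAWIO, SELinux not involved) would show up as EPERM; a3=0x22 carries no MAP_FIXED, so the 0 in a0 was a hint rather than a demanded address; and the " (deleted)" suffix on exe means the file behind /proc/26679/exe was unlinked after the process started, which is what a package update of a running program looks like, so the process is still executing the old image and verifying the on-disk binary says nothing about what is in memory.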