SELinux detecting suspicious behavior on my system
Daniel J Walsh
dwalsh at redhat.com
Thu Feb 4 20:00:35 UTC 2010
On 02/04/2010 01:50 PM, Kevin Kempter wrote:
> Hi All;
>
> I've seen several of the below SELinux messages recently, I do have root
> logins disabled in my /etc/ssh/sshd_config file:
>
> <snip>
> PermitRootLogin no
> </snip>
>
>
>
> Any thoughts on this? Is it cause for concern?
>
>
>
>
> ======================================================
> SELinux message:
> ======================================================
>
> Summary:
>
> SELinux is preventing /usr/libexec/polkit-1/polkitd "search" access on
> /root/.config.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux denied access requested by polkitd. It is not expected that this
> access
> is required by polkitd and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context system_u:system_r:policykit_t:s0-s0:c0.c1023
> Target Context system_u:object_r:gnome_home_t:s0
> Target Objects /root/.config [ dir ]
> Source polkitd
> Source Path /usr/libexec/polkit-1/polkitd
> Port <Unknown>
> Host Issac.consistentstate.com
> Source RPM Packages polkit-0.95-0.git20090913.3.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.32-78.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Plugin Name catchall
> Host Name Issac.consistentstate.com
> Platform Linux Issac.consistentstate.com
> 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18
> 19:52:07 UTC 2010 x86_64 x86_64
> Alert Count 11
> First Seen Wed 03 Feb 2010 05:13:02 PM MST
> Last Seen Thu 04 Feb 2010 08:00:56 AM MST
> Local ID 69fff773-fb91-4b4f-b309-25e3e2455071
> Line Numbers
>
> Raw Audit Messages
>
> node=Issac.consistentstate.com type=AVC msg=audit(1265295656.734:13): avc:
> denied { search } for pid=1831 comm="polkitd" name=".config" dev=sda1
> ino=5283846 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:gnome_home_t:s0 tclass=dir
>
> node=Issac.consistentstate.com type=SYSCALL msg=audit(1265295656.734:13):
> arch=c000003e syscall=2 success=no exit=-2 a0=100e640 a1=0 a2=0 a3=1d items=0
> ppid=1830 pid=1831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd"
> exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-
> s0:c0.c1023 key=(null)
>
>
Fixed in selinux-policy-3.6.32-83.fc12