Monitoring and prevention of MBR activity.
by Robb III, George B.
Hi All-
Have an interesting problem in which monitoring and preventing activity on
the MBR would be very useful.
Has anyone used SELinux for this type of task?
Thanks for any assistance,
George
12 years, 8 months
unix_stream_socket AVC
by Arthur Dent
Hello all,
I did my monthly yum update on my F15 server yesterday. It brought down
a bunch of updates including selinux-policy-3.9.16-35.fc15.noarch and
selinux-policy-targeted-3.9.16-35.fc15.noarch.
Since then I have been getting several AVCs related to
"unix_stream_socket". They break into 2 types:
SELinux is preventing /usr/libexec/fprintd from 'read, write' accesses
on the unix_stream_socket unix_stream_socket.
and
SELinux is preventing /usr/sbin/sendmail.sendmail from 'read, write'
accesses on the unix_stream_socket unix_stream_socket.
I detail one example of each below.
What should I do about these? I have no idea what might be causing
them...
Thanks
Mark
==================8<=============================================
SELinux is preventing /usr/libexec/fprintd from 'read, write' accesses on the unix_stream_socket unix_stream_socket.
***** Plugin catchall (50.5 confidence) suggests ***************************
If you believe that fprintd should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
***** Plugin leaks (50.5 confidence) suggests ******************************
If you want to ignore fprintd trying to read write access the unix_stream_socket unix_stream_socket, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/libexec/fprintd /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context system_u:system_r:init_t:s0
Target Objects unix_stream_socket [ unix_stream_socket ]
Source fprintd
Source Path /usr/libexec/fprintd
Port <Unknown>
Host troodos.org.uk
Source RPM Packages fprintd-0.2.0-3.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-35.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name troodos.org.uk
Platform Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1
SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
Alert Count 8
First Seen Tue Aug 30 10:17:09 2011
Last Seen Thu Sep 1 09:14:32 2011
Local ID f5ca1075-789c-4c8f-971d-8919dd496044
Raw Audit Messages
type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008 a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
Hash: fprintd,fprintd_t,init_t,unix_stream_socket,read,write
audit2allow
#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket { read write };
audit2allow -R
#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket { read write };
==================8<=============================================
SELinux is preventing /usr/sbin/sendmail.sendmail from 'read, write' accesses on the unix_stream_socket unix_stream_socket.
***** Plugin catchall (50.5 confidence) suggests ***************************
If you believe that sendmail.sendmail should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
***** Plugin leaks (50.5 confidence) suggests ******************************
If you want to ignore sendmail.sendmail trying to read write access the unix_stream_socket unix_stream_socket, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context system_u:system_r:init_t:s0
Target Objects unix_stream_socket [ unix_stream_socket ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host troodos.org.uk
Source RPM Packages sendmail-8.14.5-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-35.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name troodos.org.uk
Platform Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1
SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
Alert Count 14
First Seen Wed Aug 31 02:20:01 2011
Last Seen Thu Sep 1 06:40:01 2011
Local ID 45c301bb-43a3-4b46-b23b-549d56586333
Raw Audit Messages
type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8 a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51 fsgid=51 tty=(none) ses=634 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
Hash: sendmail,system_mail_t,init_t,unix_stream_socket,read,write
audit2allow
#============= system_mail_t ==============
allow system_mail_t init_t:unix_stream_socket { read write };
audit2allow -R
#============= system_mail_t ==============
allow system_mail_t init_t:unix_stream_socket { read write };
12 years, 8 months
sulogin
by jeremymiller@ups.com
When I boot my box to single user mode I get this error when sulogin tries to run.
type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Because of the policy denying the write to /dev/pts/0 I don't get the normal prompt:
Give root password for maintenance
(or type Control-D to continue):
Any ideas if this is expected? I cannot replicate it once I'm in run-level 3.
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
# ls -ldZ /dev/pts
drwxr-xr-x. root root system_u:object_r:devpts_t:s0 /dev/pts
Red Hat Enterprise Linux Server release 6.1 (Santiago)
--
JM
12 years, 8 months
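An added example, not code from any of the posts above: a small Python parser that reads both the audit.log form of AVC records (the `type=AVC msg=audit(...)` lines in the unix_stream_socket post) and the kernel/console form (`type=1400 audit(...)` in the sulogin post), de-duplicates the doubled AVC lines that setroubleshoot prints, joins each denial to the SYSCALL record that shares its serial number, and reproduces the `allow` rule that audit2allow would emit. The `likely_fd_leak` flag is my own heuristic, not something the posts state: a socket denial raised during `execve` means the descriptor was inherited from the parent, which is what the "leaks" plugin hints at, and the usual fix is close-on-exec in the parent rather than an allow rule. The sample input is copied from the two posts.

```python
import re

# Both audit.log form ("type=AVC msg=audit(ts:serial): avc:  denied ...")
# and the kernel/console form ("type=1400 audit(ts:serial): avc:  denied ...").
AVC_RE = re.compile(
    r"type=(?:AVC|1400)\s+(?:msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r"\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes that are descriptors rather than filesystem objects.
SOCKET_CLASSES = {
    "unix_stream_socket", "unix_dgram_socket", "tcp_socket", "udp_socket",
    "netlink_socket", "rawip_socket", "socket", "fd",
}


def _kv(text):
    """Turn 'a=b c="d e"' into {'a': 'b', 'c': 'd e'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    """'system_u:system_r:fprintd_t:s0-s0:c0.c1023' -> 'fprintd_t'."""
    return context.split(":")[2]


def parse_audit(lines):
    """Parse AVC and SYSCALL records; return one dict per distinct denial."""
    syscalls = {}   # serial -> fields of the SYSCALL record
    denials = {}    # dedup key -> denial (setroubleshoot prints each AVC twice)
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            syscalls[m.group("serial")] = _kv(m.group("rest"))
            continue
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        f = _kv(m.group("rest"))
        perms = tuple(m.group("perms").split())
        key = (m.group("serial"), f["scontext"], f["tcontext"], f["tclass"], perms)
        denials.setdefault(key, {
            "serial": m.group("serial"),
            "comm": f.get("comm"),
            "path": f.get("path"),
            "perms": perms,
            "source_type": _type_of(f["scontext"]),
            "target_type": _type_of(f["tcontext"]),
            "tclass": f["tclass"],
        })
    out = []
    for d in denials.values():
        sc = syscalls.get(d["serial"], {})
        d["syscall"] = sc.get("syscall")
        d["exe"] = sc.get("exe")
        # Heuristic (my assumption, not from the posts): a socket denied during
        # execve was inherited from the parent, i.e. a leaked descriptor.
        d["likely_fd_leak"] = (d["syscall"] == "execve"
                               and d["tclass"] in SOCKET_CLASSES)
        out.append(d)
    return out


def allow_rule(d):
    """The rule audit2allow would emit for one denial."""
    return "allow %s %s:%s { %s };" % (
        d["source_type"], d["target_type"], d["tclass"], " ".join(d["perms"]))


# Sample input copied from the two posts above (AVC lines appear twice, as pasted).
SAMPLE = """
type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008 a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8 a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51 fsgid=51 tty=(none) ses=634 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
""".strip().splitlines()

if __name__ == "__main__":
    for d in parse_audit(SAMPLE):
        print("%s (%s) syscall=%s fd-leak=%s" % (
            d["comm"], d["path"], d["syscall"], d["likely_fd_leak"]))
        print("   ", allow_rule(d))
```

Run against a real log with `parse_audit(open("/var/log/audit/audit.log"))`; the point of joining on the serial is that the SYSCALL record tells you whether an allow rule would be papering over an inherited descriptor (execve) or a genuine access the confined domain needs, which is exactly the decision the catchall and leaks plugins leave to you.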