selinux September 2011

selinux@lists.fedoraproject.org

25 participants
23 discussions

Monitoring and prevention of MBR activity.
by Robb III, George B. 06 Sep '11

06 Sep '11

Hi All- Have an interesting problem in which monitoring and preventing activity on the MBR would be very useful. Has anyone used SELinux for this type of task? Thanks for any assistance, George

5 5

unix_stream_socket AVC
by Arthur Dent 01 Sep '11

01 Sep '11

Hello all, I did my monthly yum update on my F15 server yesterday. It brought down a bunch of updates including selinux-policy-3.9.16-35.fc15.noarch and selinux-policy-targeted-3.9.16-35.fc15.noarch. Since then I have been getting several AVCs related to "unix_stream_socket". They break into 2 types: SELinux is preventing /usr/libexec/fprintd from 'read, write' accesses on the unix_stream_socket unix_stream_socket. and SELinux is preventing /usr/sbin/sendmail.sendmail from 'read, write' accesses on the unix_stream_socket unix_stream_socket. I detail one example of each below. What should I do about these? I have no idea what might be causing them... Thanks Mark ==================8<============================================= SELinux is preventing /usr/libexec/fprintd from 'read, write' accesses on the unix_stream_socket unix_stream_socket. ***** Plugin catchall (50.5 confidence) suggests *************************** If you believe that fprintd should be allowed read write access on the unix_stream_socket unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep fprintd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp ***** Plugin leaks (50.5 confidence) suggests ****************************** If you want to ignore fprintd trying to read write access the unix_stream_socket unix_stream_socket, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/libexec/fprintd /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:fprintd_t:s0-s0:c0.c1023 Target Context system_u:system_r:init_t:s0 Target Objects unix_stream_socket [ unix_stream_socket ] Source fprintd Source Path /usr/libexec/fprintd Port <Unknown> Host troodos.org.uk Source RPM Packages fprintd-0.2.0-3.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-35.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name troodos.org.uk Platform Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686 Alert Count 8 First Seen Tue Aug 30 10:17:09 2011 Last Seen Thu Sep 1 09:14:32 2011 Local ID f5ca1075-789c-4c8f-971d-8919dd496044 Raw Audit Messages type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket type=AVC msg=audit(1314864872.594:5072): avc: denied { read write } for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008 a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null) Hash: fprintd,fprintd_t,init_t,unix_stream_socket,read,write audit2allow #============= fprintd_t ============== allow fprintd_t init_t:unix_stream_socket { read write }; audit2allow -R #============= fprintd_t ============== allow fprintd_t init_t:unix_stream_socket { read write }; ==================8<============================================= SELinux is preventing /usr/sbin/sendmail.sendmail from 'read, write' accesses on the unix_stream_socket unix_stream_socket. ***** Plugin catchall (50.5 confidence) suggests *************************** If you believe that sendmail.sendmail should be allowed read write access on the unix_stream_socket unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sendmail /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp ***** Plugin leaks (50.5 confidence) suggests ****************************** If you want to ignore sendmail.sendmail trying to read write access the unix_stream_socket unix_stream_socket, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023 Target Context system_u:system_r:init_t:s0 Target Objects unix_stream_socket [ unix_stream_socket ] Source sendmail Source Path /usr/sbin/sendmail.sendmail Port <Unknown> Host troodos.org.uk Source RPM Packages sendmail-8.14.5-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-35.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name troodos.org.uk Platform Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686 Alert Count 14 First Seen Wed Aug 31 02:20:01 2011 Last Seen Thu Sep 1 06:40:01 2011 Local ID 45c301bb-43a3-4b46-b23b-549d56586333 Raw Audit Messages type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket type=AVC msg=audit(1314855601.515:4541): avc: denied { read write } for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8 a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51 fsgid=51 tty=(none) ses=634 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) Hash: sendmail,system_mail_t,init_t,unix_stream_socket,read,write audit2allow #============= system_mail_t ============== allow system_mail_t init_t:unix_stream_socket { read write }; audit2allow -R #============= system_mail_t ============== allow system_mail_t init_t:unix_stream_socket { read write };

2 1

sulogin
by jeremymiller＠ups.com 01 Sep '11

01 Sep '11

When I boot my box to single user mode I get this error when sulogin tries to run. type=1400 audit(1296260632.174:5): avc: denied { write } for pid=1544 comm="sulogin" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:sulogin_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file Because of the policy denying the write to /dev/pts/0 I don't get the normal prompt: Give root password for maintenance (or type Control-D to continue): Any ideas if this is expected? I cannot replicate it once I'm in run-level 3. # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted # ls -ldZ /dev/pts drwxr-xr-x. root root system_u:object_r:devpts_t:s0 /dev/pts Red Hat Enterprise Linux Server release 6.1 (Santiago -- JM

3 2

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2011