Dear all (SELinux experts and testers),
Despite updating selinux-policy packages and relabeling, I am still seeing denied AVCs from setroubleshoot.
SELinux preventing all of the above plus ip (ifconfig_t) "read write" unconfined_t :(
Summary:
SELinux is preventing ip (ifconfig_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by ip. It is not expected that this access is
required by ip and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:ifconfig_t
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects socket [ unix_stream_socket ]
Source ip
Source Path /sbin/ip
Port <Unknown>
Host localhost.localdomain
Source RPM Packages iproute-2.6.26-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686
Alert Count 43
First Seen Fri 24 Oct 2008 01:33:46 PM CDT
Last Seen Fri 24 Oct 2008 01:33:53 PM CDT
Local ID 16290580-6020-4615-908e-c7b32e828a7a
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read
write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs
ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read
write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs
ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read
write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs
ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read
write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs
ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read
write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs
ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003
syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901
pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0
key=(null)
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host localhost.localdomain
Source RPM Packages NetworkManager-0.7.0-0.11.svn4201.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686
Alert Count 1
First Seen Fri 24 Oct 2008 01:35:56 PM CDT
Last Seen Fri 24 Oct 2008 01:35:56 PM CDT
Local ID 6f715f57-6bca-45b3-aa02-dc34581b3423
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read
write } for pid=4004 comm="NetworkManager" path="socket:[11145]"
dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read
write } for pid=4004 comm="NetworkManager" path="socket:[11145]"
dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read
write } for pid=4004 comm="NetworkManager" path="socket:[11145]"
dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read
write } for pid=4004 comm="NetworkManager" path="socket:[11145]"
dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read
write } for pid=4004 comm="NetworkManager" path="socket:[11145]"
dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003
syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003
pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
Summary:
SELinux is preventing knotify4 from making the program stack executable.
Detailed Description:
The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/knotify4'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/bin/knotify4'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects None [ process ]
Source nspluginscan
Source Path /usr/bin/nspluginscan
Port <Unknown>
Host localhost.localdomain
Source RPM Packages kdebase-runtime-4.1.2-5.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-5.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count 38
First Seen Mon 28 Jul 2008 10:50:50 PM CDT
Last Seen Fri 24 Oct 2008 03:15:46 PM CDT
Local ID d1193200-ba21-44ee-bdf0-5b24a80cdb04
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied {
execstack } for pid=2823 comm="knotify4"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003
syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1
pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port <Unknown>
Host localhost.localdomain
Source RPM Packages dhclient-4.0.0-30.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-5.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count 2
First Seen Fri 24 Oct 2008 01:45:01 PM CDT
Last Seen Fri 24 Oct 2008 03:17:34 PM CDT
Local ID 4c789a6b-2778-4d68-bb82-4fa4b8547db5
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read
write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs
ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read
write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs
ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read
write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs
ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read
write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs
ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003
syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066
pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="dhclient" exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
I had a very difficult time updating this machine because I could not get a connection.
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:18 Base address:0xe000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1760 (1.7 KiB) TX bytes:1760 (1.7 KiB)
pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr 00:16:E3:F3:09:DB
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wmaster0 Link encap:UNSPEC HWaddr 00-16-E3-F3-09-DB-F4-EF-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@localhost ~]# ifconfig -a | more
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:18 Base address:0xe000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1760 (1.7 KiB) TX bytes:1760 (1.7 KiB)
pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
[root@localhost ~]# dhclient eth0
Nothing to flush.
PING 10.154.19.1 (10.154.19.1) from 10.154.19.179 eth0: 56(84) bytes of data.
--- 10.154.19.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms
pipe 3
[root@localhost ~]# ifconfig -a | more
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:18 Base address:0xe000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:35 errors:0 dropped:0 overruns:0 frame:0
TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2096 (2.0 KiB) TX bytes:2096 (2.0 KiB)
pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
I had to change the MAC address of the machine to another one that could get access so that I could apply the updates.
The first one, knotify, is a bug that I have reported:
https://bugzilla.redhat.com/show_bug.cgi?id=467210
but it was closed because it was not an SELinux bug. Who has the hot potato now? I keep
seeing this on two of my three machines :(
Has someone else seen this?
Thanks,
Antonio
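The raw audit messages pasted above, run through a small triage script added here (not part of the original post, nor setroubleshoot's own code). The sample records are the page's own AVC lines rejoined onto single lines, with one of setroubleshoot's repeated copies kept to show the de-duplication; denials are grouped by source type, target type, object class and permissions, and a socket inode denied to more than one domain (11145 for both ip and NetworkManager above) is reported separately.

```python
import re

# Sample records, reassembled from the wrapped lines of the reports above.
RAW_AUDIT = """\
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +'
                    r'\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {'serial': int(m.group('serial')),
            'perms': tuple(sorted(m.group('perms').split())),
            'comm': f.get('comm', '?'), 'pid': f.get('pid'),
            'ino': f.get('ino'),  # absent for process-class denials such as execstack
            'tclass': f.get('tclass'),
            # the type is the third colon-separated field of a security context
            'source_type': f['scontext'].split(':')[2],
            'target_type': f['tcontext'].split(':')[2]}

def summarize(text):
    """Drop repeated copies of a record, then group by (source, target, class, perms)."""
    seen, groups = set(), {}
    for rec in filter(None, map(parse_avc, text.splitlines())):
        ident = (rec['serial'], rec['pid'], rec['perms'], rec['tclass'])
        if ident in seen:  # setroubleshoot pastes the same record several times
            continue
        seen.add(ident)
        key = (rec['source_type'], rec['target_type'], rec['tclass'], rec['perms'])
        groups.setdefault(key, []).append((rec['comm'], rec['pid'], rec['ino']))
    return groups

def shared_inodes(groups):
    """Socket inodes denied to more than one source domain: one socket object, several programs."""
    by_ino = {}
    for (src, _tgt, _cls, _perms), procs in groups.items():
        for _comm, _pid, ino in procs:
            if ino:
                by_ino.setdefault(ino, set()).add(src)
    return {ino: sorted(d) for ino, d in by_ino.items() if len(d) > 1}
```

Feed it the output of `ausearch -m AVC` instead of the embedded sample to triage a live machine the same way.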