-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- ------------A snip from the logwatch included at end-----------------
Summary:
SELinux is preventing netstat (logwatch_t) "search" to <Unknown> (sysctl_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>,
restorecon -v '<Unknown>'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:sysctl_net_t:s0 Target Objects None [ dir ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 4 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 144ff94f-abf9-47ba-8ab6-bda6cceb41e8 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003 syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./unix,
restorecon -v './unix'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./unix [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 2 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID c323266d-4b2a-4e47-9b13-eeb640939573 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003 syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6 (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./if_inet6,
restorecon -v './if_inet6'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./if_inet6 [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 4 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 9de63b84-aff8-4a49-bc45-510abd4637b3 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied { read } for pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:46): arch=40000003 syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dev,
restorecon -v './dev'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./dev [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages filesystem-2.4.19-1.fc10 Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 6 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 44eb7259-6162-4669-9b01-b5d48a63aaa5 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003 syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Logwatch: --------------------- Network Report Begin ------------------------
Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output.
------------- Network Interfaces ---------------
Ethernet : 1 Other : 1 Total : 2
------------- Ethernet -------------------------
eth1 Link encap:Ethernet HWaddr 00:19:E0:7A:40:4C
------------- Other ----------------------------
lo Link encap:Local Loopback
------------- Network Interfaces ---------------
------------- Network statistics ---------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1 inet6 fe80::219:e0ff:fe7a:404c/64 scope link valid_lft forever preferred_lft forever
Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Iface MTU RX-ERR TX-ERR eth1 1500 no BMRU lo 16436 no LRU
------------- Network statistics ---------------
---------------------- Network Report End -------------------------
- -- gpg id EB547226 Revoked Forgot Password :( aMSN: Frankly3D http://www.frankly3d.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Frank Murphy wrote:
------------A snip from the logwatch included at end-----------------
Summary:
SELinux is preventing netstat (logwatch_t) "search" to <Unknown> (sysctl_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>,
restorecon -v '<Unknown>'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:sysctl_net_t:s0 Target Objects None [ dir ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 4 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 144ff94f-abf9-47ba-8ab6-bda6cceb41e8 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003 syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./unix,
restorecon -v './unix'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./unix [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 2 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID c323266d-4b2a-4e47-9b13-eeb640939573 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003 syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6 (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./if_inet6,
restorecon -v './if_inet6'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./if_inet6 [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 4 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 9de63b84-aff8-4a49-bc45-510abd4637b3 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied { read } for pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:46): arch=40000003 syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dev,
restorecon -v './dev'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./dev [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages filesystem-2.4.19-1.fc10 Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 6 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 44eb7259-6162-4669-9b01-b5d48a63aaa5 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003 syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Logwatch: --------------------- Network Report Begin ------------------------
Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output.
------------- Network Interfaces ---------------
Ethernet : 1 Other : 1 Total : 2
------------- Ethernet -------------------------
eth1 Link encap:Ethernet HWaddr 00:19:E0:7A:40:4C
------------- Other ----------------------------
lo Link encap:Local Loopback
------------- Network Interfaces ---------------
------------- Network statistics ---------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1 inet6 fe80::219:e0ff:fe7a:404c/64 scope link valid_lft forever preferred_lft forever
Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Iface MTU RX-ERR TX-ERR eth1 1500 no BMRU lo 16436 no LRU
------------- Network statistics ---------------
---------------------- Network Report End -------------------------
So you have logwatch execing netstat? Do you know what script is doing this? - -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Daniel J Walsh wrote:
So you have logwatch execing netstat? Do you know what script is doing this?
/usr/share/logwatch/default.conf/logwatch.conf pasteed to:
The only real change is a #Service = "-zz-network", and Detail = Med
Frank
On Sat, Nov 22, 2008 at 01:10:44PM +0000, Frank Murphy wrote:
Daniel J Walsh wrote:
So you have logwatch execing netstat? Do you know what script is doing this?
/usr/share/logwatch/default.conf/logwatch.conf pasteed to:
The only real change is a #Service = "-zz-network", and Detail = Med
There are a few scripts that are disabled by default. The "-zz-network" means "disable the zz-network script". By commenting that out, you are reenabling the zz-network script. Here are the services which are disabled by default which probably don't have SELinux rules for them yet:
Service = "-zz-network" # Prevents execution of zz-network service, which # prints useful network configuration info. Service = "-zz-sys" # Prevents execution of zz-sys service, which # prints useful system configuration info. Service = "-eximstats" # Prevents execution of eximstats service, which # is a wrapper for the eximstats program.
The scripts that run when these are re-enabled are in /usr/share/logwatch/scripts/services/. From my reading of the zz-network script, it calls the following programs:
/sbin/chkconfig /usr/bin/vtysh /usr/sbin/routeadm /sbin/ip netstat ifconfig
and reads the following files:
/etc/sysctl.conf /proc/sys/net/ipv4/ip_forward
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Frank Murphy wrote:
------------A snip from the logwatch included at end-----------------
Summary:
SELinux is preventing netstat (logwatch_t) "search" to <Unknown> (sysctl_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>,
restorecon -v '<Unknown>'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:sysctl_net_t:s0 Target Objects None [ dir ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 4 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 144ff94f-abf9-47ba-8ab6-bda6cceb41e8 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003 syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./unix,
restorecon -v './unix'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./unix [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 2 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID c323266d-4b2a-4e47-9b13-eeb640939573 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003 syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6 (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./if_inet6,
restorecon -v './if_inet6'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./if_inet6 [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 4 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 9de63b84-aff8-4a49-bc45-510abd4637b3 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied { read } for pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:46): arch=40000003 syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dev,
restorecon -v './dev'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects ./dev [ file ] Source ifconfig Source Path /sbin/ifconfig Port <Unknown> Host frank-01 Source RPM Packages net-tools-1.60-91.fc10 Target RPM Packages filesystem-2.4.19-1.fc10 Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 Alert Count 6 First Seen Sat 22 Nov 2008 09:17:13 GMT Last Seen Sat 22 Nov 2008 09:17:13 GMT Local ID 44eb7259-6162-4669-9b01-b5d48a63aaa5 Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003 syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Logwatch: --------------------- Network Report Begin ------------------------
Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output.
------------- Network Interfaces ---------------
Ethernet : 1 Other : 1 Total : 2
------------- Ethernet -------------------------
eth1 Link encap:Ethernet HWaddr 00:19:E0:7A:40:4C
------------- Other ----------------------------
lo Link encap:Local Loopback
------------- Network Interfaces ---------------
------------- Network statistics ---------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1 inet6 fe80::219:e0ff:fe7a:404c/64 scope link valid_lft forever preferred_lft forever
Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Warning: cannot open /proc/net/dev (Permission denied). Limited output. Iface MTU RX-ERR TX-ERR eth1 1500 no BMRU lo 16436 no LRU
------------- Network statistics ---------------
---------------------- Network Report End -------------------------
- -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Added allow rules to selinux-policy-3.5.13-22
selinux@lists.fedoraproject.org
-
Chuck Anderson -
Daniel J Walsh -
Frank Murphy