-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/01/2011 04:33 AM, Arthur Dent wrote:
Hello all,
I did my monthly yum update on my F15 server yesterday. It brought
down a bunch of updates including
selinux-policy-3.9.16-35.fc15.noarch and
selinux-policy-targeted-3.9.16-35.fc15.noarch.
Since then I have been getting several AVCs related to
"unix_stream_socket". They break into 2 types:
SELinux is preventing /usr/libexec/fprintd from 'read, write'
accesses on the unix_stream_socket unix_stream_socket.
and
SELinux is preventing /usr/sbin/sendmail.sendmail from 'read,
write' accesses on the unix_stream_socket unix_stream_socket.
I detail one example of each below.
What should I do about these? I have no idea what might be causing
them...
Thanks
Mark
==================8<=============================================
SELinux is preventing /usr/libexec/fprintd from 'read, write'
accesses on the unix_stream_socket unix_stream_socket.
***** Plugin catchall (50.5 confidence) suggests
***************************
If you believe that fprintd should be allowed read write access on
the unix_stream_socket unix_stream_socket by default. Then you
should report this as a bug. You can generate a local policy module
to allow this access. Do allow this access for now by executing: #
grep fprintd /var/log/audit/audit.log | audit2allow -M mypol #
semodule -i mypol.pp
***** Plugin leaks (50.5 confidence) suggests
******************************
If you want to ignore fprintd trying to read write access the
unix_stream_socket unix_stream_socket, because you believe it
should not need this access. Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do # grep /usr/libexec/fprintd /var/log/audit/audit.log |
audit2allow -D -M mypol # semodule -i mypol.pp
Additional Information: Source Context
system_u:system_r:fprintd_t:s0-s0:c0.c1023 Target Context
system_u:system_r:init_t:s0 Target Objects
unix_stream_socket [ unix_stream_socket ] Source
fprintd Source Path /usr/libexec/fprintd Port
<Unknown> Host troodos.org.uk Source RPM
Packages fprintd-0.2.0-3.fc15 Target RPM Packages
Policy RPM selinux-policy-3.9.16-35.fc15
Selinux Enabled True Policy Type
targeted Enforcing Mode Enforcing Host Name
troodos.org.uk Platform Linux troodos.org.uk
2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16 04:17:30 UTC 2011 i686
i686 Alert Count 8 First Seen
Tue Aug 30 10:17:09 2011 Last Seen Thu Sep 1
09:14:32 2011 Local ID
f5ca1075-789c-4c8f-971d-8919dd496044
Raw Audit Messages type=AVC msg=audit(1314864872.594:5072): avc:
denied { read write } for pid=27863 comm="fprintd"
path="socket:[14520]" dev=sockfs ino=14520
scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1314864872.594:5072): avc: denied { read write
} for pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs
ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314864872.594:5072): arch=i386
syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008
a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd
subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
Hash: fprintd,fprintd_t,init_t,unix_stream_socket,read,write
audit2allow
#============= fprintd_t ============== allow fprintd_t
init_t:unix_stream_socket { read write };
audit2allow -R
#============= fprintd_t ============== allow fprintd_t
init_t:unix_stream_socket { read write };
==================8<=============================================
SELinux is preventing /usr/sbin/sendmail.sendmail from 'read,
write' accesses on the unix_stream_socket unix_stream_socket.
***** Plugin catchall (50.5 confidence) suggests
***************************
If you believe that sendmail.sendmail should be allowed read write
access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug. You can generate a local
policy module to allow this access. Do allow this access for now by
executing: # grep sendmail /var/log/audit/audit.log | audit2allow
-M mypol # semodule -i mypol.pp
***** Plugin leaks (50.5 confidence) suggests
******************************
If you want to ignore sendmail.sendmail trying to read write access
the unix_stream_socket unix_stream_socket, because you believe it
should not need this access. Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do # grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log |
audit2allow -D -M mypol # semodule -i mypol.pp
Additional Information: Source Context
system_u:system_r:system_mail_t:s0-s0:c0.c1023 Target Context
system_u:system_r:init_t:s0 Target Objects
unix_stream_socket [ unix_stream_socket ] Source
sendmail Source Path /usr/sbin/sendmail.sendmail
Port <Unknown> Host
troodos.org.uk Source RPM Packages
sendmail-8.14.5-1.fc15 Target RPM Packages Policy RPM
selinux-policy-3.9.16-35.fc15 Selinux Enabled True
Policy Type targeted Enforcing Mode
Enforcing Host Name troodos.org.uk Platform
Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1 SMP Tue Aug 16
04:17:30 UTC 2011 i686 i686 Alert Count 14 First
Seen Wed Aug 31 02:20:01 2011 Last Seen
Thu Sep 1 06:40:01 2011 Local ID
45c301bb-43a3-4b46-b23b-549d56586333
Raw Audit Messages type=AVC msg=audit(1314855601.515:4541): avc:
denied { read write } for pid=26981 comm="sendmail"
path="socket:[13124]" dev=sockfs ino=13124
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1314855601.515:4541): avc: denied { read write
} for pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs
ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314855601.515:4541): arch=i386
syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8
a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51
fsgid=51 tty=(none) ses=634 comm=sendmail
exe=/usr/sbin/sendmail.sendmail
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
Hash: sendmail,system_mail_t,init_t,unix_stream_socket,read,write
audit2allow
#============= system_mail_t ============== allow system_mail_t
init_t:unix_stream_socket { read write };
audit2allow -R
#============= system_mail_t ============== allow system_mail_t
init_t:unix_stream_socket { read write };
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
The analysys is correct they are a leaked file descriptor.
# grep unix_stream_socket /var/log/audit/audit.log | audit2allow -D -M
mypol
# semodule -i mypol.pp
Will tell SELinux to ignore the access.
This is probably just init handing over a unix_stream_socket as stdin
to daemons it starts and these daemons passing the descriptor along.
We probably should just dontaudit them in general.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org/
iEYEARECAAYFAk5fzDsACgkQrlYvE4MpobNG0QCgwfg4VdjlnLdFYofTbX/x4Y2z
rCIAoIci2JXk/uHCSi9+JzMIDKAy/ZBw
=TsQO
-----END PGP SIGNATURE-----