On Tue, 23 Apr 2013 17:44:33 +0100, Junk wrote:
On 23 Apr 2013, at 17:10, Beartooth beartooth@comcast.net wrote:
On Mon, 22 Apr 2013 16:40:19 +0800, Ed Greshko wrote: [....]
The only thing worse than a poorly asked question is a cryptic answer.
OK, first off, I'm the OP.
I suppose I should be flattered at being addressed as if I were an Alpha Plus Technoid; but I'm not one. I'm just an old twice-retired bookworm, running Fedora because there's more and better help online for it than for anything else I've tried (most of the well-known distros), and because I began back in '98 with RedHat. I can't imagine anything I have being of interest to an intruder.
You're right. They probably aren't interested in what you have. They might be interested in taking over your machine as part of a botnet though. A large number of attacks are now automated against wide ranges of devices.
Well, yes, I suppose some bad guy wanting only lots of machines, any machines, might like mine, too.
All the replies in this thread so far have been way over my head. The one thing I gather some of you want is the error message from SEL, verbatim. I don't have it; I presume it's in some log somewhere, but I have no idea how to find that log.
Try sealert -a /var/log/audit/audit.log
[root@Hbsk2 ~]# sealert -a /var/log/audit/audit.log
 12% done[Errno 2] No such file or directory: 'wine-preloader'
100% done
found 3 alerts in /var/log/audit/audit.log
-----------------------------------------------------------------------------
[snip]
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect .
***** Plugin mmap_zero (53.1 confidence) suggests **************************
If you do not think /usr/bin/arora should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests *******************
If you want to mmap_low_allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
You can read 'unconfined_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1
***** Plugin catchall (5.76 confidence) suggests ***************************
If you believe that arora should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep arora /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        arora
Source Path                   /usr/bin/arora
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           arora-0.11.0-4.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hbsk2.hsd1.va.comcast.net
Platform                      Linux Hbsk2.hsd1.va.comcast.net 3.8.4-102.fc17.i686.PAE #1 SMP Sun Mar 24 13:15:17 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-04-21 16:01:52 EDT
Last Seen                     2013-04-21 16:01:52 EDT
Local ID                      fedad9e7-5ad4-49b0-a517-15a1e9efd7d4
Raw Audit Messages
type=AVC msg=audit(1366574512.695:480): avc: denied { mmap_zero } for pid=25852 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1366574512.695:480): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=7000 a2=3 a3=4022 items=0 ppid=1 pid=25852 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=arora exe=/usr/bin/arora subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash: arora,unconfined_t,unconfined_t,memprotect,mmap_zero
audit2allow
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_t self:memprotect mmap_zero;
audit2allow -R
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_t self:memprotect mmap_zero;
[root@Hbsk2 ~]#
----------------------------------------------------------------------------
Or
grep setroubleshoot /var/log/messages
There will have been a full report in the graphical tool that initially warned you but these should give the same result.
They don't -- this one gets
[root@Hbsk2 ~]# grep setroubleshoot /var/log/messages
Apr 21 16:02:00 Hbsk2 setroubleshoot: SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 6805396b-b8d1-4368-9356-aef00cbb2e43
Apr 22 14:57:12 Hbsk2 setroubleshoot: Plugin Exception wine
Apr 22 14:57:12 Hbsk2 setroubleshoot: SELinux is preventing wine-preloader from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 78752ead-8351-4d64-a04d-a2f500d942cd
[root@Hbsk2 ~]#