On 05/09/2016 03:30 PM, CS DBA wrote:
On 05/09/2016 01:39 PM, Rick Stevens wrote:
On 05/09/2016 12:19 PM, CS DBA wrote:
Hi All;
I'm running Fedora 23 KDE Spin. After a recent Firefox update (I'm now at Firefox 46.0.1) I've been getting these SELinux alerts:
The source process: 57656220436F6E74656E74
Attempted this access: create
On this rawip_socket:
The alert gives me 2 choices:
- If I want to use the plugin package:
  you must turn off SELinux controls on the Firefox plugins.
  # setsebool -P unconfined_mozilla_plugin_transition 0
- If I believe that 57656220436F6E74656E74 should be allowed to create
  access on the Unknown rawip_socket by default:
  You should report this as a bug. You can generate a local policy module to allow this access. Allow this access for now by executing:
  # ausearch -c 57656220436F6E74656E74 --raw | audit2allow -M mypol
  # semodule -i mypol.pp
If I click on "Plugin Details" I get this:
SELinux is preventing 57656220436F6E74656E74 from create access on the rawip_socket Unknown.
Plugin: catchall
If you want to allow 57656220436F6E74656E74 to have create access on the Unknown rawip_socket
If you believe that 57656220436F6E74656E74 should be allowed create access on the Unknown rawip_socket by default, you should report this as a bug. You can generate a local policy module to allow this access. Allow this access for now by executing:
# ausearch -c 57656220436F6E74656E74 --raw | audit2allow -M mypol
# semodule -i mypol.pp
Thoughts? Is this a bug? Should I run the setsebool command to allow access?
Smells fishy. I can't see an Internet website having any legitimate need to open a raw IP socket and I really don't see Firefox needing to do such a thing for normal operations. A web interface to an internal process, perhaps, but not a website.
BTW, the digits given, if used as a hex representation of a string, equate to "Web content". Hmmmmmmmmm......... I sure as heck wouldn't enable the boolean or add a policy.
Should I be concerned that my laptop has been compromised? Time to install clamav? Or re-install fedora completely?
I wouldn't go so far as to reinstall. SELinux has blocked a request -- specifically from Firefox -- to open a rawip socket, and that's what it's supposed to do. Why Firefox tried to do that is a guess, but I think you visited a site with some evil Javascript stuff in it and it's the Javascript that's trying to open the port. Since the Javascript would be running in the context of the browser, SELinux reported that Firefox was doing it. Note that antics such as this are another reason to not just blithely allow Javascript to run in your browser. I certainly don't.
So, to your question in more detail...
Are you compromised? Probably not. Emphasis on the "probably."
Is that website evil? If they're injecting Javascript to do things like this, yes and they should be beaten senseless and staked out over an anthill under a noon sun in the Sahara.
Should you ever just enable a boolean or set up a local policy? Not unless you research and understand WHY you'd do such a thing. They do have their uses at times.
Should you disable SELinux? Nope. Generally a bad idea.
Should you run a very restrictive firewall? Oh, yes, indeedy-do!
Should you run virus checkers such as clamav? Hell, yes!
Should you periodically scan your entire disk for viruses using whatever checker you have? Again, hell yes! (I run clamscan every night as a minimum).
Linux is a bit more impervious to the nefarious actions of the evil hackers out there than MacOS and a lot more so than Winblows, but it isn't perfect. If you're surfing the web, wear a full-body condom or two. And always remember the motto:
"Just because I'm paranoid doesn't mean they AREN'T out to get me!"
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340      Yahoo: origrps2      -
-                                                                    -
- "Microsoft is a cross between The Borg and the Ferengi.            -
- Unfortunately they use Borg to do their marketing and Ferengi to   -
- do their programming."                           -- Simon Slavin   -
----------------------------------------------------------------------
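An added example, not part of the thread: a small POSIX shell helper that turns an AVC denial like the one reported above into a readable triage line. auditd hex-encodes string fields such as comm= when they contain a space, which is why the process shows up as 57656220436F6E74656E74; it decodes to "Web Content", the name Firefox gives its content (renderer) processes. The AVC line below is constructed, and the SELinux contexts and pid in it are assumed for illustration.

```shell
#!/bin/sh
# Decode a hex-encoded audit string (pairs of hex digits, one byte each).
audit_unhex() {
    hex=$1 out=""
    case $hex in *[!0-9A-Fa-f]*) return 1 ;; esac   # reject non-hex input
    while [ ${#hex} -ge 2 ]; do
        pair=$(printf '%.2s' "$hex")
        hex=${hex#??}
        # emit the byte through an octal escape, which POSIX printf supports
        out="$out$(printf "\\$(printf '%03o' "$((0x$pair))")")"
    done
    printf '%s' "$out"
}

# Extract one key=value field from an AVC line (value runs to the next space).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The denied permission(s) sit inside "{ ... }", not in a key=value pair.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Process name: a quoted value is used as-is, a bare value is hex-encoded.
avc_comm() {
    raw=$(avc_field "$1" comm)
    case $raw in
        \"*\") printf '%s' "$raw" | sed 's/^"//; s/"$//' ;;
        *)     audit_unhex "$raw" ;;
    esac
}

# One-line summary: which domain was denied what on which object class.
avc_summary() {
    domain=$(avc_field "$1" scontext | cut -d: -f3)
    printf "denied { %s } on %s by '%s' (pid %s, domain %s)\n" \
        "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$(avc_comm "$1")" \
        "$(avc_field "$1" pid)" "$domain"
}

# Constructed sample denial modelled on the alert in the thread (contexts assumed).
SAMPLE_AVC='type=AVC msg=audit(1462830000.123:456): avc:  denied  { create } for  pid=12345 comm=57656220436F6E74656E74 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=rawip_socket permissive=0'

avc_summary "$SAMPLE_AVC"
```

On a live system the same functions can be fed the output of `ausearch -m avc --raw`, which prints one such line per denial.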