Hi all,
I've just upgraded an fc13 x86_64 box to fc14, and had quite a bit of trouble with the upgrade process due to a hardware problem. After eventually completing the upgrade, I'm left with one remaining selinux error that I can't figure out:
[ 10.017350] type=1400 audit(1299697430.359:4): avc: denied { mmap_zero } for pid=664 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
What is the cause of this, and any suggestions on how to resolve it?
Thanks, Alex
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/09/2011 04:53 PM, Alex wrote:
Hi all,
I've just upgraded an fc13 x86_64 box to fc14, and had quite a bit of trouble with the upgrade process due to a hardware problem. After eventually completing the upgrade, I'm left with one remaining selinux error that I can't figure out:
[ 10.017350] type=1400 audit(1299697430.359:4): avc: denied { mmap_zero } for pid=664 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
What is the cause of this, and any suggestions on how to resolve it?
Thanks, Alex
yum remove vbetool will probably solve your problem. Most likely you do not need it.
Hi,
[ 10.017350] type=1400 audit(1299697430.359:4): avc: denied { mmap_zero } for pid=664 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
What is the cause of this, and any suggestions on how to resolve it?
Thanks, Alex
yum remove vbetool will probably solve your problem. Most likely you do not need it.
Awesome, thanks, that's what I've done.
Best, Alex
Hi,
As a follow-up to my own post, I now have several other selinux errors that I can't figure out:
type=SYSCALL msg=audit(1299712804.077:53): arch=c000003e syscall=2 success=no exit=-13 a0=fac5b0 a1=241 a2=1b6 a3=3293127420 items=0 ppid=3264 pid=3447 auid=4294967295 uid=489 gid=485 euid=489 suid=489 fsuid=489 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="munin_stats" exe="/usr/bin/perl" subj=system_u:system_r:munin_t:s0 key=(null) type=CRED_DISP msg=audit(1299712815.522:54): user pid=3254 uid=0 auid=489 ses=5 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1299712815.524:55): user pid=3254 uid=0 auid=489 ses=5 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
I've tried running this through audit2allow but it doesn't seem to resolve it, even after rebooting and relabeling.
# egrep "httpd|perl|munin|crond" /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
These are all related to my recent install of munin. Would reinstalling those packages make any difference?
Thanks, Alex
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/09/2011 06:25 PM, Alex wrote:
Hi,
As a follow-up to my own post, I now have several other selinux errors that I can't figure out:
type=SYSCALL msg=audit(1299712804.077:53): arch=c000003e syscall=2 success=no exit=-13 a0=fac5b0 a1=241 a2=1b6 a3=3293127420 items=0 ppid=3264 pid=3447 auid=4294967295 uid=489 gid=485 euid=489 suid=489 fsuid=489 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="munin_stats" exe="/usr/bin/perl" subj=system_u:system_r:munin_t:s0 key=(null) type=CRED_DISP msg=audit(1299712815.522:54): user pid=3254 uid=0 auid=489 ses=5 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1299712815.524:55): user pid=3254 uid=0 auid=489 ses=5 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
I've tried running this through audit2allow but it doesn't seem to resolve it, even after rebooting and relabeling.
# egrep "httpd|perl|munin|crond" /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
These are all related to my recent install of munin. Would reinstalling those packages make any difference?
Thanks, Alex
Those are regular audit messages and have nothing to do with SELinux. SELinux message either are type=AVC or type=SELINUX_ERR
Hi,
I've tried running this through audit2allow but it doesn't seem to resolve it, even after rebooting and relabeling.
# egrep "httpd|perl|munin|crond" /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
These are all related to my recent install of munin. Would reinstalling those packages make any difference?
Thanks, Alex
Those are regular audit messages and have nothing to do with SELinux. SELinux message either are type=AVC or type=SELINUX_ERR
Oh :-)
I also ran it with quite a few AVC and SELINUX_ERR messages and it has had no effect:
type=AVC msg=audit(1299774763.043:2272): avc: denied { getattr } for pid=3245 comm="httpd" path="/etc/munin/htpasswd.users" dev=sda1 ino=3543833 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=file
is this a problem with the policy for munin or my system in general?
Is each package responsible for maintaining their own selinux policy and installing it at the time the package is installed?
Thanks, Alex
Alex wrote:
is this a problem with the policy for munin or my system in general?
If you have already relabeled (and it sounds like you have) then yes, it would be a bug with selinux-policy.
You can always generate a policy to workaround the issue with:
$ audit2allow -M mypolicy [paste AVC message here] CTRL+D # semodule -i mypolicy.pp
I would suggest you collect all the information you can and open a bug report.
After the issue is resolved you can remove your policy with: # semodule -r mypolicy
Is each package responsible for maintaining their own selinux policy and installing it at the time the package is installed?
No. selinux-policy contains the policy for all Fedora packages.
Hi,
is this a problem with the policy for munin or my system in general?
If you have already relabeled (and it sounds like you have) then yes, it would be a bug with selinux-policy.
You can always generate a policy to workaround the issue with:
$ audit2allow -M mypolicy [paste AVC message here] CTRL+D # semodule -i mypolicy.pp
In a previous message in this thread, I wrote that I had done just that:
# cat mylog type=AVC msg=audit(1299774763.043:2272): avc: denied { getattr } for pid=3245 comm="httpd" path="/etc/munin/htpasswd.users" dev=sda1 ino=3543833 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=file type=AVC msg=audit(1299777304.684:2366): avc: denied { write } for pid=12066 comm="munin_stats" name="munin_stats-127.0.0.1" dev=sda1 ino=3676145 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:munin_plugin_state_t:s0 tclass=file
# cat mylog | audit2allow -M mypol && semodule -i mypol.pp ******************** IMPORTANT *********************** To make this policy package active, execute:
semodule -i mypol.pp
And it has no effect..
I would suggest you collect all the information you can and open a bug report.
Does this still sound like a bug or am I doing something wrong?
Thanks, Alex
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/10/2011 12:18 PM, Alex wrote:
Hi,
is this a problem with the policy for munin or my system in general?
If you have already relabeled (and it sounds like you have) then yes, it would be a bug with selinux-policy.
You can always generate a policy to workaround the issue with:
$ audit2allow -M mypolicy [paste AVC message here] CTRL+D # semodule -i mypolicy.pp
In a previous message in this thread, I wrote that I had done just that:
# cat mylog type=AVC msg=audit(1299774763.043:2272): avc: denied { getattr } for pid=3245 comm="httpd" path="/etc/munin/htpasswd.users" dev=sda1 ino=3543833 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=file type=AVC msg=audit(1299777304.684:2366): avc: denied { write } for pid=12066 comm="munin_stats" name="munin_stats-127.0.0.1" dev=sda1 ino=3676145 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:munin_plugin_state_t:s0 tclass=file
# cat mylog | audit2allow -M mypol && semodule -i mypol.pp ******************** IMPORTANT *********************** To make this policy package active, execute:
semodule -i mypol.pp
And it has no effect..
I would suggest you collect all the information you can and open a bug report.
Does this still sound like a bug or am I doing something wrong?
Thanks, A
We would need to see the new AVC information.
# cat mylog type=AVC msg=audit(1299774763.043:2272): avc: denied { getattr } for pid=3245 comm="httpd" path="/etc/munin/htpasswd.users" dev=sda1 ino=3543833 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=file type=AVC msg=audit(1299777304.684:2366): avc: denied { write } for pid=12066 comm="munin_stats" name="munin_stats-127.0.0.1" dev=sda1 ino=3676145 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:munin_plugin_state_t:s0 tclass=file
# cat mylog | audit2allow -M mypol && semodule -i mypol.pp ******************** IMPORTANT *********************** To make this policy package active, execute:
semodule -i mypol.pp
And it has no effect..
I would suggest you collect all the information you can and open a bug report.
Does this still sound like a bug or am I doing something wrong?
Thanks, A
We would need to see the new AVC information.
Okay, now I'm not sure what's happened. I have these messages in the audit.log:
type=AVC msg=audit(1299782498.255:2552): avc: denied { search } for pid=3245 comm="httpd" name="munin" dev=sda1 ino=3675604 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=dir type=SYSCALL msg=audit(1299782498.255:2552): arch=c000003e syscall=2 success=no exit=-13 a0=7f2c812e4df8 a1=80000 a2=1b6 a3=33 items=0 ppid=1382 pid=3245 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
I notice this from syslog:
Mar 10 13:41:39 gary setroubleshoot: SELinux is preventing /usr/sbin/httpd from search access on the directory /etc/munin. For complete SELinux messages. run sealert -l 1d6377ba-f07e-4cd5-ac6c-0d0e68cda3c0
I followed the instructions, and now I'm able to login to view the munin graphs after authenticating. However, I know I've done this at least once before for the same access problem.
I just now found this in the audit.log:
type=AVC msg=audit(1299783004.601:2571): avc: denied { write } for pid=21883 comm="munin_stats" name="munin_stats-127.0.0.1" dev=sda1 ino=3676145 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:munin_plugin_state_t:s0 tclass=file
However, I'm still able to login.
Thanks, Alex
On Wed, 9 Mar 2011 16:53:48 -0500 Alex mysqlstudent@gmail.com wrote:
eventually completing the upgrade, I'm left with one remaining selinux error that I can't figure out:
[ 10.017350] type=1400 audit(1299697430.359:4): avc: denied { mmap_zero } for pid=664 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vbetool_t:s0-s0:c0.c1023 tclass=memprotect
What is the cause of this, and any suggestions on how to resolve it?
A guess. vbetool is described as follows: vbetool uses lrmi in order to run code from the video BIOS. Currently, it is able to alter DPMS states, save/restore video card state and attempt to initialize the video card from scratch.
Given that, the error seems to say that it is trying to access memory that it is not authorized to have access to when doing its job. Do you map your video bios into memory? I think this is usually turned on the BIOS itself. If not, it might be trying to access the actual BIOS address, and this is not allowed. As I said, this is just a guess, and maybe someone more knowledgeable will answer you.
How does SETroubleshooter suggest you deal with this? If you have it enabled, and are able to see it.
-
Alex -
Daniel J Walsh -
Michael Cronenworth -
stan