Arora has just crashed. SELinux reports that I may be under attack and should report. I'm guessing it's a lot more likely SELinux is being needlessly paranoid. (I'm running F17, fully updated, and arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
On 21.04.2013 22:09, Beartooth wrote:
Arora has just crashed. SELinux reports that I may be under attack and should report. I'm guessing it's a lot more likely SELinux is being needlessly paranoid. (I'm running F17, fully updated, and arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
what answer do you expect without providing any information?
SELinux reports that I may be under attack and should report
which is surely not all what SELinux reports http://www.catb.org/esr/faqs/smart-questions.html
On Sun, 21 Apr 2013 22:31:35 +0200, Reindl Harald wrote:
On 21.04.2013 22:09, Beartooth wrote:
Arora has just crashed. [....] (I'm running F17, fully updated,
and
arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
what answer do you expect without providing any information?
Oh come off it. Read what I wrote.
On 04/22/13 05:24, Beartooth wrote:
On Sun, 21 Apr 2013 22:31:35 +0200, Reindl Harald wrote:
On 21.04.2013 22:09, Beartooth wrote:
Arora has just crashed. [....] (I'm running F17, fully updated,
and
arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
what answer do you expect without providing any information?
Oh come off it. Read what I wrote.
I read what you wrote and I have no idea what you're talking about or what kind of help you are expecting.
Please provide more information about the "crash" and provide the output of what is being reported by SELinux.
On 21.04.2013 23:24, Beartooth wrote:
On Sun, 21 Apr 2013 22:31:35 +0200, Reindl Harald wrote:
On 21.04.2013 22:09, Beartooth wrote:
Arora has just crashed. [....] (I'm running F17, fully updated,
and
arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
what answer do you expect without providing any information?
Oh come off it. Read what I wrote
you wrote NOTHING which provides any detailed information helping anybody to help you
On 04/21/2013 03:09 PM, Beartooth wrote:
Arora has just crashed. SELinux reports that I may be under attack and should report. I'm guessing it's a lot more likely SELinux is being needlessly paranoid. (I'm running F17, fully updated, and arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
What are the AVCs? What is the exact wording of the message from SELinux?
On 04/21/2013 11:24 PM, Beartooth wrote:
On Sun, 21 Apr 2013 22:31:35 +0200, Reindl Harald wrote:
On 21.04.2013 22:09, Beartooth wrote:
Arora has just crashed. [....] (I'm running F17, fully updated,
and
arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
what answer do you expect without providing any information?
Oh come off it. Read what I wrote.
yum search Arora
error: rpmdb: BDB0113 Thread/process 19288/140223507343168 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 - (-30973)
error: cannot open Packages database in /var/lib/rpm
CRITICAL:yum.main:
Error: rpmdb open failed
Dude, what are you doing!? :)
poma
Why is this not all automated on the net so there is a global Fedora database of SELinux AVC's. That intelligently ignores but tallies what is known to be a fault and highlights any new breaks ?
Oh, and I believe bugzilla is crap and needs replacing with something more user friendly. It took 4 attempts to make an entry each time losing what I had typed and ended up with an incomplete entry in the end.
These two need to be combined. Also we need all error logs at startup to be beamed into our new "central control centre".
BTW. This is not an April fools joke.
On 21 April 2013 23:09, Steven Stern subscribed-lists@sterndata.com wrote:
On 04/21/2013 03:09 PM, Beartooth wrote:
Arora has just crashed. SELinux reports that I may be under attack and should report. I'm guessing it's a lot more likely SELinux is being needlessly paranoid. (I'm running F17, fully updated, and arora had a probably excessive number of tabs open.)
Is this guess plausible? What should I do?
What are the AVCs? What is the exact wording of the message from SELinux?
-- Steve
On 04/22/13 07:49, poma wrote:
yum search Arora
error: rpmdb: BDB0113 Thread/process 19288/140223507343168 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 - (-30973)
error: cannot open Packages database in /var/lib/rpm
CRITICAL:yum.main:
Error: rpmdb open failed
Dude, what are you doing!? :)
Is that meant to be helpful in any way to the OP?
[egreshko@meimei ~]$ yum search Arora
Loaded plugins: langpacks, presto, refresh-packagekit
adobe-linux-x86_64                                   | 951 B     00:00:00
fedora/18/x86_64/metalink                            | 9.4 kB    00:00:00
google-chrome                                        | 951 B     00:00:00
rpmfusion-free-updates                               | 3.3 kB    00:00:00
rpmfusion-nonfree-updates                            | 3.3 kB    00:00:00
updates/18/x86_64/metalink                           | 5.2 kB    00:00:00
virtualbox                                           | 951 B     00:00:00
updates/pkgtags                                      | 333 B     00:00:00
=============================== N/S Matched: Arora ===============================
arora.x86_64 : A cross platform web browser
Name and summary matches only, use "search all" for everything.
On Sun, Apr 21, 2013 at 8:04 PM, Aaron Gray wrote:
Why is this not all automated on the net so there is a global Fedora database of SELinux AVC's. That intelligently ignores but tallies what is known to be a fault and highlights any new breaks ?
Oh, and I believe bugzilla is crap and needs replacing with something more user friendly. It took 4 attempts to make an entry each time losing what I had typed and ended up with an incomplete entry in the end.
These two need to be combined. Also we need all error logs at startup to be beamed into our new "central control centre".
Bugzilla is the bug tracking system used by hundreds of widely used open source projects and it won't be replaced just like that but yes, improvements could be made especially if more people contribute. I hope you consider doing that.
Rahul
On 22.04.2013 02:04, Aaron Gray wrote:
Why is this not all automated on the net so there is a global Fedora database of SELinux AVC's. That intelligently ignores but tallies what is known to be a fault and highlights any new breaks ?
Oh, and I believe bugzilla is crap and needs replacing with something more user friendly. It took 4 attempts to make an entry each time losing what I had typed and ended up with an incomplete entry in the end.
These two need to be combined. Also we need all error logs at startup to be beamed into our new "central control centre".
BTW. This is not an April fools joke
besides the fact that you should NOT top-post (put your reply above the quote), how does all this rant help anybody help you, since you still refuse to provide any details?
so start providing information or tell your rant to somebody else
On 04/22/13 16:03, Reindl Harald wrote:
On 22.04.2013 02:04, Aaron Gray wrote:
Why is this not all automated on the net so there is a global Fedora database of SELinux AVC's. That intelligently ignores but tallies what is known to be a fault and highlights any new breaks ?
Oh, and I believe bugzilla is crap and needs replacing with something more user friendly. It took 4 attempts to make an entry each time losing what I had typed and ended up with an incomplete entry in the end.
These two need to be combined. Also we need all error logs at startup to be beamed into our new "central control centre".
BTW. This is not an April fools joke
besides the fact that you should NOT top-post (put your reply above the quote), how does all this rant help anybody help you, since you still refuse to provide any details?
so start providing information or tell your rant to somebody else
Of course you do realize that Aaron is not the OP and was just taking the opportunity to insert a rant really unconnected with the OP. So, in a sense, top posting was OK. :-) (note the smiley face to denote sarcasm)
On Mon, 22 Apr 2013 16:40:19 +0800, Ed Greshko wrote: [....]
The only thing worse than a poorly asked question is a cryptic answer.
OK, first off, I'm the OP.
I suppose I should be flattered at being addressed as if I were an Alpha Plus Technoid; but I'm not one. I'm just an old twice-retired bookworm, running Fedora because there's more and better help online for it than for anything else I've tried (most of the well-known distros), and because I began back in '98 with RedHat. I can't imagine anything I have being of interest to an intruder.
All the replies in this thread so far have been way over my head. The one thing I gather some of you want is the error message from SEL, verbatim. I don't have it; I presume it's in some log somewhere, but I have no idea how to find that log.
As for the rest of the comments, however well-meant, I can't tell what is wanted; but I'll try to go find it if someone can make it clear to me.
My guess is that Arora had well over a hundred, but well under two hundred, tabs open when it crashed. SEL then offered me two choices, both having something to do with Arora trying to access memory somewhere that SEL thought it had no business accessing.
A point that may or may not be relevant is that the machine I was using had been running slow, with some of the probably busiest apps (Pan, several browsers, and Alpine) seeming especially slow.
Pan and Firefox (but iirc not Arora) had actually crashed a time or two, in one of two ways. Sometimes they just went away, but I could restart them (and, with one or two of the browsers, eliminate some of the open tabs before full restoration). Sometimes they produced what I've called, in another recent thread here, the Diagonal Screen of Death (DSoD).
On 23 Apr 2013, at 17:10, Beartooth beartooth@comcast.net wrote:
On Mon, 22 Apr 2013 16:40:19 +0800, Ed Greshko wrote: [....]
The only thing worse than a poorly asked question is a cryptic answer.
OK, first off, I'm the OP.
I suppose I should be flattered at being addressed as if I were an Alpha Plus Technoid; but I'm not one. I'm just an old twice-retired bookworm, running Fedora because there's more and better help online for it than for anything else I've tried (most of the well-known distros), and because I began back in '98 with RedHat. I can't imagine anything I have being of interest to an intruder.
You're right. They probably aren't interested in what you have. They might be interested in taking over your machine as part of a botnet though. A large number of attacks are now automated against wide ranges of devices.
All the replies in this thread so far have been way over my head. The one thing I gather some of you want is the error message from SEL, verbatim. I don't have it; I presume it's in some log somewhere, but I have no idea how to find that log.
Try sealert -a /var/log/audit/audit.log
Or
grep setroubleshoot /var/log/messages
There will have been a full report in the graphical tool that initially warned you but these should give the same result.
Junk
On Tue, 23 Apr 2013 17:44:33 +0100, Junk wrote:
On 23 Apr 2013, at 17:10, Beartooth beartooth@comcast.net wrote:
On Mon, 22 Apr 2013 16:40:19 +0800, Ed Greshko wrote: [....]
The only thing worse than a poorly asked question is a cryptic answer.
OK, first off, I'm the OP.
I suppose I should be flattered at being addressed as if I were an Alpha Plus Technoid; but I'm not one. I'm just an old twice-retired bookworm, running Fedora because there's more and better help online for it than for anything else I've tried (most of the well-known distros), and because I began back in '98 with RedHat. I can't imagine anything I have being of interest to an intruder.
You're right. They probably aren't interested in what you have. They might be interested in taking over your machine as part of a botnet though. A large number of attacks are now automated against wide ranges of devices.
Well, yes, I suppose some bad guy wanting only lots of machines, any machines, might like mine, too.
All the replies in this thread so far have been way over my head. The one thing I gather some of you want is the error message from SEL, verbatim. I don't have it; I presume it's in some log somewhere, but I have no idea how to find that log.
Try sealert -a /var/log/audit/audit.log
[root@Hbsk2 ~]# sealert -a /var/log/audit/audit.log
12% done[Errno 2] No such file or directory: 'wine-preloader'
100% donefound 3 alerts in /var/log/audit/audit.log
-----------------------------------------------------------------------------
[snip]
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests **************************

If you do not think /usr/bin/arora should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests *******************

If you want to mmap_low_allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
You can read 'unconfined_selinux' man page for more details.
Do setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests ***************************

If you believe that arora should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep arora /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        arora
Source Path                   /usr/bin/arora
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           arora-0.11.0-4.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hbsk2.hsd1.va.comcast.net
Platform                      Linux Hbsk2.hsd1.va.comcast.net 3.8.4-102.fc17.i686.PAE #1 SMP Sun Mar 24 13:15:17 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-04-21 16:01:52 EDT
Last Seen                     2013-04-21 16:01:52 EDT
Local ID                      fedad9e7-5ad4-49b0-a517-15a1e9efd7d4

Raw Audit Messages
type=AVC msg=audit(1366574512.695:480): avc: denied { mmap_zero } for pid=25852 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1366574512.695:480): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=7000 a2=3 a3=4022 items=0 ppid=1 pid=25852 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=arora exe=/usr/bin/arora subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: arora,unconfined_t,unconfined_t,memprotect,mmap_zero

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_t self:memprotect mmap_zero;

[root@Hbsk2 ~]#
----------------------------------------------------------------------------
Or
grep setroubleshoot /var/log/messages
There will have been a full report in the graphical tool that initially warned you but these should give the same result.
They don't -- this one gets
[root@Hbsk2 ~]# grep setroubleshoot /var/log/messages
Apr 21 16:02:00 Hbsk2 setroubleshoot: SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 6805396b-b8d1-4368-9356-aef00cbb2e43
Apr 22 14:57:12 Hbsk2 setroubleshoot: Plugin Exception wine
Apr 22 14:57:12 Hbsk2 setroubleshoot: SELinux is preventing wine-preloader from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 78752ead-8351-4d64-a04d-a2f500d942cd
[root@Hbsk2 ~]#
Not in particular response to your actual problem, but...
Allegedly, on or about 23 April 2013, Beartooth sent:
I can't imagine anything I have being of interest to an intruder.
These days, it seems that miscreants have little interest in what's on your computer, but are interested in using your computer for their nefarious purposes.
My guess is that Arora had well over a hundred, but well under two hundred, tabs open when it crashed.
I really don't know how anybody does that, with any browser. On any computer that I've ever used, including other people's, the thing grinds to a sludgy halt when anything more than about twenty tabs are open, often far less. Especially with any pages that aren't just plain text. Scripts, Flash, even just lots of pictures, are the kiss of death. And, no, my computer isn't paging out to swap.
On 04/23/2013 07:30 PM, Beartooth wrote:
On Tue, 23 Apr 2013 17:44:33 +0100, Junk wrote:
Try sealert -a /var/log/audit/audit.log
[....]
Excellent work. Looks good. The audit.log reports are the long form of the messages in /var/log/messages. If you copied and pasted "sealert -l 6805396b-b8d1-4368-9356-aef00cbb2e43" then it would show you the exact same message that's in the audit.log. The salient part being
SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect
It's possible that one of your tabs had a page that was trying to exploit your browser to access a region of low memory in the kernel.
It also might be something much more mundane such as a bug in the browser which occurs when you have 100+ tabs open and tries to write to a misaddressed memory region.
Either way I can't imagine having a web browser writing into odd bits of kernel memory is a good idea and it would appear to be a good thing that SELinux stopped it. If it keeps happening when you have lots of tabs I'd file a bug in Bugzilla against arora.
There seems to be a wine app trying to do a similar thing. This appears to be more common and there is a wine-specific boolean to manage it.
setsebool -P wine_mmap_zero_ignore 1
Junk
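To make the raw audit messages Beartooth pasted easier to read, here is an added example (not from the thread, and not setroubleshoot's own code) that correlates each AVC denial with its SYSCALL record by audit event id and decodes the mmap2 arguments. For the arora record it shows what was actually requested: no address hint (a0=0), 0x7000 bytes, read/write, and no MAP_FIXED. The second record pair in the sample (pid 4242, comm "demo") is constructed to show the contrasting case of an explicit fixed low-address request and comes from no real system; the flag values are the x86 ones from the kernel's mman headers.

```python
"""Correlate SELinux AVC denials with their SYSCALL records and decode the mmap
arguments, to triage memprotect/mmap_zero denials like the arora one above."""
import re

# Constructed sample: the arora record pair copied from the thread (sealert's
# interpreted form), plus a made-up pair (pid 4242, comm "demo") that asks for a
# MAP_FIXED mapping at 0x1000; the second pair is not from any real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1366574512.695:480): avc: denied { mmap_zero } for pid=25852 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1366574512.695:480): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=7000 a2=3 a3=4022 items=0 ppid=1 pid=25852 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=arora exe=/usr/bin/arora subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366657032.100:612): avc: denied { mmap_zero } for pid=4242 comm="demo" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1366657032.100:612): arch=i386 syscall=mmap2 success=no exit=EACCES a0=1000 a1=10000 a2=7 a3=32 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=demo exe=/tmp/demo subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# x86 mmap flag and protection bits, from the kernel's mman headers.
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
             0x20: "MAP_ANONYMOUS", 0x100: "MAP_GROWSDOWN",
             0x4000: "MAP_NORESERVE", 0x8000: "MAP_POPULATE"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc: +(granted|denied) +\{ *([^}]*?) *\}")


def decode_bits(value, table):
    """Name the set bits: 0x4022 -> MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    if value & ~sum(table):  # bits this table does not know
        names.append(hex(value & ~sum(table)))
    return "|".join(names) or "0"


def parse_records(text):
    """Group records by audit event id (timestamp, serial), one dict per type."""
    events = {}
    for m in filter(None, map(HEADER_RE.match, text.splitlines())):
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        avc = AVC_RE.search(body) if rtype == "AVC" else None
        if avc:
            fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
        events.setdefault((ts, int(serial)), {})[rtype] = fields
    return events


def triage_mmap_zero(text):
    """One summary dict per mmap_zero denial that has a matching SYSCALL record."""
    out = []
    for (ts, serial), recs in sorted(parse_records(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc) or avc.get("tclass") != "memprotect" \
                or "mmap_zero" not in avc.get("perms", []):
            continue
        addr, length, prot, flags = (int(sc.get(k, "0"), 16)
                                     for k in ("a0", "a1", "a2", "a3"))
        out.append({"serial": serial, "comm": avc["comm"], "pid": int(avc["pid"]),
                    "syscall": sc.get("syscall"), "addr": addr, "length": length,
                    "prot": decode_bits(prot, PROT_BITS),
                    "flags": decode_bits(flags, MAP_FLAGS),
                    # addr 0 without MAP_FIXED means "no preference": a low
                    # address was then the kernel's placement, not a request.
                    "explicit_low_request": bool(flags & 0x10) or addr != 0})
    return out


if __name__ == "__main__":
    for ev in triage_mmap_zero(SAMPLE_LOG):
        print(f"{ev['comm']}[{ev['pid']}] addr={ev['addr']:#x} len={ev['length']:#x}"
              f" {ev['prot']} {ev['flags']} explicit={ev['explicit_low_request']}")
```

On a live system, feed it the output of `ausearch -i -m AVC,SYSCALL` instead of the embedded sample; the interpreted form is what both sealert and this parser expect.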
Junk junk@therobinsonfamily.net writes:
It also might be something much more mundane such as a bug in the browser which occurs when you have 100+ tabs open and tries to write to a misaddressed memory region.
It may well be some malloc()-like routine returning 0, saying "no more memory for you buddy" and the code blindly dereferencing that value and causing a write to the 0-page. It is a common error with sloppy coders.
-wolfgang