F13: nautilus & mmap

Dominick Grift domg472 at gmail.com
Tue Dec 14 23:35:40 UTC 2010



On 12/15/2010 12:32 AM, Daniel B. Thurman wrote:
> On 12/14/2010 02:45 PM, Daniel J Walsh wrote:
>> On 12/14/2010 05:02 PM, Daniel B. Thurman wrote:
>>
>>> Not sure what this means, but it sounds ominous...
>>> Using the latest updates.
>>
>>> ==================================================
>>> Summary:
>>
>>> Your system may be seriously compromised! /usr/bin/nautilus (deleted)
>>> attempted
>>> to mmap low kernel memory.
>>
>>> Detailed Description:
>>
>>> SELinux has denied the nautilus the ability to mmap low area of the
>> kernel
>>> address space. The ability to mmap a low area of the address space, as
>>> configured by /proc/sys/kernel/mmap_min_addr. Preventing such
>> mappings helps
>>> protect against exploiting null deref bugs in the kernel. All
>>> applications that
>>> need this access should have already had policy written for them. If a
>>> compromised application tries modify the kernel this AVC would be
>> generated.
>>> This is a serious issue. Your system may very well be compromised.
>>
>>> Allowing Access:
>>
>>> Contact your security administrator and report this issue.
>>
>>> Additional Information:
>>
>>> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> Target Objects                None [ memprotect ]
>>> Source                        nautilus
>>> Source Path                   /usr/bin/nautilus (deleted)
>>> Port                          <Unknown>
>>> Host                          (removed)
>>> Source RPM Packages          
>>> Target RPM Packages          
>>> Policy RPM                    selinux-policy-3.7.19-74.fc13
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   mmap_zero
>>> Host Name                     (removed)
>>> Platform                      Linux <host>.<domain>.com 2.6.34.7-61.fc13.i686 #1 SMP Tue Oct 19 04:42:47 UTC 2010 i686 i686
>>> Alert Count                   1186
>>> First Seen                    Thu 09 Dec 2010 12:08:59 PM PST
>>> Last Seen                     Thu 09 Dec 2010 12:13:09 PM PST
>>> Local ID                      aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
>>> Line Numbers                 
>>
>>> Raw Audit Messages           
>>
>>> node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc:
>>> denied  { mmap_zero } for  pid=26679 comm="nautilus"
>>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> tclass=memprotect
>>
>>> node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
>>> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
>>> items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
>>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
>>> exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>
>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> This is bad.  I have no idea why it would need this and it should be
>> denied.  Did you try to execute a wine app?
>>
>>
> Uh, I don't remember if I did, is there a way to tell if I did?
> 
> I have another related one, should I post it together with this
> one or open a new post?  It is a Nautilus problem as well.

Use this thread. Nautilus (most likely) should not be doing this;
something's wrong here. The question that remains is whether it is a bug in
nautilus or an intrusion attempt (nautilus compromised), in my personal opinion.
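As an added illustration (not code from the thread or from setroubleshoot), a small Python triage helper that reads the raw AVC and SYSCALL records quoted above: it pairs the two records by their audit serial, decodes the hex-encoded exe field, names the i386 syscall and the mmap2 arguments, and checks the requested address against mmap_min_addr. The mmap_min_addr value is an assumption here; the real one comes from /proc/sys/kernel/mmap_min_addr on the affected host.

```python
import re

# Raw AVC and SYSCALL records copied from the alert above, re-joined onto one line each.
AVC = ('node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc: denied  { mmap_zero } '
       'for  pid=26679 comm="nautilus" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect')
SYSCALL = ('node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406): arch=40000003 '
           'syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22 items=0 ppid=2663 pid=26679 '
           'auid=500 uid=500 comm="nautilus" exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429 '
           'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)')

I386_SYSCALLS = {192: "mmap2"}  # arch=40000003 is AUDIT_ARCH_I386; only this alert's number is listed
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
ERRNO = {-13: "EACCES"}
MMAP_MIN_ADDR = 0x10000  # assumed; read /proc/sys/kernel/mmap_min_addr on the affected host

def parse_fields(record):
    """Split an audit record into key/value pairs, keeping quotes so encoding can be told apart."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def decode_audit_string(value):
    """auditd quotes plain strings and hex-encodes ones containing spaces or quotes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def triage(avc_line, syscall_line):
    """Join the two records by audit serial and explain what the denied call asked for."""
    avc, sc = parse_fields(avc_line), parse_fields(syscall_line)
    assert avc["msg"] == sc["msg"], "records belong to different audit events"
    addr, length, prot, flags = (int(sc[k], 16) for k in ("a0", "a1", "a2", "a3"))  # args are hex
    exe = decode_audit_string(sc["exe"])
    return {
        "denied": re.search(r'\{ (\w+) \}', avc_line).group(1),
        "syscall": I386_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "addr": addr, "length": length,
        "prot": flag_names(prot, PROT_BITS), "flags": flag_names(flags, MAP_BITS),
        "errno": ERRNO.get(int(sc["exit"]), sc["exit"]),
        "exe": exe,
        "below_mmap_min_addr": addr < MMAP_MIN_ADDR,
        # "(deleted)" means the binary's path was unlinked after exec (e.g. a package update while
        # nautilus kept running); verify the on-disk file against the package database either way.
        "exe_unlinked_since_exec": exe.endswith("(deleted)"),
    }
```

For this alert the helper reports an anonymous, private, read/write mmap2 of 0xa000 bytes at address 0, refused with EACCES, from an executable whose path no longer exists on disk.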


