F13: nautilus & mmap
Daniel B. Thurman
dant at cdkkt.com
Tue Dec 14 23:38:45 UTC 2010
On 12/14/2010 02:02 PM, Daniel B. Thurman wrote:
> Not sure what this means, but it sounds ominous...
> Using the latest updates.
>
> ==================================================
> Summary:
>
> Your system may be seriously compromised! /usr/bin/nautilus (deleted) attempted
> to mmap low kernel memory.
>
> Detailed Description:
>
> SELinux has denied the nautilus the ability to mmap low area of the kernel
> address space. The ability to mmap a low area of the address space, as
> configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
> protect against exploiting null deref bugs in the kernel. All applications that
> need this access should have already had policy written for them. If a
> compromised application tries modify the kernel this AVC would be generated.
> This is a serious issue. Your system may very well be compromised.
>
> Allowing Access:
>
> Contact your security administrator and report this issue.
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                None [ memprotect ]
> Source                        nautilus
> Source Path                   /usr/bin/nautilus (deleted)
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.7.19-74.fc13
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   mmap_zero
> Host Name                     (removed)
> Platform                      Linux <host>.<domain>.com 2.6.34.7-61.fc13.i686 #1 SMP
>                               Tue Oct 19 04:42:47 UTC 2010 i686 i686
> Alert Count                   1186
> First Seen                    Thu 09 Dec 2010 12:08:59 PM PST
> Last Seen                     Thu 09 Dec 2010 12:13:09 PM PST
> Local ID                      aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
> Line Numbers
>
> Raw Audit Messages
>
> node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406): avc:
> denied { mmap_zero } for pid=26679 comm="nautilus"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=memprotect
>
> node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
> items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
> exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
This selinux error also comes up with the above:
====================================================
Summary:

SELinux is preventing /usr/bin/nautilus "mmap_zero" access on <Unknown>.

Detailed Description:

SELinux denied access requested by nautilus. The current boolean settings do not
allow this access. If you have not setup nautilus to require this access this
may signal an intrusion attempt. If you do intend this access you need to change
the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux
provides booleans to allow you to turn on/off access as needed. The boolean
mmap_low_allowed is set incorrectly.

Boolean Description:

Allow certain domains to map low memory in the kernel

Fix Command:

# setsebool -P mmap_low_allowed 1

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ memprotect ]
Source                        nautilus
Source Path                   /usr/bin/nautilus
Port                          <Unknown>
Host                          <host>.<domain>.com
Source RPM Packages           nautilus-2.30.1-6.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-74.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     <host>.<domain>.com
Platform                      Linux <host>.<domain>.com 2.6.34.7-63.fc13.i686 #1 SMP
                              Fri Dec 3 12:35:44 UTC 2010 i686 i686
Alert Count                   1543
First Seen                    Mon 13 Dec 2010 02:44:43 PM PST
Last Seen                     Mon 13 Dec 2010 02:54:42 PM PST
Local ID                      f035f5c8-ea23-4496-a9cd-8eab88c60842
Line Numbers

Raw Audit Messages
node=<host>.<domain>.com type=AVC msg=audit(1292280882.565:140615):
avc: denied { mmap_zero } for pid=12468 comm="nautilus"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=memprotect
node=<host>.<domain>.com type=SYSCALL msg=audit(1292280882.565:140615):
arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000 a2=3 a3=22
items=0 ppid=2553 pid=12468 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
exe="/usr/bin/nautilus"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
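
For triage, the SYSCALL records in both reports can be decoded field by field. The following is an added example, not part of the original post: it decodes the hex-encoded `exe=` value and the `mmap2` arguments (`a0`..`a3`), using the Linux x86 constant values; the function names and the rejoined sample lines are constructed for illustration.

```python
import re

# Constructed sample: the two SYSCALL records from the reports above, rejoined onto single lines.
SAMPLE = [
    'type=SYSCALL msg=audit(1291925589.462:92406): arch=40000003 syscall=192 '
    'success=no exit=-13 a0=0 a1=a000 a2=3 a3=22 pid=26679 comm="nautilus" '
    'exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429',
    'type=SYSCALL msg=audit(1292280882.565:140615): arch=40000003 syscall=192 '
    'success=no exit=-13 a0=0 a1=1000 a2=3 a3=22 pid=12468 comm="nautilus" '
    'exe="/usr/bin/nautilus"',
]

# Linux x86 values from <sys/mman.h>
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def flags(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def decode_field(raw):
    """auditd writes strings with spaces or control bytes as unquoted hex."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # unquoted but not hex, e.g. (none)

def decode_mmap2(record):
    """Hypothetical helper: decode one i386 mmap2 SYSCALL audit record."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    # arch=40000003 is AUDIT_ARCH_I386, where syscall 192 is mmap2
    if f.get("arch") != "40000003" or f.get("syscall") != "192":
        raise ValueError("not an i386 mmap2 record")
    a = [int(f["a%d" % i], 16) for i in range(4)]  # a0..a3 are logged in hex
    return {
        "exe": decode_field(f["exe"]),
        "addr": a[0], "length": a[1],
        "prot": flags(a[2], PROT), "flags": flags(a[3], MAP),
        "errno": -int(f["exit"]),  # exit is decimal; 13 is EACCES
    }
```

Both records decode to a read/write, private anonymous mapping with a zero address argument and no MAP_FIXED, which means the address was passed as a hint for the kernel to choose rather than as a fixed request for page zero.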