F13: nautilus & mmap
Daniel B. Thurman
dant at cdkkt.com
Tue Dec 14 23:41:18 UTC 2010
On 12/14/2010 03:35 PM, Dominick Grift wrote:
> On 12/15/2010 12:32 AM, Daniel B. Thurman wrote:
> > On 12/14/2010 02:45 PM, Daniel J Walsh wrote:
> >> On 12/14/2010 05:02 PM, Daniel B. Thurman wrote:
> >>
> >>> Not sure what this means, but it sound omimous...
> >>> Using the latest updates.
> >>
> >>> ==================================================
> >>> Summary:
> >>
> >>> Your system may be seriously compromised! /usr/bin/nautilus (deleted)
> >>> attempted
> >>> to mmap low kernel memory.
> >>
> >>> Detailed Description:
> >>
> >>> SELinux has denied the nautilus the ability to mmap low area of the
> >> kernel
> >>> address space. The ability to mmap a low area of the address space, as
> >>> configured by /proc/sys/kernel/mmap_min_addr. Preventing such
> >> mappings helps
> >>> protect against exploiting null deref bugs in the kernel. All
> >>> applications that
> >>> need this access should have already had policy written for them. If a
> >>> compromised application tries modify the kernel this AVC would be
> >> generated.
> >>> This is a serious issue. Your system may very well be compromised.
> >>
> >>> Allowing Access:
> >>
> >>> Contact your security administrator and report this issue.
> >>
> >>> Additional Information:
> >>
> >>> Source Context
> >>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> >>> 023
> >>> Target Context
> >>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> >>> 023
> >>> Target Objects None [ memprotect ]
> >>> Source nautilus
> >>> Source Path /usr/bin/nautilus (deleted)
> >>> Port <Unknown>
> >>> Host (removed)
> >>> Source RPM Packages
> >>> Target RPM Packages
> >>> Policy RPM selinux-policy-3.7.19-74.fc13
> >>> Selinux Enabled True
> >>> Policy Type targeted
> >>> Enforcing Mode Enforcing
> >>> Plugin Name mmap_zero
> >>> Host Name (removed)
> >>> Platform Linux <host>.<domain>.com
> >>> 2.6.34.7-61.fc13.i686 #1 SMP
> >>> Tue Oct 19 04:42:47 UTC 2010 i686 i686
> >>> Alert Count 1186
> >>> First Seen Thu 09 Dec 2010 12:08:59 PM PST
> >>> Last Seen Thu 09 Dec 2010 12:13:09 PM PST
> >>> Local ID aba9eed1-e6cf-48cb-80c4-88ccf2d90f43
> >>> Line Numbers
> >>
> >>> Raw Audit Messages
> >>
> >>> node=<host>.<domain>.com type=AVC msg=audit(1291925589.462:92406):
> avc:
> >>> denied { mmap_zero } for pid=26679 comm="nautilus"
> >>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >>> tclass=memprotect
> >>
> >>> node=<host>.<domain>.com type=SYSCALL msg=audit(1291925589.462:92406):
> >>> arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=a000 a2=3 a3=22
> >>> items=0 ppid=2663 pid=26679 auid=500 uid=500 gid=500 euid=500 suid=500
> >>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus"
> >>> exe=2F7573722F62696E2F6E617574696C7573202864656C6574656429
> >>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >>
> >>
> >>> --
> >>> selinux mailing list
> >>> selinux at lists.fedoraproject.org
> >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>
> >>
> >> THis is bad. I have no idea why it would need this and it should be
> >> denied. Did you try to execute a wine app?
> >>
> >>
> > Uh, I don't remember if I did, is there a way to tell if I did?
>
> > I have another related one, should I post it together with this
> > one or open a new post? It is a Nautilus problem as well.
>
> use this thread. nautilus (most likely) should not be doing this
> somethings wrong here, question remains is it a bug in nautilus or an
> intrusion attempt (nautilus compromised), in my personal opinion.
OK, I added the other selinux error as a reply to my original posting.
I have no idea if it is a bug or an intrusion, but this system I am
on is not exposed AFAIK to the Internet, it is also behind a firewall
if that means anything...
More information about the selinux
mailing list