unix_stream_socket AVC

Arthur Dent misc.lists at blueyonder.co.uk
Thu Sep 1 08:33:22 UTC 2011


Hello all,

I did my monthly yum update on my F15 server yesterday. It brought down
a bunch of updates including selinux-policy-3.9.16-35.fc15.noarch and
selinux-policy-targeted-3.9.16-35.fc15.noarch.

Since then I have been getting several AVCs related to
"unix_stream_socket". They break into 2 types:

SELinux is preventing /usr/libexec/fprintd from 'read, write' accesses
on the unix_stream_socket unix_stream_socket.

and

SELinux is preventing /usr/sbin/sendmail.sendmail from 'read, write'
accesses on the unix_stream_socket unix_stream_socket.

I detail one example of each below.

What should I do about these? I have no idea what might be causing
them...

Thanks

Mark

==================8<=============================================


SELinux is preventing /usr/libexec/fprintd from 'read, write' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that fprintd should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore fprintd trying to read write access the unix_stream_socket unix_stream_socket, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/libexec/fprintd /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          troodos.org.uk
Source RPM Packages           fprintd-0.2.0-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     troodos.org.uk
Platform                      Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1
                              SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
Alert Count                   8
First Seen                    Tue Aug 30 10:17:09 2011
Last Seen                     Thu Sep  1 09:14:32 2011
Local ID                      f5ca1075-789c-4c8f-971d-8919dd496044

Raw Audit Messages
type=AVC msg=audit(1314864872.594:5072): avc:  denied  { read write } for  pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket


type=AVC msg=audit(1314864872.594:5072): avc:  denied  { read write } for  pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008 a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash: fprintd,fprintd_t,init_t,unix_stream_socket,read,write

audit2allow

#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket { read write };

audit2allow -R

#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket { read write };


==================8<=============================================


SELinux is preventing /usr/sbin/sendmail.sendmail from 'read, write' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that sendmail.sendmail should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore sendmail.sendmail trying to read write access the unix_stream_socket unix_stream_socket, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          troodos.org.uk
Source RPM Packages           sendmail-8.14.5-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     troodos.org.uk
Platform                      Linux troodos.org.uk 2.6.40.3-0.fc15.i686.PAE #1
                              SMP Tue Aug 16 04:17:30 UTC 2011 i686 i686
Alert Count                   14
First Seen                    Wed Aug 31 02:20:01 2011
Last Seen                     Thu Sep  1 06:40:01 2011
Local ID                      45c301bb-43a3-4b46-b23b-549d56586333

Raw Audit Messages
type=AVC msg=audit(1314855601.515:4541): avc:  denied  { read write } for  pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket


type=AVC msg=audit(1314855601.515:4541): avc:  denied  { read write } for  pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8 a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51 fsgid=51 tty=(none) ses=634 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: sendmail,system_mail_t,init_t,unix_stream_socket,read,write

audit2allow

#============= system_mail_t ==============
allow system_mail_t init_t:unix_stream_socket { read write };

audit2allow -R

#============= system_mail_t ==============
allow system_mail_t init_t:unix_stream_socket { read write };
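
Worked through the raw records above, as an added example (my own code, not the poster's, and not setroubleshoot's or audit2allow's implementation): the script merges the denials into allow rules the way audit2allow does, joins each AVC record to its SYSCALL record by the audit serial, and separates the pattern the "leaks" plugin is describing (a socket-class object labelled with a type other than the process's own, denied on the execve itself, i.e. a descriptor inherited from the parent) from a genuine missing permission. The sample records are copied verbatim from the report; the FD_CLASSES set and the leak heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records copied from the report above.
# The duplicate fprintd AVC line setroubleshoot printed is kept on purpose so
# the merge step has something to merge.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1314864872.594:5072): avc:  denied  { read write } for  pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1314864872.594:5072): avc:  denied  { read write } for  pid=27863 comm="fprintd" path="socket:[14520]" dev=sockfs ino=14520 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314864872.594:5072): arch=i386 syscall=execve success=yes exit=0 a0=83a3bc0 a1=83a34e0 a2=83a3008 a3=83a61c0 items=0 ppid=27862 pid=27863 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1314855601.515:4541): avc:  denied  { read write } for  pid=26981 comm="sendmail" path="socket:[13124]" dev=sockfs ino=13124 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1314855601.515:4541): arch=i386 syscall=execve success=yes exit=0 a0=bfaa897c a1=bfaa67c8 a2=bfae8fd0 a3=bfae8fd0 items=0 ppid=26963 pid=26981 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=51 sgid=51 fsgid=51 tty=(none) ses=634 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\).*?\bsyscall=(?P<name>\w+)'
)


def type_of(ctx):
    """user:role:type[:range] -> type, the part allow rules are written in."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'sdomain': type_of(fields['scontext']),
        'tdomain': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def syscalls_by_serial(lines):
    """Map audit event serial -> syscall name, so an AVC can be tied to the
    syscall that triggered it (both records share the serial)."""
    out = {}
    for ln in lines:
        m = SYSCALL_RE.match(ln)
        if m:
            out[int(m.group('serial'))] = m.group('name')
    return out


def merge_denials(lines):
    """Collapse repeated denials into one permission set per
    (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for ln in lines:
        rec = parse_avc(ln)
        if rec and rec['verdict'] == 'denied':
            merged[(rec['sdomain'], rec['tdomain'], rec['tclass'])] |= rec['perms']
    return {k: sorted(v) for k, v in merged.items()}


def format_rule(key, perms, kind='allow'):
    """Render one rule in policy syntax; kind is 'allow' or 'dontaudit'."""
    src, tgt, cls = key
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'{kind} {src} {tgt}:{cls} {body};'


# Assumption of this example: object classes that usually reach a freshly
# exec'd process only as an inherited descriptor.
FD_CLASSES = {'fd', 'unix_stream_socket', 'unix_dgram_socket',
              'tcp_socket', 'udp_socket', 'fifo_file'}


def looks_like_leaked_fd(rec, syscalls):
    """Heuristic: a denial on an fd-like class whose object is labelled with a
    type other than the process's own, logged on the execve itself, is an
    inherited descriptor that was not closed on exec."""
    return (rec['tclass'] in FD_CLASSES
            and rec['sdomain'] != rec['tdomain']
            and syscalls.get(rec['serial']) == 'execve')


def triage(lines):
    """Return {(src, tgt, class): (kind, rule_text)}; kind is 'dontaudit' when
    every denial for that key matches the leak pattern, otherwise 'allow'."""
    syscalls = syscalls_by_serial(lines)
    all_leaks = {}
    for ln in lines:
        rec = parse_avc(ln)
        if not rec or rec['verdict'] != 'denied':
            continue
        key = (rec['sdomain'], rec['tdomain'], rec['tclass'])
        all_leaks[key] = all_leaks.get(key, True) and looks_like_leaked_fd(rec, syscalls)
    result = {}
    for key, perms in merge_denials(lines).items():
        kind = 'dontaudit' if all_leaks[key] else 'allow'
        result[key] = (kind, format_rule(key, perms, kind))
    return result


if __name__ == '__main__':
    for key, (kind, rule) in triage(SAMPLE_AUDIT.splitlines()).items():
        print(f'{kind:9s} {rule}')
```

On a live box the same lines come from `ausearch -m AVC,SYSCALL --raw`, which is also what the `grep ... | audit2allow` commands in the report are consuming. Both sample denials classify as the leak pattern (target type init_t, class unix_stream_socket, on execve), so the script prints dontaudit rules, which is the "leaks" plugin's route. A dontaudit only stops the noise; the descriptor is still inherited, so the actual fix belongs in whatever is leaving the socket open across the exec, which is why that plugin also says to report it as a bug.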

