New AVCs Fedora 17

David Highley dhighley at highley-recommended.com
Thu Dec 6 15:26:23 UTC 2012


There seems to be a slew of AVCs again lately, many of which are over
net_admin, for which we now have many custom modules. Below are the new
ones seen after rebooting a system today. By the way, I'm sure there is
a way to tell when you no longer need the customized modules. Some fixes
come quickly and we know we can remove a module; in general, though, they
hang around until the next system upgrade, where we start from scratch.

There are a couple that we have not fixed, or thought we had fixed.

We already have the rule below in a custom module for rsyslogd, but still
saw this on the reboot.
#============= syslogd_t ==============
allow syslogd_t proc_net_t:file read;

This issue seems to involve Gnome; it is not quite the one our
customization fixes.
#============= xdm_t ==============
allow xdm_t default_t:lnk_file read;


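# Local policy module built from the AVC denials quoted below (audit2allow
# output, annotated). Every rule here widens what a confined domain may do,
# so each one is tied to the denial that produced it. A denial that the
# application tolerates (the syscall fails for another reason anyway) is
# silenced with dontaudit rather than granted with allow. Re-check each rule
# after every distribution policy update, since upstream fixes make local
# modules redundant and they otherwise linger until the next reinstall.
module junk 1.0;

require {
	type sendmail_t;
	type syslogd_t;
	type default_t;
	type xdm_t;
	type var_yp_t;
	type sshdfilter_t;
	type ypbind_t;
	type passwd_file_t;
	type proc_net_t;
	type httpd_t;
	class process execmem;
	class capability net_admin;
	class tcp_socket create;
	class file read;
	class lnk_file read;
	class dir search;
}

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_execmem'
# The denial is a java process running in httpd_t asking for writable and
# executable anonymous memory (mmap, a2=7 = PROT_READ|PROT_WRITE|PROT_EXEC).
# The supported knob is the boolean (setsebool -P httpd_execmem on); a local
# allow duplicates it and hides the decision from getsebool. Kept here so the
# module matches what was loaded, but prefer the boolean.
allow httpd_t self:process execmem;

#============= sendmail_t ==============
# The matching SYSCALL records are ioctl (syscall=16) with a1=8933
# (SIOCGIFINDEX) and exit=-19 (ENODEV), not EACCES: the interface lookup
# fails on its own and the capability check only produces noise. net_admin
# would let sendmail reconfigure the network stack, so silence the denial
# instead of granting the capability.
dontaudit sendmail_t self:capability net_admin;

#============= sshdfilter_t ==============
# All three denials come from a shell (comm="sh", exe="/usr/bin/bash")
# started by sshdfilter: it reads /etc/passwd, searches /var/yp and creates
# a TCP socket (socket() with a0=2 a1=1 a2=6: AF_INET, SOCK_STREAM, TCP).
# NOTE(review): this looks like an NIS-backed user lookup from the helper
# script - confirm against the script before keeping the socket rule, which
# is the broadest of the three.
allow sshdfilter_t passwd_file_t:file read;
allow sshdfilter_t self:tcp_socket create;
allow sshdfilter_t var_yp_t:dir search;

#============= syslogd_t ==============
# rsyslogd running access(2) with R_OK on /proc/net/unix (name="unix",
# dev="proc", proc_net_t). Read-only view of the kernel's Unix socket table.
# The same rule is already carried in another local module; the overlap is
# harmless, but drop one copy once the distribution policy covers it.
allow syslogd_t proc_net_t:file read;

#============= xdm_t ==============
# gnome-shell running as uid 42 in xdm_t reads symlinks named after user
# accounts that carry default_t with an unconfined_u owner. default_t means
# no file-context rule matched the path, so the cleaner fix is a file-context
# entry plus restorecon on those links to give them a real type, rather than
# letting the display manager read every default_t link on the system.
allow xdm_t default_t:lnk_file read;

#============= ypbind_t ==============
# Same /proc/net/unix access check as syslogd_t above, from ypbind.
allow ypbind_t proc_net_t:file read;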


----
time->Thu Dec  6 06:10:34 2012
type=SYSCALL msg=audit(1354803034.037:18): arch=c000003e syscall=21 success=no exit=-13 a0=7fff6d855e60 a1=4 a2=7fff6d855e6e a3=1c items=0 ppid=1 pid=833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1354803034.037:18): avc:  denied  { read } for  pid=833 comm="rsyslogd" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Dec  6 06:10:41 2012
type=SYSCALL msg=audit(1354803041.423:50): arch=c000003e syscall=21 success=no exit=-13 a0=7ffff7f5b7d0 a1=4 a2=7ffff7f5b7de a3=1c items=0 ppid=1 pid=1068 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ypbind" exe="/usr/sbin/ypbind" subj=system_u:system_r:ypbind_t:s0 key=(null)
type=AVC msg=audit(1354803041.423:50): avc:  denied  { read } for  pid=1068 comm="ypbind" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Dec  6 06:10:44 2012
type=SYSCALL msg=audit(1354803044.071:94): arch=c000003e syscall=16 success=no exit=-19 a0=4 a1=8933 a2=7fff0638b000 a3=1c items=0 ppid=1 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1354803044.071:94): avc:  denied  { net_admin } for  pid=1281 comm="sendmail" capability=12  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.200:57): arch=c000003e syscall=16 success=no exit=-19 a0=4 a1=8933 a2=7fff07197d80 a3=1c items=0 ppid=1 pid=1087 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1354803042.200:57): avc:  denied  { net_admin } for  pid=1087 comm="sendmail" capability=12  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.424:59): arch=c000003e syscall=9 success=no exit=-13 a0=7fe5bd000000 a1=270000 a2=7 a3=32 items=0 ppid=1 pid=1107 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354803042.424:59): avc:  denied  { execmem } for  pid=1107 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.975:64): arch=c000003e syscall=2 success=no exit=-13 a0=7fb87ddd76ca a1=80000 a2=1b6 a3=238 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.975:64): avc:  denied  { read } for  pid=1206 comm="sh" name="passwd" dev="dm-1" ino=140024 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.975:65): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9cd586f8 a1=0 a2=7fff9cd58721 a3=7fff9cd58470 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.975:65): avc:  denied  { search } for  pid=1206 comm="sh" name="yp" dev="dm-1" ino=346 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.975:66): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.975:66): avc:  denied  { create } for  pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.975:67): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.975:67): avc:  denied  { create } for  pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.975:68): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.975:68): avc:  denied  { create } for  pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.975:69): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.975:69): avc:  denied  { create } for  pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.978:70): arch=c000003e syscall=2 success=no exit=-13 a0=7fab786b76ca a1=80000 a2=1b6 a3=238 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.978:70): avc:  denied  { read } for  pid=1210 comm="sh" name="passwd" dev="dm-1" ino=140024 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.978:71): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3d234438 a1=0 a2=7fff3d234461 a3=7fff3d2341b0 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.978:71): avc:  denied  { search } for  pid=1210 comm="sh" name="yp" dev="dm-1" ino=346 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.978:72): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.978:72): avc:  denied  { create } for  pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.978:73): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.978:73): avc:  denied  { create } for  pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.978:74): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.978:74): avc:  denied  { create } for  pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:42 2012
type=SYSCALL msg=audit(1354803042.978:75): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null)
type=AVC msg=audit(1354803042.978:75): avc:  denied  { create } for  pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket
----
time->Thu Dec  6 06:10:58 2012
type=SYSCALL msg=audit(1354803058.098:114): arch=c000003e syscall=21 success=no exit=-13 a0=1a99c70 a1=0 a2=1dfb770 a3=7fff939317d0 items=0 ppid=1656 pid=1739 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1354803058.098:114): avc:  denied  { read } for  pid=1739 comm="gnome-shell" name="dhighley" dev="dm-1" ino=3014658 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
----
time->Thu Dec  6 06:10:58 2012
type=SYSCALL msg=audit(1354803058.110:115): arch=c000003e syscall=21 success=no exit=-13 a0=2049b20 a1=0 a2=7f749c002b20 a3=7fff939317d0 items=0 ppid=1656 pid=1739 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1354803058.110:115): avc:  denied  { read } for  pid=1739 comm="gnome-shell" name="mhighley" dev="dm-1" ino=3014659 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
----
time->Thu Dec  6 06:10:58 2012
type=SYSCALL msg=audit(1354803058.111:116): arch=c000003e syscall=21 success=no exit=-13 a0=2075400 a1=0 a2=7f749c002b20 a3=7fff93933c60 items=0 ppid=1656 pid=1739 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1354803058.111:116): avc:  denied  { read } for  pid=1739 comm="gnome-shell" name="mhighley" dev="dm-1" ino=3014659 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file

