Denied avcs

Antonio Olivares olivares14031 at yahoo.com
Thu Oct 16 11:40:55 UTC 2008


Dear fellow testers and selinux experts,

I have encountered several avcs.  I want to ask you for advice before applying the suggested fixes.


Summary:

SELinux is preventing knotify4 from making the program stack executable.

Detailed Description:

The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/knotify4'" You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/bin/knotify4'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        knotify4
Source Path                   /usr/bin/knotify4
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           kdebase-runtime-4.1.2-3.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.10-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
                              01:26:26 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 16 Oct 2008 06:33:56 AM CDT
Last Seen                     Thu 16 Oct 2008 06:33:56 AM CDT
Local ID                      d2171be2-9d07-43e0-83bf-95f7f3e5e666
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1224156836.173:93): avc:  denied  { execstack } for  pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)




Summary:

SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.

Detailed Description:

SELinux denied access requested by hal-acl-tool. It is not expected that this
access is required by hal-acl-tool and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:hald_acl_t:s0
Target Context                system_u:system_r:hald_acl_t:s0
Target Objects                None [ capability ]
Source                        hal-acl-tool
Source Path                   /usr/libexec/hal-acl-tool
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           hal-0.5.12-3.20081013git.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.10-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
                              01:26:26 EDT 2008 i686 athlon
Alert Count                   73
First Seen                    Sat 04 Oct 2008 11:10:27 AM CDT
Last Seen                     Thu 16 Oct 2008 06:33:03 AM CDT
Local ID                      16181f84-ddf2-4510-bd51-aef5ff647a63
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1224156783.891:89): avc:  denied  { sys_resource } for  pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 items=0 ppid=1834 pid=2568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)



Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           ConsoleKit-0.3.0-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.10-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
                              01:26:26 EDT 2008 i686 athlon
Alert Count                   87
First Seen                    Fri 03 Oct 2008 06:14:33 PM CDT
Last Seen                     Thu 16 Oct 2008 06:33:02 AM CDT
Local ID                      0c8f36ea-d6b2-4646-ba59-1cdf5e6a0ee0
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1224156782.948:86): avc:  denied  { sys_resource } for  pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 a3=8c4b790 items=0 ppid=1 pid=1770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)



I had not encountered these ones before.  And before applying the fixes, I will ask if no one has encountered these ones before.

TIA,


Antonio 



      




More information about the test mailing list