Who? Me?? Attacked???
Beartooth
beartooth at comcast.net
Tue Apr 23 18:30:07 UTC 2013
On Tue, 23 Apr 2013 17:44:33 +0100, Junk wrote:
> On 23 Apr 2013, at 17:10, Beartooth <beartooth at comcast.net> wrote:
>
>> On Mon, 22 Apr 2013 16:40:19 +0800, Ed Greshko wrote:
>> [....]
>>> The only thing worse than a poorly asked question is a cryptic answer.
>>
>> OK, first off, I'm the OP.
>>
>> I suppose I should be flattered at being addressed as if I were
>> an Alpha Plus Technoid; but I'm not one. I'm just an old twice-retired
>> bookworm, running Fedora because there's more and better help online
>> for it than for anything else I've tried (most of the well-known
>> distros), and because I began back in '98 with RedHat. I can't imagine
>> anything I have being of interest to an intruder.
>>
>>
> You're right. They probably aren't interested in what you have. They might
> be interested in taking over your machine as part of a botnet though. A
> large number of attacks are now automated against wide ranges of devices.
Well, yes, I suppose some bad guy wanting only lots of machines,
any machines, might like mine, too.
>> All the replies in this thread so far have been way over my head.
>> The one thing I gather some of you want is the error message from SEL,
>> verbatim. I don't have it; I presume it's in some log somewhere, but I
>> have no idea how to find that log.
>>
>>
> Try sealert -a /var/log/audit/audit.log
[root@Hbsk2 ~]# sealert -a /var/log/audit/audit.log
12% done[Errno 2] No such file or directory: 'wine-preloader'
100% donefound 3 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
[snip]
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect .

*****  Plugin mmap_zero (53.1 confidence) suggests  **************************

If you do not think /usr/bin/arora should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to mmap_low_allowed
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean.
You can read 'unconfined_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that arora should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep arora /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                [ memprotect ]
Source                        arora
Source Path                   /usr/bin/arora
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           arora-0.11.0-4.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hbsk2.hsd1.va.comcast.net
Platform                      Linux Hbsk2.hsd1.va.comcast.net 3.8.4-102.fc17.i686.PAE #1 SMP Sun Mar 24 13:15:17 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-04-21 16:01:52 EDT
Last Seen                     2013-04-21 16:01:52 EDT
Local ID                      fedad9e7-5ad4-49b0-a517-15a1e9efd7d4

Raw Audit Messages
type=AVC msg=audit(1366574512.695:480): avc: denied { mmap_zero } for pid=25852 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1366574512.695:480): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=7000 a2=3 a3=4022 items=0 ppid=1 pid=25852 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=arora exe=/usr/bin/arora subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: arora,unconfined_t,unconfined_t,memprotect,mmap_zero

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_t self:memprotect mmap_zero;

[root@Hbsk2 ~]#
--------------------------------------------------------------------------------
> Or
>
> grep setroubleshoot /var/log/messages
>
> There will have been a full report in the graphical tool that initially
> warned you but these should give the same result.
They don't -- this one gets
[root@Hbsk2 ~]# grep setroubleshoot /var/log/messages
Apr 21 16:02:00 Hbsk2 setroubleshoot: SELinux is preventing /usr/bin/arora from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 6805396b-b8d1-4368-9356-aef00cbb2e43
Apr 22 14:57:12 Hbsk2 setroubleshoot: Plugin Exception wine
Apr 22 14:57:12 Hbsk2 setroubleshoot: SELinux is preventing wine-preloader from mmap_zero access on the memprotect . For complete SELinux messages. run sealert -l 78752ead-8351-4d64-a04d-a2f500d942cd
[root@Hbsk2 ~]#
--
Beartooth Staffwright, Neo-Redneck Not Quite Clueless Power User
Remember I have precious (very precious!) little idea where up is.
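The sealert report above is setroubleshoot's reading of one AVC/SYSCALL pair from audit.log. The script below is an added example, not part of the thread and not setroubleshoot's or the audit package's own code: it does the same pairing by hand with POSIX sh and awk, so the "which program, which address, how many bytes" question can be answered on a box where sealert is not installed or, as in the thread, chokes on one of the alerts. The sample input is constructed from the AVC and SYSCALL records quoted in the thread (in sealert's interpreted form; a raw audit.log shows numeric arch, syscall and exit values in their place, which the parser handles the same way). The `mmap_min_addr` helper reads a real sysctl file and is labelled as returning "unknown" where it is absent.

```shell
#!/bin/sh
# Added example (not from the thread): pair SELinux "mmap_zero" AVC denials with
# the SYSCALL record of the same audit event and report who asked for what.
# Reads audit.log-style records on stdin; prints "SERIAL COMM EXE addr=0x.. len=0x..".

# Constructed sample input: the AVC/SYSCALL pair quoted in the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1366574512.695:480): avc: denied { mmap_zero } for pid=25852 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
type=SYSCALL msg=audit(1366574512.695:480): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=7000 a2=3 a3=4022 items=0 ppid=1 pid=25852 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=arora exe=/usr/bin/arora subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)'

mmap_zero_triage() {
  awk '
    # Value of key=... in an audit record; the value may be quoted ("...") or bare.
    # A leading space is prepended so "pid=" cannot match inside "ppid=".
    function field(rec, key,    s) {
      s = " " rec
      if (match(s, " " key "=\"[^\"]*\""))
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      if (match(s, " " key "=[^ ]*"))
        return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
      return "?"
    }
    # Event serial N from "msg=audit(TIMESTAMP:N):"; AVC and SYSCALL records of
    # one event share it, which is how they are joined here.
    function serial(rec) {
      if (match(rec, /:[0-9]+\):/)) return substr(rec, RSTART + 1, RLENGTH - 3)
      return "?"
    }
    /^type=AVC / && /[{] mmap_zero [}]/ { avc[serial($0)] = field($0, "comm") }
    /^type=SYSCALL / {
      n = serial($0)
      exe[n] = field($0, "exe"); a0[n] = field($0, "a0"); a1[n] = field($0, "a1")
    }
    END {
      # a0 and a1 are the mmap address and length arguments, logged in hex.
      for (n in avc)
        printf "%s %s %s addr=0x%s len=0x%s\n", n, avc[n], exe[n], a0[n], a1[n]
    }
  ' | sort -n
}

# Kernel-side floor for user mappings, enforced whether or not SELinux is
# enforcing (Fedora sets it to 65536). "unknown" where the sysctl file is
# not readable, e.g. when run outside Linux.
mmap_min_addr() {
  if [ -r /proc/sys/vm/mmap_min_addr ]; then
    cat /proc/sys/vm/mmap_min_addr
  else
    echo unknown
  fi
}

printf '%s\n' "$SAMPLE_AUDIT" | mmap_zero_triage
echo "vm.mmap_min_addr=$(mmap_min_addr)"
```

On the thread's records this prints `480 arora /usr/bin/arora addr=0x0 len=0x7000`: the browser asked for seven 4 KiB pages starting at address 0, read/write (a2=3 is PROT_READ|PROT_WRITE), and got EACCES. mmap_zero is the SELinux permission for mapping memory below vm.mmap_min_addr. Being able to map the zero page is what turns a kernel NULL-pointer dereference into something a user process can exploit, which is why the mmap_zero plugin scores the event as a possible attack; the established legitimate users are emulators such as Wine, which need low addresses for 16-bit and DOS code, and the second alert in the thread is indeed wine-preloader. `setsebool -P mmap_low_allowed 1` lifts the check for every unconfined process on the machine, and the audit2allow module sealert offers does the same through policy, so neither is a per-application fix; `getsebool mmap_low_allowed` shows the current setting before you change it.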