SELinux kerneloops and dhclient issues
Daniel J Walsh
dwalsh at redhat.com
Mon Sep 8 12:45:59 UTC 2008
Stephen Croll wrote:
> Note: Originally posted to fedora-list.
>
> The "setroubleshoot browser" is reporting the following issues on Fedora 9:
>
> SELinux is preventing kerneloops (kerneloops_t) "signal" to <Unknown>
> (kerneloops_t).
> SELinux is preventing dhclient (dhcpc_t) "read write" to socket
> (unconfined_t).
>
> The first issue occurred on boot, but no longer seems to be happening.
> The second issue occurs when I bring up eth0.
>
> Should I file a bug report, or might there be something more sinister
> going on?
>
> For reference, the complete reports are as follows:
>
> Summary:
>
> SELinux is preventing kerneloops (kerneloops_t) "signal" to <Unknown>
> (kerneloops_t).
>
> Detailed Description:
>
> SELinux denied access requested by kerneloops. It is not expected that this
> access is required by kerneloops and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:kerneloops_t:s0
> Target Context system_u:system_r:kerneloops_t:s0
> Target Objects None [ process ]
> Source kerneloops
> Source Path /usr/sbin/kerneloops
> Port <Unknown>
> Host gerbil
> Source RPM Packages kerneloops-0.11-1.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-84.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gerbil
> Platform Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
> Alert Count 2
> First Seen Sun 07 Sep 2008 03:21:55 AM CDT
> Last Seen Sun 07 Sep 2008 03:21:55 AM CDT
> Local ID fa4c1bd0-faf1-48ba-ba55-74285538ef90
> Line Numbers Raw Audit Messages
> host=gerbil type=AVC msg=audit(1220775715.59:8): avc: denied { signal
> } for pid=2363 comm="kerneloops"
> scontext=system_u:system_r:kerneloops_t:s0
> tcontext=system_u:system_r:kerneloops_t:s0 tclass=process
>
> host=gerbil type=SYSCALL msg=audit(1220775715.59:8): arch=c000003e
> syscall=234 success=no exit=-13 a0=93b a1=93b a2=6 a3=8 items=0 ppid=1
> pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="kerneloops"
> exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0
> key=(null)
>
> -and-
>
> Summary:
>
> SELinux is preventing dhclient (dhcpc_t) "read write" to socket
> (unconfined_t).
>
> Detailed Description:
>
> SELinux denied access requested by dhclient. It is not expected that
> this access
> is required by dhclient and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the
> application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects socket [ unix_stream_socket ]
> Source dhclient
> Source Path /sbin/dhclient
> Port <Unknown>
> Host gerbil
> Source RPM Packages dhclient-4.0.0-14.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-84.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gerbil
> Platform Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
> Alert Count 16
> First Seen Sun 07 Sep 2008 12:56:48 AM CDT
> Last Seen Sun 07 Sep 2008 03:23:07 AM CDT
> Local ID a3b5492a-0ef2-4cc3-bdd0-4c06696bae70
> Line Numbers Raw Audit Messages
> host=gerbil type=AVC msg=audit(1220775787.407:21): avc: denied { read
> write } for pid=3069 comm="dhclient" path="socket:[68728]" dev=sockfs
> ino=68728 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=unix_stream_socket
>
> host=gerbil type=SYSCALL msg=audit(1220775787.407:21): arch=c000003e
> syscall=59 success=yes exit=0 a0=948530 a1=94ad90 a2=8f0d70
> a3=3f48f67a70 items=0 ppid=2970 pid=3069 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dhclient"
> exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> key=(null)
>
kerneloops needing signal is a bug in selinux-policy.
You can allow this for now.
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
Fixed in selinux-policy-3.3.1-89.fc9.noarch
The dhcp_t (/sbin/dhclient) trying to read/write an unconfined_t
unix_stream_socket, is a leaked file descriptor. So it is a bug in some
application that you are using to bring up your network. What app are
you using for this?
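As an added example (not part of the thread), a small Python triage of the raw audit records quoted above that tells the two cases apart: the kerneloops denial, where a local allow rule is a reasonable stopgap until the policy fix lands, and the dhclient denial, where the SYSCALL record shows a successful execve (syscall 59 on x86_64) and the target is a socket in a foreign domain, i.e. the leaked descriptor Dan describes, which is fixed in the parent process rather than allowed. The rule text imitates the format audit2allow prints and is an assumption; the script does not call the real tool.

```python
import re

# Sample input: AVC + SYSCALL records copied from the two reports above (host= dropped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1220775715.59:8): avc: denied { signal } for pid=2363 comm="kerneloops" scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=process
type=SYSCALL msg=audit(1220775715.59:8): arch=c000003e syscall=234 success=no exit=-13 a0=93b a1=93b a2=6 a3=8 items=0 ppid=1 pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0 key=(null)
type=AVC msg=audit(1220775787.407:21): avc: denied { read write } for pid=3069 comm="dhclient" path="socket:[68728]" dev=sockfs ino=68728 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1220775787.407:21): arch=c000003e syscall=59 success=yes exit=0 a0=948530 a1=94ad90 a2=8f0d70 a3=3f48f67a70 items=0 ppid=2970 pid=3069 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')
EXECVE_X86_64 = '59'  # execve on arch=c000003e (x86_64), as in the dhclient record

def parse_events(text):
    """Group the AVC and SYSCALL records of each audit event by audit(...) id."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if rec['type'] == 'AVC':
            rec['perms'] = PERMS_RE.search(line).group(1).split()
            rec['sdomain'] = rec['scontext'].split(':')[2]  # e.g. dhcpc_t
            rec['tdomain'] = rec['tcontext'].split(':')[2]  # e.g. unconfined_t
        events.setdefault(m.group(1), {})[rec['type']] = rec
    return events

def audit2allow_rule(avc):
    """Allow rule in the style audit2allow prints for one AVC ('self' when domains match)."""
    target = 'self' if avc['sdomain'] == avc['tdomain'] else avc['tdomain']
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ %s }' % ' '.join(avc['perms'])
    return 'allow %s %s:%s %s;' % (avc['sdomain'], target, avc['tclass'], perms)

def triage(text):
    """Map comm -> (verdict, advice). A denial recorded at a *successful* execve on a socket
    or file owned by another domain means the parent leaked an fd; do not write an allow rule."""
    out = {}
    for ev in parse_events(text).values():
        avc, sc = ev['AVC'], ev.get('SYSCALL', {})
        if (sc.get('syscall') == EXECVE_X86_64 and sc.get('success') == 'yes'
                and avc['tclass'] != 'process' and avc['sdomain'] != avc['tdomain']):
            out[avc['comm']] = ('leaked-fd', 'fix the fd leak in parent pid %s' % sc['ppid'])
        elif avc['tclass'] == 'process' and avc['sdomain'] == avc['tdomain']:
            out[avc['comm']] = ('missing-self-rule', audit2allow_rule(avc))
        else:
            out[avc['comm']] = ('review', audit2allow_rule(avc))
    return out
```

Run `triage(open('/var/log/audit/audit.log').read())` to apply the same check to a live log; the ppid in a leaked-fd verdict is the process to look at (here 2970, the program that started dhclient).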