AVCs while running rkhunter

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 20 13:02:18 UTC 2006


On Fri, 2006-10-20 at 10:53 +0200, pi wrote:
> Hashes seem OK when I turn selinux protection off; as soon as I turn
> selinux on while running rkhunter, they show up as BAD.
> So I figure they are okay, but rkhunter is denied access to something.
> Can someone explain what I have to do to make it right?
> I'm on fc5, and I think it's fully updated if I haven't missed out on
> any new repos.
<snip>

Tip:  Use /sbin/ausearch -i with other qualifiers as appropriate to
filter and interpret the audit logs.  Example:  /sbin/ausearch -i -m
avc,selinux_err to see all AVC and SELinux error messages in an
interpreted form.

> type=AVC msg=audit(1161332509.183:234): avc:  denied  { read write } 
> for  pid=28899 comm="prelink" name="0" dev=devpts ino=2 
> scontext=user_u:system_r:prelink_t:s0 
> tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file

So rkhunter is running prelink, and prelink is likely inheriting a
descriptor to the user's pty, but isn't allowed to access it.  No big
deal, unless prelink truly needs to write to the user's pty for some
reason (not likely in this case).

> type=AVC msg=audit(1161332509.183:234): avc:  denied  { write } for  
> pid=28899 comm="prelink" name="prelink.tst" dev=dm-0 ino=1277164 
> scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:var_t:s0 
> tclass=file
<snip>
> type=AVC_PATH msg=audit(1161332509.183:234):  
> path="/var/rkhunter/tmp/prelink.tst"

This one is likely the real culprit - prelink is trying to write to a
file named "prelink.tst", and isn't allowed to access it.  From the
AVC_PATH record, we see that the file's full path
is /var/rkhunter/tmp/prelink.tst.

Since rkhunter has no policy itself, /var/rkhunter just defaults to the
type of the parent directory, var_t, and prelink has no business writing
to generic files under /var.

You could use audit2allow just to allow it, but a better solution would
be to define a more specific type for /var/rkhunter, and then allow
prelink to write to files with that type.

-- 
Stephen Smalley
National Security Agency
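The "more specific type" approach Stephen suggests, written out as an added example (this is not code from the thread, from rkhunter or from the Fedora policy). The module name rkhunter_var and the type rkhunter_var_t are names chosen here; prelink_t, devpts_t and the rw_*_perms / files_type macros are the reference policy's own. It assumes the selinux-policy-devel Makefile that Fedora ships for building local modules, and root to load the module and relabel /var/rkhunter.

```shell
#!/bin/sh
# Added example: give /var/rkhunter its own SELinux type instead of letting
# prelink_t write to generic var_t files. Assumed names: module "rkhunter_var",
# type "rkhunter_var_t". Needs selinux-policy-devel (for the refpolicy Makefile)
# and root for semodule/restorecon.
set -e

# Write the module sources (.te rules and .fc file contexts) into directory $1.
write_module() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/rkhunter_var.te" <<'EOF'
policy_module(rkhunter_var, 1.0)

require {
    type prelink_t;
    type devpts_t;
}

# Dedicated type for rkhunter's working directory (assumed name), so prelink
# gets write access only here and not to everything labeled var_t under /var.
type rkhunter_var_t;
files_type(rkhunter_var_t)

# What the quoted AVC asked for: prelink writing prelink.tst under /var/rkhunter.
# If rkhunter's tests trigger further denials, add only the permissions shown.
allow prelink_t rkhunter_var_t:dir rw_dir_perms;
allow prelink_t rkhunter_var_t:file rw_file_perms;

# The inherited pty descriptor is harmless noise: silence it rather than allow it.
dontaudit prelink_t devpts_t:chr_file rw_chr_file_perms;
EOF
    cat > "$dir/rkhunter_var.fc" <<'EOF'
/var/rkhunter(/.*)?    gen_context(system_u:object_r:rkhunter_var_t,s0)
EOF
}

# Compile the module with the reference policy Makefile, load it, then relabel
# so files already under /var/rkhunter pick up the new type.
build_and_install() {
    dir=$1
    makefile=/usr/share/selinux/devel/Makefile
    if [ ! -f "$makefile" ]; then
        echo "missing $makefile (install selinux-policy-devel)" >&2
        return 1
    fi
    (cd "$dir" && make -f "$makefile" rkhunter_var.pp)
    semodule -i "$dir/rkhunter_var.pp"
    restorecon -Rv /var/rkhunter
}

# After rerunning rkhunter, confirm no prelink denials remain (interpreted form).
check_avcs() {
    ausearch -i -m avc,selinux_err -c prelink || echo "no prelink AVCs found"
}

case "${1:-}" in
    write)   write_module "${2:-./rkhunter_var}" ;;
    install) write_module "${2:-./rkhunter_var}"
             build_and_install "${2:-./rkhunter_var}" ;;
    check)   check_avcs ;;
esac
```

Run it as `sh rkhunter_var.sh install` on the affected box, rerun rkhunter, then `sh rkhunter_var.sh check`. The rules stay narrow on purpose: prelink is granted the file and directory access the denial shows, on one type that labels only /var/rkhunter, which is the difference between this and an audit2allow rule that would open var_t to prelink_t system-wide.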




More information about the fedora-selinux-list mailing list