How to solve these audit messages
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 6 15:22:26 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ali Nebi wrote:
> Hi,
>
> i want to ask about 2 strange audit messages. The messages are these:
>
> Nov 5 14:14:24 asgard kernel: audit(1194268464.097:309): avc: denied
> { search } for pid=22933 comm="sh" name="src" dev=dm-0 ino=5244065
> scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0
> tclass=dir
> Nov 5 14:14:24 asgard kernel: audit(1194268464.124:310): avc: denied
> { getattr } for pid=22933 comm="sh" name="SPECS" dev=dm-0 ino=5865755
> scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0
> tclass=dir
>
> i don't know what is the reason sh to try to make something in /usr/src
> and /usr/src/redhat/SPEC
>
> we have not set some script that to have task to do something in these
> directories. is it possible to be some hack attack ? also i see that
> scontext is this: scontext=root:system_r:httpd_t:s0 is it possible to
> understand where is the file that try to use "sh" ?
>
> Also the audits:
>
> Nov 5 12:03:07 casamerica kernel: audit(1194260587.185:40): avc:
> denied { read write } for pid=26690 comm="listinfo" name="" dev=sockfs
> ino=1414447 scontext=system_u:system_r:mailman_cgi_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
>
> i have some similar messages related with mailmain, what is the best
> that i can do to solve these messages?
>
> Thanks in advanced!
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I guess that you are running some mod_(php, perl)? script that is trying
to look at /usr/src/redhat/SPEC. This is all the info we get from the
kernel. I don't know if this is a problem or not.
The other avc is a leaked file descriptor in httpd and could be
dontaudited, in mailmail_cgi_t. It can safely be ignored.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHMIayrlYvE4MpobMRAvJqAKCpxJhX79gb5AyWWaMDarWDIdFmXwCg4mj8
uV8jei4Xzvv8ybkhX5g1OgA=
=NaRf
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list