F10 Logwatch and avc(s) long post
Frank Murphy
frankly3d at fedoraproject.org
Sat Nov 22 09:25:19 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------A snip from the logwatch included at end-----------------
Summary:
SELinux is preventing netstat (logwatch_t) "search" to <Unknown>
(sysctl_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this
access
is required by netstat and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for <Unknown>,
restorecon -v '<Unknown>'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects None [ dir ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1
SMP Tue
Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 4
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID 144ff94f-abf9-47ba-8ab6-bda6cceb41e8
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied {
search } for pid=4085 comm="netstat"
scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003
syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020
items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this
access
is required by netstat and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for ./unix,
restorecon -v './unix'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects ./unix [ file ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1
SMP Tue
Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 2
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID c323266d-4b2a-4e47-9b13-eeb640939573
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied {
read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984
scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003
syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360
items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6
(proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this
access
is required by netstat and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for ./if_inet6,
restorecon -v './if_inet6'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects ./if_inet6 [ file ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1
SMP Tue
Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 4
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID 9de63b84-aff8-4a49-bc45-510abd4637b3
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied {
read } for pid=4085 comm="netstat" name="if_inet6" dev=proc
ino=4026532168 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:46): arch=40000003
syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180
items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this
access
is required by netstat and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for ./dev,
restorecon -v './dev'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects ./dev [ file ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages filesystem-2.4.19-1.fc10
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1
SMP Tue
Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 6
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID 44eb7259-6162-4669-9b01-b5d48a63aaa5
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied {
read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957
scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003
syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0
ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Logwatch:
--------------------- Network Report Begin ------------------------
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
------------- Network Interfaces ---------------
Ethernet : 1
Other : 1
Total : 2
------------- Ethernet -------------------------
eth1 Link encap:Ethernet HWaddr 00:19:E0:7A:40:4C
------------- Other ----------------------------
lo Link encap:Local Loopback
------------- Network Interfaces ---------------
------------- Network statistics ---------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1
inet6 fe80::219:e0ff:fe7a:404c/64 scope link
valid_lft forever preferred_lft forever
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Iface MTU RX-ERR TX-ERR
eth1 1500 no BMRU
lo 16436 no LRU
------------- Network statistics ---------------
---------------------- Network Report End -------------------------
- --
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkknz/8ACgkQzrcOE0b3RmITUgCfR/8BYJmpAiluEAH0SWqOtXnr
QUgAn1bhRbsmlsZGyJEsTlwl2MNcp57J
=fMiJ
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list