Denied avcs
Antonio Olivares
olivares14031 at yahoo.com
Thu Oct 16 11:40:55 UTC 2008
Dear fellow testers and selinux experts,
I have encountered several avcs. I want to ask you for advice before applying the suggested fixes.
Summary:
SELinux is preventing knotify4 from making the program stack executable.
Detailed Description:
The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/knotify4'" You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/bin/knotify4'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects None [ process ]
Source knotify4
Source Path /usr/bin/knotify4
Port <Unknown>
Host riohigh
Source RPM Packages kdebase-runtime-4.1.2-3.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.10-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name riohigh
Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
01:26:26 EDT 2008 i686 athlon
Alert Count 2
First Seen Thu 16 Oct 2008 06:33:56 AM CDT
Last Seen Thu 16 Oct 2008 06:33:56 AM CDT
Local ID d2171be2-9d07-43e0-83bf-95f7f3e5e666
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.
Detailed Description:
SELinux denied access requested by hal-acl-tool. It is not expected that this
access is required by hal-acl-tool and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:hald_acl_t:s0
Target Context system_u:system_r:hald_acl_t:s0
Target Objects None [ capability ]
Source hal-acl-tool
Source Path /usr/libexec/hal-acl-tool
Port <Unknown>
Host riohigh
Source RPM Packages hal-0.5.12-3.20081013git.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.10-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
01:26:26 EDT 2008 i686 athlon
Alert Count 73
First Seen Sat 04 Oct 2008 11:10:27 AM CDT
Last Seen Thu 16 Oct 2008 06:33:03 AM CDT
Local ID 16181f84-ddf2-4510-bd51-aef5ff647a63
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 items=0 ppid=1834 pid=2568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)
Summary:
SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
consolekit_t.
Detailed Description:
SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects None [ capability ]
Source console-kit-dae
Source Path /usr/sbin/console-kit-daemon
Port <Unknown>
Host riohigh
Source RPM Packages ConsoleKit-0.3.0-2.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.10-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
01:26:26 EDT 2008 i686 athlon
Alert Count 87
First Seen Fri 03 Oct 2008 06:14:33 PM CDT
Last Seen Thu 16 Oct 2008 06:33:02 AM CDT
Local ID 0c8f36ea-d6b2-4646-ba59-1cdf5e6a0ee0
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224156782.948:86): avc: denied { sys_resource } for pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 a3=8c4b790 items=0 ppid=1 pid=1770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
I had not encountered these ones before. And before applying the fixes, I will ask if no one has encountered these ones before.
TIA,
Antonio
More information about the fedora-selinux-list
mailing list