selinux is denying consolekit, hal?, ...,

Antonio Olivares olivares14031 at yahoo.com
Mon Oct 20 12:40:38 UTC 2008


Dear fellow selinux experts,

SELinux is at it again; this time setroubleshoot shot out the warnings:


Summary:

SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.

Detailed Description:

SELinux denied access requested by hal-acl-tool. It is not expected that this
access is required by hal-acl-tool and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:hald_acl_t:s0
Target Context                system_u:system_r:hald_acl_t:s0
Target Objects                None [ capability ]
Source                        hal-acl-tool
Source Path                   /usr/libexec/hal-acl-tool
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           hal-0.5.12-3.20081013git.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat
                              Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count                   25
First Seen                    Thu 16 Oct 2008 05:21:21 PM CDT
Last Seen                     Mon 20 Oct 2008 07:22:37 AM CDT
Local ID                      2dda3b9b-7240-47c2-9865-4e1c1971771c
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1224505357.902:104): avc:  denied  { sys_resource } for  pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 a0=4 a1=b7f94000 a2=854 a3=854 items=0 ppid=1873 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)


Summary:

SELinux is preventing knotify4 from making the program stack executable.

Detailed Description:

The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/knotify4'" You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/bin/knotify4'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        knotify4
Source Path                   /usr/bin/knotify4
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           kdebase-runtime-4.1.2-5.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat
                              Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Mon 20 Oct 2008 07:21:30 AM CDT
Last Seen                     Mon 20 Oct 2008 07:21:30 AM CDT
Local ID                      eebb1d00-400c-4898-888b-ae7a132cd800
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1224505290.544:95): avc:  denied  { execstack } for  pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 a0=bf983000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2883 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           ConsoleKit-0.3.0-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat
                              Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count                   23
First Seen                    Thu 16 Oct 2008 04:27:59 PM CDT
Last Seen                     Mon 20 Oct 2008 07:20:39 AM CDT
Local ID                      18c02e39-31cf-4b70-b999-fa910c61d822
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1224505239.547:88): avc:  denied  { sys_resource } for  pid=1810 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224505239.547:88): arch=40000003 syscall=4 success=yes exit=672 a0=1a a1=9fb1758 a2=2a0 a3=9fb1758 items=0 ppid=1 pid=1810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing sm-notify (rpcd_t) "sys_resource" rpcd_t.

Detailed Description:

SELinux denied access requested by sm-notify. It is not expected that this
access is required by sm-notify and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                unconfined_u:system_r:rpcd_t:s0
Target Objects                None [ capability ]
Source                        rpc.statd
Source Path                   /sbin/rpc.statd
Port                          <Unknown>
Host                          riohigh
Source RPM Packages           nfs-utils-1.1.3-6.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.12-2.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
                              01:26:26 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 16 Oct 2008 05:15:06 PM CDT
Last Seen                     Thu 16 Oct 2008 05:15:06 PM CDT
Local ID                      cc9a1241-41d6-4b07-aa8c-4d2701763004
Line Numbers                  

Raw Audit Messages            

node=riohigh type=AVC msg=audit(1224195306.728:103): avc:  denied  { sys_resource } for  pid=7184 comm="sm-notify" capability=24 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224195306.728:103): arch=40000003 syscall=4 success=yes exit=5 a0=5 a1=bffbd700 a2=5 a3=5 items=0 ppid=7183 pid=7184 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sm-notify" exe="/usr/sbin/sm-notify" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)


Which ones should I file bugs against, if there are any to file?

I have seen knotify and SELinux again; this one is filed. Do I need more info?

Thanks,

Antonio 
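Added example (not part of the original post, and not code from setroubleshoot or audit2allow): a small decoder for the "Raw Audit Messages" quoted above. It pairs each AVC record with its SYSCALL record by event id, translates the numbers a reader otherwise has to look up (capability=24 is CAP_SYS_RESOURCE, arch=40000003 is i386 so syscall=4 is write and 125 is mprotect, a2=1000007 on mprotect is PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, exit=-13 is EACCES) and drafts the allow rule audit2allow would propose. The sample text is copied from two of the alerts in this message; the capability and syscall tables are subsets for i386 only, and the function names (analyze, draft_rule, decode_prot) are my own.

```python
"""Decode AVC/SYSCALL record pairs from setroubleshoot's "Raw Audit Messages"
and draft the allow rule audit2allow would propose for each denial."""
import errno
import re

# Records copied from the alerts quoted in this message (the hal-acl-tool and
# knotify4 pairs); any ausearch / audit.log text of this shape will do.
SAMPLE_RECORDS = r"""
node=riohigh type=AVC msg=audit(1224505357.902:104): avc:  denied  { sys_resource } for  pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 a0=4 a1=b7f94000 a2=854 a3=854 items=0 ppid=1873 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)
node=riohigh type=AVC msg=audit(1224505290.544:95): avc:  denied  { execstack } for  pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 a0=bf983000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2883 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# Subsets of <linux/capability.h> and the i386 syscall table (arch=40000003
# is AUDIT_ARCH_I386); other architectures number syscalls differently.
CAPABILITIES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE",
}
SYSCALLS_I386 = {3: "read", 4: "write", 5: "open", 6: "close", 11: "execve",
                 90: "old_mmap", 125: "mprotect", 192: "mmap2"}
# mprotect(2) protection bits; PROT_GROWSDOWN marks a stack mapping.
PROT_FLAGS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
              (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_line(line):
    """Turn one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["event"] = m.group(1) if m else None
    m = AVC_RE.search(line)
    if m:
        fields["result"] = m.group(1)
        fields["perms"] = m.group(2).split()
    return fields


def group_events(text):
    """Group records by audit event id so an AVC can be read with its SYSCALL."""
    events = {}
    for line in text.strip().splitlines():
        if line.strip():
            f = parse_line(line)
            events.setdefault(f["event"], {})[f["type"]] = f
    return events


def decode_prot(hexval):
    val = int(hexval, 16)
    names = [name for bit, name in PROT_FLAGS if val & bit]
    return "|".join(names) if names else "PROT_NONE"


def selinux_type(context):
    return context.split(":")[2]          # user:role:type[:range]


def draft_rule(avc):
    """The allow rule audit2allow would emit; 'self' when source and target types match."""
    stype, ttype = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
    target = "self" if stype == ttype else ttype
    return "allow %s %s:%s { %s };" % (stype, target, avc["tclass"], " ".join(avc["perms"]))


def analyze(text):
    out = []
    for event_id, recs in group_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue
        nr = int(sc.get("syscall", -1))
        name = SYSCALLS_I386.get(nr, "nr%d" % nr) if sc.get("arch") == "40000003" else "nr%d" % nr
        ex = int(sc["exit"]) if "exit" in sc else None
        info = {"event": event_id, "comm": avc["comm"], "perms": avc["perms"],
                "tclass": avc["tclass"], "rule": draft_rule(avc),
                "syscall": name if sc else None,
                "succeeded": sc.get("success") == "yes", "exit": ex,
                "errno": errno.errorcode.get(-ex) if ex is not None and ex < 0 else None}
        if avc["tclass"] == "capability":
            info["capability"] = CAPABILITIES.get(int(avc["capability"]), "unknown")
        if info["syscall"] == "mprotect":
            info["prot"] = decode_prot(sc["a2"])
        out.append(info)
    return out


if __name__ == "__main__":
    for ev in analyze(SAMPLE_RECORDS):
        print(ev)
```

The decoded output makes the distinction that matters when deciding what to file: both sys_resource denials come from a write() that reports success=yes, so the kernel merely asked whether the process held CAP_SYS_RESOURCE and carried on without it, whereas the knotify4 mprotect() on a PROT_GROWSDOWN (stack) mapping was actually refused with EACCES. The drafted rule is what `audit2allow -M` would wrap in a local module; for the execstack case the text above is right that the better fix is to clear the flag on whichever library asked for it rather than allow the permission.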

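Added example (not from the original post and not the execstack utility itself): the knotify4 alert says to look for a library "accidentally marked with the execstack flag" and clear it with `execstack -c`. That flag is the PF_X bit on the PT_GNU_STACK program header, and this script reads and rewrites it directly so the mechanism behind `execstack -q`, `-c` and `-s` is visible. It handles 32- and 64-bit ELF in either byte order; the build_elf helper constructs minimal header-only ELF blobs purely for offline testing (they are not runnable binaries), and report/scan/stack_mark are names I chose. A binary with no PT_GNU_STACK header gets "?", in which case the kernel applies the architecture default, which on i386 is an executable stack.

```python
"""Read and rewrite the PT_GNU_STACK flag that asks the kernel for an
executable stack (the bit execstack -q/-c/-s reports and changes)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def _layout(data):
    """Locate the program-header table and the p_flags offset inside an entry."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 little-endian, 2 big-endian
    if data[4] == 1:                            # ELFCLASS32
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                          # Elf32_Phdr: p_flags after six 4-byte fields
    elif data[4] == 2:                          # ELFCLASS64
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                           # Elf64_Phdr: p_flags is the second field
    else:
        raise ValueError("unknown ELF class")
    return end, phoff, phentsize, phnum, flags_off


def find_gnu_stack(data):
    """Return (file offset of p_flags, p_flags) for the PT_GNU_STACK entry, or None."""
    end, phoff, phentsize, phnum, flags_off = _layout(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, base)[0] == PT_GNU_STACK:
            fpos = base + flags_off
            return fpos, struct.unpack_from(end + "I", data, fpos)[0]
    return None


def stack_mark(data):
    """Same letters execstack -q prints: X executable, - not, ? no header present."""
    hit = find_gnu_stack(data)
    if hit is None:
        return "?"
    return "X" if hit[1] & PF_X else "-"


def set_execstack(data, executable):
    """What execstack -s / -c do: flip PF_X on PT_GNU_STACK; returns the new image."""
    hit = find_gnu_stack(data)
    if hit is None:
        raise ValueError("no PT_GNU_STACK header; execstack would have to add one")
    fpos, flags = hit
    end = _layout(data)[0]
    new_flags = (flags | PF_X) if executable else (flags & ~PF_X)
    out = bytearray(data)
    struct.pack_into(end + "I", out, fpos, new_flags)
    return bytes(out)


def build_elf(elf_class, gnu_stack_flags=None):
    """Constructed header-only ELF image for offline tests; not a loadable binary."""
    phnum = 0 if gnu_stack_flags is None else 1
    if elf_class == 1:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
        ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, gnu_stack_flags or 0, 16)
    else:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
        ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, gnu_stack_flags or 0, 0, 0, 0, 0, 0, 16)
    return ident + ehdr + (phdr if phnum else b"")


def report(blobs):
    """Map each name to its stack mark; blobs is {name: elf_bytes}."""
    return {name: stack_mark(data) for name, data in blobs.items()}


def scan(paths):
    """File-based front end: the equivalent of execstack -q on each path."""
    blobs = {}
    for path in paths:
        with open(path, "rb") as fh:
            blobs[path] = fh.read()
    return report(blobs)


if __name__ == "__main__":
    marks = scan(sys.argv[1:]) if len(sys.argv) > 1 else report(
        {"demo32-exec": build_elf(1, 0x7), "demo64-noexec": build_elf(2, 0x6)})
    for name, mark in marks.items():
        print(mark, name)
```

To find the library the alert is talking about, run `scan` over the shared objects knotify4 maps (for example the list from `ldd /usr/bin/knotify4`), look for an "X", and only then clear the bit; clearing it on a copy and re-running the application is the check the alert text describes before deciding whether to turn it back on with `-s`.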