selinux is denying consolekit, hal?, ...,

Daniel J Walsh dwalsh at redhat.com
Mon Oct 20 17:57:08 UTC 2008


Antonio Olivares wrote:
> Dear fellow selinux experts,
> 
> selinux is at it again, this time, setroubleshoot shot out the warnings:
> 
> 
> Summary:
> 
> SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by hal-acl-tool. It is not expected that this
> access is required by hal-acl-tool and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:hald_acl_t:s0
> Target Context                system_u:system_r:hald_acl_t:s0
> Target Objects                None [ capability ]
> Source                        hal-acl-tool
> Source Path                   /usr/libexec/hal-acl-tool
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           hal-0.5.12-3.20081013git.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-1.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat
>                               Oct 18 20:35:56 EDT 2008 i686 athlon
> Alert Count                   25
> First Seen                    Thu 16 Oct 2008 05:21:21 PM CDT
> Last Seen                     Mon 20 Oct 2008 07:22:37 AM CDT
> Local ID                      2dda3b9b-7240-47c2-9865-4e1c1971771c
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=riohigh type=AVC msg=audit(1224505357.902:104): avc:  denied  { sys_resource } for  pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
> 
> node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 a0=4 a1=b7f94000 a2=854 a3=854 items=0 ppid=1873 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)
> 
> 
> Summary:
> 
> SELinux is preventing knotify4 from making the program stack executable.
> 
> Detailed Description:
> 
> The knotify4 application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If knotify4 does not work and you need it to work,
> you can configure SELinux temporarily to allow this access until the application
> is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> 
> Allowing Access:
> 
> Sometimes a library is accidentally marked with the execstack flag, if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
> run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/bin/knotify4'" You must also change the default file context files on the
> system in order to preserve them even on a full relabel. "semanage fcontext -a
> -t unconfined_execmem_exec_t '/usr/bin/knotify4'"
> 
> Fix Command:
> 
> chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                               023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                               023
> Target Objects                None [ process ]
> Source                        knotify4
> Source Path                   /usr/bin/knotify4
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           kdebase-runtime-4.1.2-5.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-1.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat
>                               Oct 18 20:35:56 EDT 2008 i686 athlon
> Alert Count                   2
> First Seen                    Mon 20 Oct 2008 07:21:30 AM CDT
> Last Seen                     Mon 20 Oct 2008 07:21:30 AM CDT
> Local ID                      eebb1d00-400c-4898-888b-ae7a132cd800
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=riohigh type=AVC msg=audit(1224505290.544:95): avc:  denied  { execstack } for  pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> 
> node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 a0=bf983000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2883 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> 
> Summary:
> 
> SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
> consolekit_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by console-kit-dae. It is not expected that this
> access is required by console-kit-dae and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
> Target Objects                None [ capability ]
> Source                        console-kit-dae
> Source Path                   /usr/sbin/console-kit-daemon
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           ConsoleKit-0.3.0-2.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.13-1.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat
>                               Oct 18 20:35:56 EDT 2008 i686 athlon
> Alert Count                   23
> First Seen                    Thu 16 Oct 2008 04:27:59 PM CDT
> Last Seen                     Mon 20 Oct 2008 07:20:39 AM CDT
> Local ID                      18c02e39-31cf-4b70-b999-fa910c61d822
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=riohigh type=AVC msg=audit(1224505239.547:88): avc:  denied  { sys_resource } for  pid=1810 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
> 
> node=riohigh type=SYSCALL msg=audit(1224505239.547:88): arch=40000003 syscall=4 success=yes exit=672 a0=1a a1=9fb1758 a2=2a0 a3=9fb1758 items=0 ppid=1 pid=1810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
> 
> 
> Summary:
> 
> SELinux is preventing sm-notify (rpcd_t) "sys_resource" rpcd_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by sm-notify. It is not expected that this
> access is required by sm-notify and this access may signal an intrusion attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:system_r:rpcd_t:s0
> Target Context                unconfined_u:system_r:rpcd_t:s0
> Target Objects                None [ capability ]
> Source                        rpc.statd
> Source Path                   /sbin/rpc.statd
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           nfs-utils-1.1.3-6.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.12-2.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
>                               01:26:26 EDT 2008 i686 athlon
> Alert Count                   2
> First Seen                    Thu 16 Oct 2008 05:15:06 PM CDT
> Last Seen                     Thu 16 Oct 2008 05:15:06 PM CDT
> Local ID                      cc9a1241-41d6-4b07-aa8c-4d2701763004
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=riohigh type=AVC msg=audit(1224195306.728:103): avc:  denied  { sys_resource } for  pid=7184 comm="sm-notify" capability=24 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=capability
> 
> node=riohigh type=SYSCALL msg=audit(1224195306.728:103): arch=40000003 syscall=4 success=yes exit=5 a0=5 a1=bffbd700 a2=5 a3=5 items=0 ppid=7183 pid=7184 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sm-notify" exe="/usr/sbin/sm-notify" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
> 
> 
> Which ones should I file bugs against, if there are any to file?
> 
> I have seen knotify and selinux again, this one is filed.  Do I need more info?
> 
> Thanks,
> 
> Antonio 
These should be filed against the kernel.  These tools should not
suddenly need sys_resource.  I believe this is a kernel bug.
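As an added example (not code from the thread), a small Python triage of the raw audit messages quoted above: it pairs each AVC record with the SYSCALL record of the same event id and notes whether the denied call still completed. Every sys_resource denial in the thread shows success=yes, which fits the reading that the kernel is probing for a capability it does not actually need; the execstack denial shows success=no, so that one really did break the call. The capability and i386 syscall tables are assumed subsets, enough for the events here.

```python
import re

# Subsets of the kernel's capability.h and the i386 syscall table (the
# records carry arch=40000003, i.e. i386); enough for the thread's events.
CAP_NAMES = {1: "dac_override", 21: "sys_admin", 24: "sys_resource"}
I386_SYSCALLS = {4: "write", 125: "mprotect"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s+\{ ([^}]+) \}')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')

def parse_record(line):
    """Split one audit record into its key=value fields plus event id/perms."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ev = EVENT_RE.search(line)
    rec["event"] = ev.group(1) if ev else None
    perm = PERM_RE.search(line)
    rec["perms"] = perm.group(1).split() if perm else []
    return rec

def triage(lines):
    """Pair each AVC denial with the SYSCALL record of the same event and
    report whether the denied call still completed."""
    events = {}
    for rec in map(parse_record, lines):
        if rec["event"]:
            events.setdefault(rec["event"], {})[rec.get("type")] = rec
    findings = []
    for _, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None:
            continue
        request = "%s:%s" % (avc.get("tclass"), " ".join(avc["perms"]))
        if avc.get("tclass") == "capability" and "capability" in avc:
            request = "capability:" + CAP_NAMES.get(int(avc["capability"]), avc["capability"])
        f = {"comm": avc.get("comm"), "domain": avc["scontext"].split(":")[2],
             "request": request, "syscall": None, "outcome": "no SYSCALL record"}
        if sc is not None:
            f["syscall"] = I386_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
            if sc.get("success") == "yes":
                # Kernel asked for the capability, was refused, and carried on
                # down the unprivileged path: the denial is noise, not breakage.
                f["outcome"] = "succeeded despite denial"
            else:
                f["outcome"] = "failed (exit=%s)" % sc.get("exit")
        findings.append(f)
    return findings

# Constructed sample: two AVC/SYSCALL pairs trimmed from the alerts above.
SAMPLE = [
  'node=riohigh type=AVC msg=audit(1224505357.902:104): avc:  denied  { sys_resource } for  pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability',
  'node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 pid=3200 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool"',
  'node=riohigh type=AVC msg=audit(1224505290.544:95): avc:  denied  { execstack } for  pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
  'node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 pid=2883 comm="knotify4" exe="/usr/bin/knotify4"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("%(comm)s (%(domain)s) %(request)s via %(syscall)s: %(outcome)s" % f)
```

Feed it the output of `ausearch -m AVC,SYSCALL` (or the Raw Audit Messages block of a setroubleshoot alert) one record per line; a capability denial whose syscall still succeeded is worth a bug report rather than a local policy module.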