Trend Micro IWSS AVCs

Jeronimo Zucco JCZucco at ucs.br
Fri Apr 3 11:01:20 UTC 2009


Quoting Dominick Grift <domg472 at gmail.com>:

> On Thu, 2009-04-02 at 14:50 -0300, Jeronimo Zucco wrote:
>> I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -
>> www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).
>> Here are the logs:
>>
>>
>>     Linux: Red Hat Enterprise Linux Server release 5.2
>>     Policy version:                 21
>>     Policy from config file:        targeted
>>
>>
>>
>> type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125
>> success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1
>> pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238693769.018:25): avc:  denied  { execmod } for
>> pid=4756 comm="ismetricmgmtd"
>> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
>> ino=9231574 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> semanage fcontext -a -t
> textrel_shlib_t /opt/trend/iwss/bin/lib/libReportLogging.so
> restorecon /opt/trend/iwss/bin/lib/libReportLogging.so

I've got this error from this command:

iscan homedir /etc/iscan or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually
indicates an incorrectly defined system account.  If it is a system
account please make sure its login shell is /sbin/nologin.


>
>> type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125
>> success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0
>> ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd"
>> exe="/opt/trend/iwss/bin/ismetricmgmtd"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238693772.384:32): avc:  denied  { execmod } for
>> pid=4798 comm="svcmonitor"
>> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
>> ino=9231574 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Same as above
>
>> type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125
>> success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1
>> pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295
>> comm="svcmonitor" exe="/opt/trend/iwss/bin/svcmonitor"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238693775.995:35): avc:  denied  { execmod } for
>> pid=4889 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
>> ino=9166090 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> semanage fcontext -a -t
> textrel_shlib_t /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so
> restorecon /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so

Another error:
iscan homedir /etc/iscan or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually
indicates an incorrectly defined system account.  If it is a system
account please make sure its login shell is /sbin/nologin.

>
>> type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125
>> success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1
>> pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238694058.311:155): avc:  denied  { execmod } for
>> pid=19765 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
>> ino=9166090 scontext=user_u:system_r:unconfined_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Same as above
>
>> type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125
>> success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1
>> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=user_u:system_r:unconfined_t:s0 key=(null)
>> type=AVC msg=audit(1238694060.596:156): avc:  denied  { execmod } for
>> pid=19765 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0
>> ino=9166092 scontext=user_u:system_r:unconfined_t:s0
>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
> semanage fcontext -a -t
> textrel_shlib_t /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so
> restorecon /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so

Same error again:

iscan homedir /etc/iscan or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually
indicates an incorrectly defined system account.  If it is a system
account please make sure its login shell is /sbin/nologin.


>
>> type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125
>> success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1
>> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=user_u:system_r:unconfined_t:s0 key=(null)
>> type=AVC msg=audit(1238694164.063:188): avc:  denied  { execmod } for
>> pid=4582 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
>> ino=9166090 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
> Same as above
>
>> type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125
>> success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1
>> pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>>
>>
>> It was running OK with targeted SELinux enforced, from December until
>> today. Now I have to put SELinux in permissive mode to get IWSS
>> running again.
>>
>>
>> Running audit2allow, I've got this policy:
>>
>> #============= initrc_t ==============
>> allow initrc_t initrc_tmp_t:file execmod;
>> allow initrc_t usr_t:file execmod;
>>
>> #============= unconfined_t ==============
>> allow unconfined_t initrc_tmp_t:file execmod;
>> allow unconfined_t usr_t:file execmod;
>>
>>
>>
>> Too permissive, isn't it? Any idea how to fix it?
>>
> Yes, too permissive. The Trend Micro IWSS daemon runs in initrc_t
> (this domain is unconfined and meant for init scripts).
> You should write policy for this init daemon.
>
>
>



-- 
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Universidade de Caxias do Sul - NPDU

http://jczucco.blogspot.com
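Added example (my own, not code from the thread, Trend Micro or the SELinux tools): a small Python script that parses AVC records in the form quoted above, embedded inline as constructed sample input built from three of the thread's execmod denials plus one made-up unrelated denial, and prints the per-file semanage fcontext/restorecon relabel Dominick suggested next to the type-level rules audit2allow would emit, so the difference in scope is visible. It assumes, as the thread does, that the execmod denials come from shared objects with text relocations, which is what textrel_shlib_t is for.

```python
import re
# Constructed sample input: three execmod denials quoted in the thread plus
# one unrelated, made-up denial that must not be turned into a relabel.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1238693769.018:25): avc:  denied  { execmod } for pid=4756 comm="ismetricmgmtd" path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1238693772.384:32): avc:  denied  { execmod } for pid=4798 comm="svcmonitor" path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1238694164.063:188): avc:  denied  { execmod } for pid=4582 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1238694200.000:190): avc:  denied  { write } for pid=4582 comm="iwssd" name="iwss.log" dev=dm-0 ino=12345 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Fields of one AVC denial line (quotes stripped), or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def type_of(context):
    """system_u:object_r:usr_t:s0 -> usr_t (the type is the third field)."""
    return context.split(":")[2]

def textrel_relabels(audit_text):
    """(path, [commands]) per shared object denied execmod: the per-file fix
    from the thread, which leaves the daemon's domain untouched."""
    paths = {}  # dict dedupes repeated denials and keeps first-seen order
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and "execmod" in rec["perms"] and rec.get("tclass") == "file" and "path" in rec:
            paths[rec["path"]] = True
    return [(p, [f"semanage fcontext -a -t textrel_shlib_t '{p}'", f"restorecon -v '{p}'"])
            for p in paths]

def audit2allow_rules(audit_text):
    """Rules in the shape audit2allow emits, each mapped to the files behind it.
    A rule is keyed on types only, so 'allow initrc_t usr_t:file execmod;'
    would cover every usr_t file: that is why the thread calls it too permissive."""
    rules = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec:
            continue
        for perm in sorted(rec["perms"]):
            key = f"allow {type_of(rec['scontext'])} {type_of(rec['tcontext'])}:{rec['tclass']} {perm};"
            rules.setdefault(key, set()).add(rec.get("path") or rec.get("name", "?"))
    return rules
```

Note that the spec argument of semanage fcontext is a regular expression, so the literal paths printed here (and used in the thread) are matched as patterns, with the dots in ".so" matching any character.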
