Trend Micro IWSS AVCs

Daniel J Walsh dwalsh at redhat.com
Fri Apr 3 15:33:55 UTC 2009



Jeronimo Zucco wrote:
> I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -
> www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).
> Here are the logs:
> 
> 
>    Linux: Red Hat Enterprise Linux Server release 5.2
>    Policy version:                 21
>    Policy from config file:        targeted
> 
> 
> 
> type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125
> success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1
> pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693769.018:25): avc:  denied  { execmod } for 
> pid=4756 comm="ismetricmgmtd"
> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125
> success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0
> ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd"
> exe="/opt/trend/iwss/bin/ismetricmgmtd"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693772.384:32): avc:  denied  { execmod } for 
> pid=4798 comm="svcmonitor"
> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125
> success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1
> pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0 egid=502
> sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="svcmonitor"
> exe="/opt/trend/iwss/bin/svcmonitor" subj=system_u:system_r:initrc_t:s0
> key=(null)
> type=AVC msg=audit(1238693775.995:35): avc:  denied  { execmod } for 
> pid=4889 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125
> success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1
> pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238694058.311:155): avc:  denied  { execmod } for 
> pid=19765 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125
> success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1
> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502
> sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> type=AVC msg=audit(1238694060.596:156): avc:  denied  { execmod } for 
> pid=19765 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0
> ino=9166092 scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125
> success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1
> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502
> sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> type=AVC msg=audit(1238694164.063:188): avc:  denied  { execmod } for 
> pid=4582 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125
> success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1
> pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> 
> 
> It was running ok with target selinux enforced, since December until
> today. Now I have to put selinux in permissive mode to get IWSS running
> again.
> 
> 
> Running audit2allow, I've got this policy:
> 
> #============= initrc_t ==============
> allow initrc_t initrc_tmp_t:file execmod;
> allow initrc_t usr_t:file execmod;
> 
> #============= unconfined_t ==============
> allow unconfined_t initrc_tmp_t:file execmod;
> allow unconfined_t usr_t:file execmod;
> 
> 
> 
> Too permissive, isn't it? Any idea how to fix it?
> 
> 



Execmod libraries can be fixed by setting the file context to
textrel_shlib_t.

chcon -t textrel_shlib_t  /opt/trend/iwss/bin/lib/libReportLogging.so

You should report this problem to www.trendmicro.com: they built
their libraries incorrectly.

Attach this link

http://people.redhat.com/~drepper/selinux-mem.html
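An added example, not part of the message above: the per-library relabel suggested in the reply, applied to every library named in the execmod denials instead of the broad audit2allow rules. The sample records are constructed one-line versions of the thread's AVC entries (the `{ read }` record and its path are invented for contrast), and `semanage fcontext` plus `restorecon` is used in place of `chcon` so the label survives a filesystem relabel.

```shell
#!/bin/sh
# Added example: turn execmod AVC denials into per-library relabel commands.

# Constructed sample input: audit records as they appear in audit.log (one per
# line), modelled on the thread. The last record is invented for contrast.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1238693769.018:25): avc:  denied  { execmod } for  pid=4756 comm="ismetricmgmtd" path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1238693772.384:32): avc:  denied  { execmod } for  pid=4798 comm="svcmonitor" path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1238693775.995:35): avc:  denied  { execmod } for  pid=4889 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1238694060.596:156): avc:  denied  { execmod } for  pid=19765 comm="iwssd" path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0 ino=9166092 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1238693780.000:40): avc:  denied  { read } for  pid=4889 comm="iwssd" path="/opt/trend/iwss/example.conf" dev=dm-0 ino=1 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print the unique file paths that were denied
# execmod. Other denials and repeated paths are dropped.
execmod_paths() {
    grep 'type=AVC' | grep '{ execmod }' | grep 'tclass=file' |
        sed -n 's/.* path="\([^"]*\)".*/\1/p' | LC_ALL=C sort -u
}

# Read audit records on stdin; print (do not run) a persistent labelling rule
# and a restorecon call for each library, so the list can be reviewed first.
relabel_commands() {
    execmod_paths | while IFS= read -r lib; do
        printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$lib"
        printf "restorecon -v '%s'\n" "$lib"
    done
}

# Demo on the constructed sample; on a real host feed /var/log/audit/audit.log.
sample_audit_log | relabel_commands
```

Before relabelling a file, `readelf -d <library> | grep TEXTREL` confirms that it really carries text relocations, which is the build problem the linked page describes.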



