Strange AVC

Daniel J Walsh dwalsh at redhat.com
Thu Oct 1 16:07:27 UTC 2009


On 10/01/2009 10:13 AM, Vadym Chepkov wrote:
> That's the problem, I don't think it was a legitimate call. I scanned every single file in /var/www and I don't see the presence of an uptime call anywhere. I'm afraid it was a probe to see if the system can be compromised.  I scanned the file system for inode 2474106 - it's gone, neither ppid=18807 nor pid=18808 are running, so I am not even sure where else to look.
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> 
> --- On Thu, 10/1/09, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> Subject: Re: Strange AVC
>> To: fedora-selinux-list at redhat.com
>> Date: Thursday, October 1, 2009, 10:06 AM
>> On 10/01/2009 05:51 AM, Dominick Grift wrote:
>>> On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> I am puzzled, what could have caused this kind of AVC:
>>>>
>>>> type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
>>>> type=AVC msg=audit(1254270789.862:74347): avc:  denied  { read } for  pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>>>
>>> Well, uptime runs in the httpd_t domain and the httpd domain (uptime) tried to read the /var/run/utmp file. /var/run/utmp has an object type that is owned by init scripts for objects in /var/run.
>>>
>>> You can and should check first to see whether the types are correct: should "uptime" in this scenario run in the httpd_t domain (is it called from a webapp (non-cgi))? Also, is the target object labelled properly (matchpathcon /var/run/utmp)?
>>>
>>> Once that is established you can verify whether httpd_t should be able to access the target type:
>>>
>>> sesearch --allow -s httpd_t -t initrc_var_run_t -c file -p read
>>>
>>> With this information you are going to have to make your security decision.
>>>
>>> Should you allow it or deny it?
>>>
>>> I can tell you that in my configuration /var/run/utmp also has type initrc_var_run_t. So I guess that is what it should be.
>>>
>>> What I cannot tell you is why and how uptime is executed in this scenario.
>>> All I know is that it runs in the httpd_t domain.
>>>>
>>>>
>>>> Sincerely yours,
>>>>    Vadym Chepkov
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>> You would need to add policy to be able to do this. Apache being able to read utmp could allow a hacker to figure out all the user names that have logged onto a system.  It is denied by default.
>>
>> You can easily add custom policy using audit2allow.
>>
>>
Not sure why anyone would be trying to run uptime, but I would watch your logs for other strange behaviour.
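Added example (not part of the thread, and not Red Hat's or the SELinux tools' own code): a small Python triage script that takes the SYSCALL and AVC records quoted above, joins them by audit serial, pulls out the source domain, target type, class and permission, and prints the checks Dominick describes (the sesearch query, plus locating the object by inode and running matchpathcon on the path found). It also flags a confined domain executing a binary outside an expected set, which is the kind of "strange behaviour" Dan suggests watching for. The EXPECTED_EXE allowlist and the use of find -inum to locate the object are my assumptions; the sample records are the ones from the thread, embedded as a constructed string so the script runs offline.

```python
import re
from collections import defaultdict

# Sample input: the SYSCALL and AVC records quoted in the thread (serial 74347),
# embedded as a constructed string so the script runs offline.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1254270789.862:74347): avc:  denied  { read } for  pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

# Assumption (constructed, not from the thread): the binaries each confined domain
# is expected to execute on this host. Anything else deserves a second look.
EXPECTED_EXE = {"httpd_t": {"/usr/sbin/httpd"}}

REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERM_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


def parse_record(line):
    """Parse one audit record into a dict; return None for non-audit lines."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    pm = PERM_RE.search(m["body"])
    if pm:  # AVC records carry the decision and the permission set
        rec["result"] = pm["result"]
        rec["perms"] = pm["perms"].split()
    for key, val in KV_RE.findall(m["body"]):
        rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Group SYSCALL and AVC records that share an audit serial into one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def context_type(ctx):
    """user:role:type:level -> type, the part allow rules are written against."""
    return ctx.split(":")[2]


def triage(event):
    """Summarise a denial and list the host-side checks from the thread."""
    avc = event["AVC"]
    sc = event.get("SYSCALL", {})
    sdom = context_type(avc["scontext"])
    ttype = context_type(avc["tcontext"])
    summary = {
        "source_domain": sdom, "target_type": ttype, "tclass": avc["tclass"],
        "perms": avc["perms"], "comm": avc.get("comm"), "exe": sc.get("exe"),
        "pid": avc.get("pid"), "ppid": sc.get("ppid"),
        "name": avc.get("name"), "ino": avc.get("ino"),
    }
    commands = [
        # Does loaded policy already allow this access? (Dominick's sesearch check.)
        f"sesearch --allow -s {sdom} -t {ttype} -c {avc['tclass']} -p {','.join(avc['perms'])}",
    ]
    if "ino" in avc:
        # The AVC names the object only by inode; locate it (if it still exists) ...
        commands.append(f"find / -xdev -inum {avc['ino']} 2>/dev/null")
        # ... then confirm its label against policy (matchpathcon /var/run/utmp in the thread).
        commands.append("matchpathcon <path printed by find>")
    return summary, commands


def unexpected_exec(event):
    """True when a confined domain ran a binary outside its expected set."""
    sc, avc = event.get("SYSCALL"), event.get("AVC")
    if not sc or not avc:
        return False
    dom = context_type(avc["scontext"])
    return dom in EXPECTED_EXE and sc.get("exe") not in EXPECTED_EXE[dom]


if __name__ == "__main__":
    for serial, event in sorted(group_events(SAMPLE_AUDIT).items()):
        if "AVC" not in event:
            continue
        summary, commands = triage(event)
        flag = " [unexpected binary for this domain]" if unexpected_exec(event) else ""
        print(f"serial {serial}: {summary['source_domain']} -> {summary['target_type']} "
              f"{summary['tclass']} {{ {' '.join(summary['perms'])} }} via {summary['exe']}{flag}")
        for cmd in commands:
            print("   ", cmd)
```

Feed it real records with `ausearch -m AVC,SYSCALL --raw` piped into group_events; the inode lookup only helps while the object still exists, which is why the thread's search for inode 2474106 came up empty.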