Denied avcs
Daniel J Walsh
dwalsh at redhat.com
Thu Oct 16 21:47:46 UTC 2008
Antonio Olivares wrote:
> Dear fellow testers and selinux experts,
>
> I have encountered several avcs. I want to ask you for advice before applying the suggested fixes.
>
>
> Summary:
>
> SELinux is preventing knotify4 from making the program stack executable.
>
> Detailed Description:
>
> The knotify4 application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If knotify4 does not work and you need it to work,
> you can configure SELinux temporarily to allow this access until the application
> is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the execstack flag, if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
> run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/bin/knotify4'" You must also change the default file context files on the
> system in order to preserve them even on a full relabel. "semanage fcontext -a
> -t unconfined_execmem_exec_t '/usr/bin/knotify4'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
>
> Additional Information:
>
> Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects None [ process ]
> Source knotify4
> Source Path /usr/bin/knotify4
> Port <Unknown>
> Host riohigh
> Source RPM Packages kdebase-runtime-4.1.2-3.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.10-3.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_execstack
> Host Name riohigh
> Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
> 01:26:26 EDT 2008 i686 athlon
> Alert Count 2
> First Seen Thu 16 Oct 2008 06:33:56 AM CDT
> Last Seen Thu 16 Oct 2008 06:33:56 AM CDT
> Local ID d2171be2-9d07-43e0-83bf-95f7f3e5e666
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> Summary:
>
> SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.
>
> Detailed Description:
>
> SELinux denied access requested by hal-acl-tool. It is not expected that this
> access is required by hal-acl-tool and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:hald_acl_t:s0
> Target Context system_u:system_r:hald_acl_t:s0
> Target Objects None [ capability ]
> Source hal-acl-tool
> Source Path /usr/libexec/hal-acl-tool
> Port <Unknown>
> Host riohigh
> Source RPM Packages hal-0.5.12-3.20081013git.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.10-3.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name riohigh
> Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
> 01:26:26 EDT 2008 i686 athlon
> Alert Count 73
> First Seen Sat 04 Oct 2008 11:10:27 AM CDT
> Last Seen Thu 16 Oct 2008 06:33:03 AM CDT
> Local ID 16181f84-ddf2-4510-bd51-aef5ff647a63
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
>
> node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 items=0 ppid=1834 pid=2568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)
>
> Summary:
>
> SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
> consolekit_t.
>
> Detailed Description:
>
> SELinux denied access requested by console-kit-dae. It is not expected that this
> access is required by console-kit-dae and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
> Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
> Target Objects None [ capability ]
> Source console-kit-dae
> Source Path /usr/sbin/console-kit-daemon
> Port <Unknown>
> Host riohigh
> Source RPM Packages ConsoleKit-0.3.0-2.fc10
> Target RPM Packages
> Policy RPM selinux-policy-3.5.10-3.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name riohigh
> Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10
> 01:26:26 EDT 2008 i686 athlon
> Alert Count 87
> First Seen Fri 03 Oct 2008 06:14:33 PM CDT
> Last Seen Thu 16 Oct 2008 06:33:02 AM CDT
> Local ID 0c8f36ea-d6b2-4646-ba59-1cdf5e6a0ee0
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1224156782.948:86): avc: denied { sys_resource } for pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
>
> node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 a3=8c4b790 items=0 ppid=1 pid=1770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
>
> I had not encountered these ones before. And before applying the fixes, I will ask if no one has encountered these ones before.
>
> TIA,
>
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The sys_resource ones seem to be a bug in the kernel, since every
confined domain seems to be getting a denial.
The execstack one is probably caused by a badly built executable or a bad
library. You can execute the chcon command to allow it to run or turn
off the check.
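As an added example (not part of the thread), a small Python triage helper that joins each AVC record quoted above with its SYSCALL record by audit serial and decodes the i386 syscall number, the capability number and the mprotect prot flags. It shows that the knotify4 denial is an mprotect(PROT_EXEC) on a PROT_GROWSDOWN (stack) mapping, which is what the kernel reports as the execstack permission, and that the sys_resource denials hit the same capability from different confined domains. The lookup tables are deliberately limited to the values that appear on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC/SYSCALL pairs quoted above, trimmed to the fields used here.
RAW = """
node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 pid=2874 comm="knotify4" exe="/usr/bin/knotify4"
node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 pid=2568 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool"
node=riohigh type=AVC msg=audit(1224156782.948:86): avc: denied { sys_resource } for pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 a3=8c4b790 pid=1770 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
"""

CAPABILITY = {24: "sys_resource"}              # subset of linux/capability.h
SYSCALL_I386 = {4: "write", 125: "mprotect"}   # arch=40000003 is AUDIT_ARCH_I386
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC", 0x1000000: "PROT_GROWSDOWN"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Return {serial: {"AVC": fields, "SYSCALL": fields}} keyed on the audit(ts:serial) id."""
    events = defaultdict(dict)
    for line in text.strip().splitlines():
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        serial = re.search(r"audit\([\d.]+:(\d+)\)", f["msg"]).group(1)
        perms = re.search(r"denied \{([^}]*)\}", line)
        if perms:                                # only AVC records carry a permission set
            f["perms"] = perms.group(1).split()
        events[serial][f["type"]] = f
    return events

def describe(event):
    """Decode one AVC+SYSCALL pair: what was asked for and what the kernel actually saw."""
    avc, sc = event["AVC"], event["SYSCALL"]
    out = {"comm": avc["comm"], "domain": avc["scontext"].split(":")[2],
           "tclass": avc["tclass"], "perms": avc["perms"],
           "syscall": SYSCALL_I386.get(int(sc["syscall"]), sc["syscall"]),
           "success": sc["success"] == "yes"}
    if avc["tclass"] == "capability":
        out["capability"] = CAPABILITY.get(int(avc["capability"]), avc["capability"])
    if out["syscall"] == "mprotect":             # a0=addr, a2=prot; audit logs them in hex
        prot = int(sc["a2"], 16)
        out["prot"] = [name for bit, name in PROT.items() if prot & bit]
        out["addr"] = "0x" + sc["a0"]
    return out

def sys_resource_domains(events):
    """Source domains that tripped the sys_resource capability check."""
    return sorted({describe(e)["domain"] for e in events.values()
                   if "sys_resource" in e["AVC"]["perms"]})
```

Note that the SYSCALL record for knotify4 shows success=no (exit=-13, EACCES) because the process was in Enforcing mode, while the two write(2) calls behind the sys_resource denials still succeeded, since a failed capability check only tells the kernel to fall back to the unprivileged path.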