on machine with CPU -> 100%, lots of avc's

Daniel J Walsh dwalsh at redhat.com
Tue Feb 10 11:43:42 UTC 2009


Antonio Olivares wrote:
> --- On Wed, 2/4/09, Christopher Beland <beland at alum.mit.edu> wrote:
> 
>> From: Christopher Beland <beland at alum.mit.edu>
>> Subject: Re: on machine with CPU -> 100%, lots of avc's
>> To: olivares14031 at yahoo.com
>> Cc: "For testers of Fedora Core development releases" <fedora-test-list at redhat.com>
>> Date: Wednesday, February 4, 2009, 7:45 PM
>> Try (as root):
>>
>> service auditd restart
>>
>> and see if auditd returns OK or FAIL?  It might spit out some errors, or
>> put something in /var/log/messages.  If it complains about the log not
>> being writable by owner, then "chmod u+w /var/log/audit/*" is what
>> fixed it for me.
>>
>> It could also be an SELinux problem, but only if you have
>> SELINUX=enforcing in /etc/selinux/config.  On my test machine, I
>> generally set SELINUX=permissive there so I see avc denials, but
>> everything continues working even if there is an SELinux
>> misconfiguration.
>>
>>> Disable SELinux and AVCs will be gone. Forever.
>> I agree SELinux can be quite frustrating once you start customizing
>> services, and I have been known to turn it off entirely for that reason.
>> But for testing purposes, it's extremely useful to have people like us
>> stumble across avc denials so the general public doesn't have to, and
>> they can enjoy the security benefits.
>>
>> -B.
> 
> Thank you for your help, I am now seeing setroubleshooter kick in :)
> 
> [olivares at localhost ~]$ su -
> Password:                   
> [root at localhost ~]# service auditd restart
> Stopping auditd:                                           [FAILED]
> Starting auditd:                                           [FAILED]
> [root at localhost ~]# tail -f /var/log/messages                      
> Feb  5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc:  denied  { read write } for  pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket          
> Feb  5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:6): avc:  denied  { read write } for  pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket          
> Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc:  denied  { read write } for  pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket                
> Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:8): avc:  denied  { read write } for  pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket                
> Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc:  denied  { read write } for  pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket                    
> Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:10): avc:  denied  { read write } for  pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb  5 11:00:40 localhost auditd: audit log is not writable by owner
> Feb  5 11:00:40 localhost auditd: The audit daemon is exiting.
> Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:11): avc:  denied  { read write } for  pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:12): avc:  denied  { read write } for  pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> ^C
> [root at localhost ~]# chmod u+w /var/log/audit/*
> You have new mail in /var/spool/mail/root
> [root at localhost ~]# service auditd restart
> Stopping auditd:                                           [FAILED]
> Starting auditd:                                           [  OK  ]
> [root at localhost ~]# service auditd status
> auditd (pid  3930) is running...
> [root at localhost ~]#
> 
> Now I get to see the alerts:
> 
> 
> Summary:
> 
> SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by consoletype. It is not expected that this
> access is required by consoletype and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:system_r:consoletype_t
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Objects                socket [ unix_stream_socket ]
> Source                        consoletype
> Source Path                   /sbin/consoletype
> Port                          <Unknown>
> Host                          localhost
> Source RPM Packages           initscripts-8.89-1
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.6.4-2.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost
> Platform                      Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1
>                               SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
> Alert Count                   2
> First Seen                    Thu 05 Feb 2009 11:02:08 AM CST
> Last Seen                     Thu 05 Feb 2009 11:02:08 AM CST
> Local ID                      f1514423-f554-4573-bbbc-be7e2ea49653
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=localhost type=AVC msg=audit(1233853328.116:21): avc:  denied  { read write } for  pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=localhost type=AVC msg=audit(1233853328.116:21): avc:  denied  { read write } for  pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=localhost type=SYSCALL msg=audit(1233853328.116:21): arch=40000003 syscall=11 success=yes exit=0 a0=8401580 a1=84015e0 a2=84012e8 a3=84015e0 items=0 ppid=3960 pid=3961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
> 
> 
> 
> 
> Summary:
> 
> SELinux is preventing auditctl (auditctl_t) "read write" unconfined_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by auditctl. It is not expected that this access
> is required by auditctl and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:system_r:auditctl_t
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Objects                socket [ unix_stream_socket ]
> Source                        auditctl
> Source Path                   /sbin/auditctl
> Port                          <Unknown>
> Host                          localhost
> Source RPM Packages           audit-1.7.11-2.fc11
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.6.4-2.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost
> Platform                      Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1
>                               SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
> Alert Count                   2
> First Seen                    Thu 05 Feb 2009 11:01:56 AM CST
> Last Seen                     Thu 05 Feb 2009 11:01:56 AM CST
> Local ID                      57e3c37f-6698-456e-9d2f-86ad2b68220a
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=localhost type=AVC msg=audit(1233853316.292:19): avc:  denied  { read write } for  pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=localhost type=AVC msg=audit(1233853316.292:19): avc:  denied  { read write } for  pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=localhost type=SYSCALL msg=audit(1233853316.292:19): arch=40000003 syscall=11 success=yes exit=0 a0=83a4c40 a1=83a4e38 a2=83a8350 a3=83a4e38 items=0 ppid=3913 pid=3936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:system_r:auditctl_t:s0 key=(null)
> 
> 
> 
> I will now check my other two machines to see if auditd is running or not and apply the same fix.
> 
> Thank you for helping out again with this problem. 
> 
> Regards,
> 
> Antonio 
> 
Those all look like leaked file descriptors and would have nothing to do
with audit failing.  The devicekit_power avcs from earlier posts should
be fixed in the latest policies.

Are you running konsole?  This is leaking file descriptors which would
cause these avc messages.
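A small triage script for the diagnosis above, added here as an example and not part of the thread: it parses AVC lines in the format quoted in the post and reports any socket object that is denied from several different source domains, which is the fingerprint of a descriptor inherited across exec from a parent (such as the terminal) rather than one each program opened itself. The sample lines are constructed from the denials quoted above, plus one unrelated file denial that must not be reported.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the denials quoted in the thread: one socket
# (dev=sockfs ino=12370) reaches three different confined domains, plus one
# unrelated file denial that the check must leave alone.
SAMPLE_LOG = """\
Feb  5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc:  denied  { read write } for  pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc:  denied  { read write } for  pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb  5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc:  denied  { read write } for  pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb  5 11:05:00 localhost kernel: type=1400 audit(1233853500.000:30): avc:  denied  { write } for  pid=4001 comm="auditd" name="audit.log" dev=sda1 ino=9999 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict (perms as a set), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    return rec

def domain_type(context):
    """The type of a context string user:role:type[:range]."""
    return context.split(':')[2]

def find_leaked_fds(log_text):
    """Group socket denials by kernel object (dev, ino).  One object that is
    denied from several confined source domains, all against the same
    unconfined target, was inherited through exec, not opened by each program."""
    by_object = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or not rec.get('tclass', '').endswith('socket'):
            continue
        if domain_type(rec['tcontext']) != 'unconfined_t':
            continue
        by_object[(rec['dev'], rec['ino'])].add(domain_type(rec['scontext']))
    return {obj: sorted(doms) for obj, doms in by_object.items() if len(doms) > 1}

if __name__ == '__main__':
    for (dev, ino), doms in find_leaked_fds(SAMPLE_LOG).items():
        print(f"{dev} ino={ino}: same descriptor seen from {', '.join(doms)}")
```

Run it against `/var/log/messages` or `ausearch -m avc` output instead of the sample to check a live machine; a hit points at the parent process that launched those programs, not at the programs named in the denials.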

