john.moniz-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org
Mon Mar 15 14:45:46 UTC 2010


I'm getting these SELinux security alerts on my Fedora 12. I don't know if it's a misconfiguration or a real threat. Does anyone know what it means? I've been getting the first alert from the time I installed the distro, but haven't come up with a pattern yet. They have always been the same until today - I received a new alert, which follows the first one.

I'll be executing some of the commands suggested on the alerts once I have a better idea of what's happening.

Thanks,

John.


{Alert 1}
Summary:

SELinux is preventing /usr/sbin/NetworkManager "create" access on
NetworkManager.state.R4GQ8U.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                NetworkManager.state.R4GQ8U [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           NetworkManager-0.7.998-2.git20100106.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     <hostname>
Platform                      Linux <hostname> 2.6.32.7-37.fc12.x86_64 #1 SMP Fri
                              Jan 29 14:19:39 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 21 Feb 2010 05:42:11 AM EST
Last Seen                     Sun 21 Feb 2010 05:42:11 AM EST
Local ID                      bbe2d9d8-17c5-4dd0-b99b-971acd50d151
Line Numbers                  

Raw Audit Messages            

node=<hostname> type=AVC msg=audit(1266748931.439:6): avc:  denied  { create } for  pid=1148 comm="NetworkManager" name="NetworkManager.state.R4GQ8U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=<hostname> type=SYSCALL msg=audit(1266748931.439:6): arch=c000003e syscall=2 success=no exit=-13 a0=22c2170 a1=c2 a2=1b6 a3=4d6b726f7774654e items=0 ppid=1147 pid=1148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

{Alert 2}

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a disk drive to the system you can
relabel it using the restorecon command. For example if you saved the home
directory from a previous installation that did not use SELinux, 'restorecon -R
-v /home' will fix the labels. Otherwise you should relabel the entire file
system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                /home/john [ dir ]
Source                        gdm-simple-gree
Source Path                   /usr/libexec/gdm-simple-greeter
Port                          <Unknown>
Host                          apollo
Source RPM Packages           gdm-2.28.2-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     apollo
Platform                      Linux apollo 2.6.32.7-37.fc12.x86_64 #1 SMP Fri
                              Jan 29 14:19:39 UTC 2010 x86_64 x86_64
Alert Count                   281
First Seen                    Sun 21 Feb 2010 05:42:32 AM EST
Last Seen                     Mon 15 Mar 2010 10:12:19 AM EDT
Local ID                      76dd86e3-aa08-4fd1-a645-cfa884cc8337
Line Numbers                  

Raw Audit Messages            

node=apollo type=AVC msg=audit(1268662339.365:28903): avc:  denied  { read } for  pid=1813 comm="gdm-simple-gree" name="john" dev=sda6 ino=6422529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

node=apollo type=SYSCALL msg=audit(1268662339.365:28903): arch=c000003e syscall=254 success=no exit=-13 a0=12 a1=27f0180 a2=1002fce a3=1 items=0 ppid=1742 pid=1813 auid=4294967295 uid=42 gid=475 euid=42 suid=42 fsuid=42 egid=475 sgid=475 fsgid=475 tty=(none) ses=4294967295 comm="gdm-simple-gree" exe="/usr/libexec/gdm-simple-greeter" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
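
Added example, not part of the original post: a Python sketch that parses the two raw AVC records quoted in the alerts above and separates denials whose target is unlabeled (`file_t`), which Alert 2's text says calls for relabeling, from other denials that need a look at policy. The function names and triage labels are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# The two type=AVC records from the alerts above, copied from the post.
SAMPLE = [
    'node=<hostname> type=AVC msg=audit(1266748931.439:6): avc:  denied  { create } for  pid=1148 comm="NetworkManager" name="NetworkManager.state.R4GQ8U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'node=apollo type=AVC msg=audit(1268662339.365:28903): avc:  denied  { read } for  pid=1813 comm="gdm-simple-gree" name="john" dev=sda6 ino=6422529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    secs, serial, perms, rest = m.groups()
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec['perms'] = perms.split()
    rec['serial'] = int(serial)  # event id shared with the SYSCALL record
    rec['time_utc'] = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    for key in ('scontext', 'tcontext'):
        # user:role:type[:level]; the MLS level may itself contain ':'
        rec[key + '_type'] = rec[key].split(':', 3)[2]
    return rec


def triage(rec):
    """Triage labels are this example's own, following Alert 2's description."""
    if rec['tcontext_type'] == 'file_t':
        return 'unlabeled target: relabel (restorecon or /.autorelabel)'
    return 'policy denial: review domain and target label'


def summarize(lines):
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec:
            out.append((rec['comm'], rec['scontext_type'], rec['perms'],
                        rec['tcontext_type'], rec['tclass'], triage(rec)))
    return out


if __name__ == '__main__':
    for row in summarize(SAMPLE):
        print(row)
```

The audit timestamps convert to 10:42:11 UTC on 21 Feb 2010 and 14:12:19 UTC on 15 Mar 2010, which match the "First Seen" and "Last Seen" local times in the alerts.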



 		 	   		  