:

john.moniz-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org
Mon Mar 15 18:30:49 UTC 2010


Thanks, I didn't expect it to be a bug, thought I had a security problem. I've done the updating mentioned on Comment #3 and will keep an eye on it.

Now I turn my attention to Alert 2 at bottom of email. I also found it in bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=485921
I did the check shown on Comment #3 and found tons of files labeled file_t
(# ls -lZ /home/family/.gconf/desktop/gnome/applications/window_manager
-rw-------. family users system_u:object_r:file_t:s0      %gconf.xml)

But I don't know what to do with that info (am not familiar with labels at all). The suggestion on Comment #2 is to do the following:
touch /.autorelabel;reboot

Does that seem like a good idea? Would it be done for all of the directories involved? Any dangers to avoid?

Thanks again,

John.


> Date: Mon, 15 Mar 2010 11:00:27 -0400
> Subject: Re: [TLUG]:
> From: vanaltj-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
> To: tlug-lxSQFCZeNF4 at public.gmane.org
> 
> As a Fedora user, Red Hat Bugzilla (and google) is your friend  :D
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=562328
> 
> So I'd try a #yum update (or otherwise confirm that your
> selinux-policy package is at least as new as the version mentioned in
> Comment #3), then if you still get these alerts add your 2 cents to
> the bug report, to help the root cause get fixed.  But if you care
> only about your own system, the command mentioned in Comment 1 should
> do the trick.
> 
> cheers,
> 
> jon
> 
> On Mon, Mar 15, 2010 at 10:45 AM,  <john.moniz-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org> wrote:
> > I'm getting these SELinux security alerts on my Fedora 12. I don't know if
> > it's a misconfiguration or a real threat. Does anyone know what it means?
> > I've been getting the first alert from the time I installed the distro, but
> > haven't come up with a pattern yet. They have always been the same until
> > today - I received a new alert, which follows the first one.
> >
> > I'll be executing some of the commands suggested on the alerts once I have a
> > better idea of what's happening.
> >
> > Thanks,
> >
> > John.
> >
> >
> > {Alert 1}
> > Summary:
> >
> > SELinux is preventing /usr/sbin/NetworkManager "create" access on
> > NetworkManager.state.R4GQ8U.
> >
> > Detailed Description:
> >
> > SELinux denied access requested by NetworkManager. It is not expected that
> > this access is required by NetworkManager and this access may signal an
> > intrusion attempt. It is also possible that the specific version or
> > configuration of the application is causing it to require additional access.
> >
> > Allowing Access:
> >
> > You can generate a local policy module to allow this access - see FAQ
> > (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> > report.
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:NetworkManager_t:s0
> > Target Context                system_u:object_r:var_lib_t:s0
> > Target Objects                NetworkManager.state.R4GQ8U [ file ]
> > Source                        NetworkManager
> > Source Path                   /usr/sbin/NetworkManager
> > Port                          <Unknown>
> > Host                          <hostname>
> > Source RPM Packages           NetworkManager-0.7.998-2.git20100106.fc12
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.6.32-78.fc12
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Plugin Name                   catchall
> > Host Name                     <hostname>
> > Platform                      Linux <hostname> 2.6.32.7-37.fc12.x86_64 #1 SMP Fri
> >                               Jan 29 14:19:39 UTC 2010 x86_64 x86_64
> > Alert Count                   1
> > First Seen                    Sun 21 Feb 2010 05:42:11 AM EST
> > Last Seen                     Sun 21 Feb 2010 05:42:11 AM EST
> > Local ID                      bbe2d9d8-17c5-4dd0-b99b-971acd50d151
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=<hostname> type=AVC msg=audit(1266748931.439:6): avc:  denied  { create
> > } for  pid=1148 comm="NetworkManager" name="NetworkManager.state.R4GQ8U"
> > scontext=system_u:system_r:NetworkManager_t:s0
> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> >
> > node=<hostname> type=SYSCALL msg=audit(1266748931.439:6): arch=c000003e
> > syscall=2 success=no exit=-13 a0=22c2170 a1=c2 a2=1b6 a3=4d6b726f7774654e
> > items=0 ppid=1147 pid=1148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager"
> > exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0
> > key=(null)
> >
> > {Alert 2}
> >
> > Summary:
> >
> > SELinux is preventing access to files with the label, file_t.
> >
> > Detailed Description:
> >
> > SELinux permission checks on files labeled file_t are being denied. file_t is
> > the context the SELinux kernel gives to files that do not have a label. This
> > indicates a serious labeling problem. No files on an SELinux box should ever
> > be labeled file_t. If you have just added a disk drive to the system you can
> > relabel it using the restorecon command. For example if you saved the home
> > directory from a previous installation that did not use SELinux, 'restorecon
> > -R -v /home' will fix the labels. Otherwise you should relabel the entire
> > file system.
> >
> > Allowing Access:
> >
> > You can execute the following command as root to relabel your computer
> > system:
> > "touch /.autorelabel; reboot"
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> > Target Context                system_u:object_r:file_t:s0
> > Target Objects                /home/john [ dir ]
> > Source                        gdm-simple-gree
> > Source Path                   /usr/libexec/gdm-simple-greeter
> > Port                          <Unknown>
> > Host                          apollo
> > Source RPM Packages           gdm-2.28.2-1.fc12
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.6.32-89.fc12
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Plugin Name                   file
> > Host Name                     apollo
> > Platform                      Linux apollo 2.6.32.7-37.fc12.x86_64 #1 SMP Fri
> >                               Jan 29 14:19:39 UTC 2010 x86_64 x86_64
> > Alert Count                   281
> > First Seen                    Sun 21 Feb 2010 05:42:32 AM EST
> > Last Seen                     Mon 15 Mar 2010 10:12:19 AM EDT
> > Local ID                      76dd86e3-aa08-4fd1-a645-cfa884cc8337
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=apollo type=AVC msg=audit(1268662339.365:28903): avc:  denied  { read }
> > for  pid=1813 comm="gdm-simple-gree" name="john" dev=sda6 ino=6422529
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:file_t:s0 tclass=dir
> >
> > node=apollo type=SYSCALL msg=audit(1268662339.365:28903): arch=c000003e
> > syscall=254 success=no exit=-13 a0=12 a1=27f0180 a2=1002fce a3=1 items=0
> > ppid=1742 pid=1813 auid=4294967295 uid=42 gid=475 euid=42 suid=42 fsuid=42
> > egid=475 sgid=475 fsgid=475 tty=(none) ses=4294967295 comm="gdm-simple-gree"
> > exe="/usr/libexec/gdm-simple-greeter"
> > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> >
> >
> >
> >
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
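
Added example (not part of the original thread): a Python triage of the two AVC records quoted above. It separates denials whose target is unlabeled (file_t), which the alert text says call for relabeling, from denials against a labeled target, which are a policy question. The function names are hypothetical; the input is the thread's two AVC records unwrapped to one line each, plus a shortened SYSCALL record.

```python
import re

# The two AVC records from the alerts above, unwrapped to one line each (as the
# audit log stores them), plus a shortened SYSCALL record that must be skipped.
SAMPLE_AUDIT = """\
node=<hostname> type=AVC msg=audit(1266748931.439:6): avc:  denied  { create } for  pid=1148 comm="NetworkManager" name="NetworkManager.state.R4GQ8U" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
node=apollo type=AVC msg=audit(1268662339.365:28903): avc:  denied  { read } for  pid=1813 comm="gdm-simple-gree" name="john" dev=sda6 ino=6422529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
node=apollo type=SYSCALL msg=audit(1268662339.365:28903): arch=c000003e syscall=254 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of user:role:type:level (the level may hold ':')."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
    }

def triage(denial):
    """file_t target: the object has no label, so relabel (restorecon or autorelabel).
    Any other target type: labeled object, so the policy itself is in question."""
    return "labeling" if denial["target_type"] == "file_t" else "policy"

def summarize(text):
    """Return (comm, name, target_type, verdict) for every AVC denial in text."""
    denials = filter(None, (parse_avc(line) for line in text.splitlines()))
    return [(d["comm"], d["name"], d["target_type"], triage(d)) for d in denials]

if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT):
        print(row)
```
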