On 08/21/2014 02:09 PM, Les Mikesell wrote:
> On Thu, Aug 21, 2014 at 12:23 PM, <m.r...@5-cent.us> wrote:
>> Les Mikesell wrote:
>>> A machine I set up to run OpenNMS stopped working last night - no
>>> hardware alarm lights, but keyboard/monitor/network unresponsive.
>>> After a reboot I see a large stack of messages like this in
>>> /var/log/messages:
>>>
>>> ----
>>> Aug 20 14:02:34 opennms-h-03 python: SELinux is preventing
>>> /usr/sbin/monitor-get-edid-using-vbe from mmap
>>> _zero access on the memprotect .
>>> ------
>>> and then this final message
>>>
>>> Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute
>>> 'split'
>>>
>>>
>>> Do either of those look fatal? And where else should I look for the
>>> underlying problem?
>>>
>> Looks like all selinux to me, esp. the wording. Is it in enforcing mode? I
>> wonder if it's possible that there's a bug in an selinux policy that
>> results in "IT'S NOT SAFE!!! SHUT IT DOWN!!!".
> /var/log/audit/audit.log says:
> type=AVC msg=audit(1408478520.792:7016): avc: denied { mmap_zero }
> for pid=17977 comm="monitor-get-edi"
> scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
> tclass=memprotect
>
> which isn't particularly readable but I would guess means that it
> blocked the ocsinventory-agent from getting the monitor type. Not
> sure why that is supposed to be helpful, but it also doesn't sound
> fatal. And somewhat irrelevant on a normally headless server.
>
> Does that dbus error look serious?
> Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute
> 'split'
>
> --
> Les Mikesell
> lesmikes...@gmail.com
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

mmap_zero is a fairly dangerous access. It means the object is attempting to memory map low memory in the kernel.
Bugs in the kernel have been known to allow priv escalation, can be prevented by this check.

http://eparis.livejournal.com/
Talks about the access check.

I usually tell people to avoid these apps, but if you need to run it, you can turn the protection off as the alert told you.

setsebool -P mmap_low_allowed 1