Re: SELinux kerneloops and dhclient issues
Stephen Croll wrote:
> Daniel J Walsh wrote:
>> So KDE+Konsole seems to be leaking a file descriptor.
>
> Yes, that seems to be the case. With KDE 4.1, the fd is now 23 (if
> that's somehow useful):
>
> [EMAIL PROTECTED] ~]# ls -lZ /proc/self/fd
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 -> /dev/pts/1
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 -> /dev/pts/1
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2 -> /dev/pts/1
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 23 -> socket:[31558]
> lr-x-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3 -> /proc/5660/fd
>
> Also, NetworkManager, whether on or off, doesn't seem to make a
> difference now.
> --
> Steve Croll

Report it as a bug to KDE. You can CC me if you like.

You can allow this rule or dontaudit it using audit2allow to build
policy. Or you can tell setroubleshoot to ignore the avc.

It will not cause you any problems and SELinux will close the leaked
file descriptor before starting any confined domains.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
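The mechanism behind the leaked descriptor discussed in this thread, as an added example (not code from the thread, from KDE or from Fedora): a parent creates a Unix stream socket and execs a child, and unless close-on-exec is set the child still holds it, which is what `ls -lZ /proc/self/fd` showed as fd 23 and fd 25. The function and enum names are hypothetical, and Linux with /proc mounted and /bin/sh present is assumed.

```c
/* Added example: descriptor inheritance across exec(). Linux-only (uses /proc). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum fd_policy {
    LEAKY,            /* plain socketpair(): inherited by every exec'd child */
    CLOEXEC_AT_OPEN,  /* SOCK_CLOEXEC set atomically when the socket is created */
    CLOEXEC_LATER     /* FD_CLOEXEC added with fcntl() after creation */
};

/*
 * Create a Unix stream socket (as a desktop application might for its own
 * IPC), then fork and exec a shell that checks whether that descriptor
 * number exists in its own /proc/self/fd.
 * Returns 1 if the child inherited the socket, 0 if not, -1 on error.
 */
int child_inherits_socket(enum fd_policy policy)
{
    int sv[2];
    int type = SOCK_STREAM | (policy == CLOEXEC_AT_OPEN ? SOCK_CLOEXEC : 0);

    if (socketpair(AF_UNIX, type, 0, sv) < 0)
        return -1;

    /* Only sv[0] is under test; the peer end is never passed on. */
    if (fcntl(sv[1], F_SETFD, FD_CLOEXEC) < 0 ||
        (policy == CLOEXEC_LATER && fcntl(sv[0], F_SETFD, FD_CLOEXEC) < 0)) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    /* -L uses lstat(), so the check is "does this fd entry exist". */
    char check[64];
    snprintf(check, sizeof check, "[ -L /proc/self/fd/%d ]", sv[0]);

    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", check, (char *)NULL);
        _exit(127);                          /* exec itself failed */
    }

    int status = 0, result = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        if (WEXITSTATUS(status) == 0)
            result = 1;                      /* entry present: fd leaked */
        else if (WEXITSTATUS(status) == 1)
            result = 0;                      /* entry absent: fd was closed */
    }
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("plain socketpair:   child sees fd = %d\n",
           child_inherits_socket(LEAKY));
    printf("SOCK_CLOEXEC:       child sees fd = %d\n",
           child_inherits_socket(CLOEXEC_AT_OPEN));
    printf("fcntl(FD_CLOEXEC):  child sees fd = %d\n",
           child_inherits_socket(CLOEXEC_LATER));
    return 0;
}
```
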
Re: SELinux kerneloops and dhclient issues
Daniel J Walsh wrote:
> So KDE+Konsole seems to be leaking a file descriptor.

Yes, that seems to be the case. With KDE 4.1, the fd is now 23 (if
that's somehow useful):

[EMAIL PROTECTED] ~]# ls -lZ /proc/self/fd
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 -> /dev/pts/1
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 -> /dev/pts/1
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2 -> /dev/pts/1
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 23 -> socket:[31558]
lr-x-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3 -> /proc/5660/fd

Also, NetworkManager, whether on or off, doesn't seem to make a
difference now.

--
Steve Croll
Re: SELinux kerneloops and dhclient issues
Stephen Croll wrote:
> Daniel J Walsh wrote:
>> So it looks like you already have a leaked file descriptor in the shell
>> that you are running these commands from
>>
>> Does ls -lZ /proc/self/fd show anything strange?
>
> Yes it does, fd 25:
>
> [EMAIL PROTECTED] ~]# ls -lZ /proc/self/fd
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 -> /dev/pts/0
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 -> /dev/pts/0
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2 -> /dev/pts/0
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 25 -> socket:[18571]
> lr-x-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3 -> /proc/3446/fd
>
> It would appear fd 3 is what ls is using to read the entries in
> /proc/self/fd (also verified with strace):
>
> [EMAIL PROTECTED] ~]# ls -lZ /proc/self/fd &
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 -> /dev/pts/0
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 -> /dev/pts/0
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2 -> /dev/pts/0
> lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 25 -> socket:[18571]
> lr-x-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3 -> /proc/3463/fd
> [1] 3463
> [1]+  Done                    ls --color=auto -lZ /proc/self/fd
>
> I've been trying to figure out the mysteries of NetworkManager and
> mixing wired and wireless connections. I just noticed that if I don't
> have NetworkManager configured at boot, I don't get the AVC denial nor
> do I see the socket on fd 25.
>
> Additionally, I noticed that even if NetworkManager is configured at
> boot, I don't see the AVC denial/fd 25 issue when running in a virtual
> terminal. Upon further investigation, this issue only seems to occur
> when running KDE+konsole, but not KDE+gnome-terminal, nor
> GNOME+konsole, nor GNOME+gnome-terminal.
>

So KDE+Konsole seems to be leaking a file descriptor.

> Also, I don't see fd 25 when connecting remotely (over SSH) and
> running the above ls command.
>
> --
> Steve Croll
Re: SELinux kerneloops and dhclient issues
Daniel J Walsh wrote:
> So it looks like you already have a leaked file descriptor in the shell
> that you are running these commands from
>
> Does ls -lZ /proc/self/fd show anything strange?

Yes it does, fd 25:

[EMAIL PROTECTED] ~]# ls -lZ /proc/self/fd
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 -> /dev/pts/0
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 -> /dev/pts/0
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2 -> /dev/pts/0
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 25 -> socket:[18571]
lr-x-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3 -> /proc/3446/fd

It would appear fd 3 is what ls is using to read the entries in
/proc/self/fd (also verified with strace):

[EMAIL PROTECTED] ~]# ls -lZ /proc/self/fd &
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 0 -> /dev/pts/0
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1 -> /dev/pts/0
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2 -> /dev/pts/0
lrwx-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 25 -> socket:[18571]
lr-x-- root root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3 -> /proc/3463/fd
[1] 3463
[1]+  Done                    ls --color=auto -lZ /proc/self/fd

I've been trying to figure out the mysteries of NetworkManager and
mixing wired and wireless connections. I just noticed that if I don't
have NetworkManager configured at boot, I don't get the AVC denial nor
do I see the socket on fd 25.

Additionally, I noticed that even if NetworkManager is configured at
boot, I don't see the AVC denial/fd 25 issue when running in a virtual
terminal. Upon further investigation, this issue only seems to occur
when running KDE+konsole, but not KDE+gnome-terminal, nor
GNOME+konsole, nor GNOME+gnome-terminal.

Also, I don't see fd 25 when connecting remotely (over SSH) and
running the above ls command.

--
Steve Croll
Re: SELinux kerneloops and dhclient issues
Stephen Croll wrote:
> Daniel J Walsh wrote:
>> The dhcp_t (/sbin/dhclient) trying to read/write an unconfined_t
>> unix_stream_socket, is a leaked file descriptor. So it is a bug in some
>> application that you are using to bring up your network. What app are
>> you using for this?
>>
>
> The following apps produce the issue: /sbin/ifup, /sbin/ifdown, and
> /sbin/dhclient. Sample usage:
>
> [EMAIL PROTECTED] ~]# /sbin/ifconfig
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)
>
> [EMAIL PROTECTED] ~]# /sbin/ifup eth0        <-- AVC Denial
>
> Determining IP information for eth0... done.
> [EMAIL PROTECTED] ~]# /sbin/ifconfig
> eth0      Link encap:Ethernet HWaddr 00:15:C5:3E:AC:A7
>           inet addr:192.168.2.4 Bcast:192.168.2.255 Mask:255.255.255.0
>           inet6 addr: fe80::215:c5ff:fe3e:aca7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:15 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:152 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3507 (3.4 KiB) TX bytes:34235 (33.4 KiB)
>           Interrupt:17
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)
>
> [EMAIL PROTECTED] ~]# /sbin/ifdown eth0        <-- AVC Denial
> [EMAIL PROTECTED] ~]# /sbin/ifconfig
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)
>
> [EMAIL PROTECTED] ~]# /sbin/ifconfig eth0 up
> [EMAIL PROTECTED] ~]# /sbin/ifconfig
> eth0      Link encap:Ethernet HWaddr 00:15:C5:3E:AC:A7
>           inet6 addr: fe80::215:c5ff:fe3e:aca7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:16 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3571 (3.4 KiB) TX bytes:36889 (36.0 KiB)
>           Interrupt:17
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)
>
> [EMAIL PROTECTED] ~]# /sbin/dhclient eth0        <-- AVC Denial
> [EMAIL PROTECTED] ~]# /sbin/ifconfig
> eth0      Link encap:Ethernet HWaddr 00:15:C5:3E:AC:A7
>           inet addr:192.168.2.4 Bcast:192.168.2.255 Mask:255.255.255.0
>           inet6 addr: fe80::215:c5ff:fe3e:aca7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>           RX packets:17 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3918 (3.8 KiB) TX bytes:41608 (40.6 KiB)
>           Interrupt:17
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1 Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MTU:16436 Metric:1
>           RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)
> --
> Steve Croll
>

So it looks like you already have a leaked file descriptor in the shell
that you are running these commands from

Does ls -lZ /proc/self/fd show anything strange?
Re: SELinux kerneloops and dhclient issues
Daniel J Walsh wrote:
> The dhcp_t (/sbin/dhclient) trying to read/write an unconfined_t
> unix_stream_socket, is a leaked file descriptor. So it is a bug in some
> application that you are using to bring up your network. What app are
> you using for this?

The following apps produce the issue: /sbin/ifup, /sbin/ifdown, and
/sbin/dhclient. Sample usage:

[EMAIL PROTECTED] ~]# /sbin/ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)

[EMAIL PROTECTED] ~]# /sbin/ifup eth0        <-- AVC Denial

Determining IP information for eth0... done.
[EMAIL PROTECTED] ~]# /sbin/ifconfig
eth0      Link encap:Ethernet HWaddr 00:15:C5:3E:AC:A7
          inet addr:192.168.2.4 Bcast:192.168.2.255 Mask:255.255.255.0
          inet6 addr: fe80::215:c5ff:fe3e:aca7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3507 (3.4 KiB) TX bytes:34235 (33.4 KiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)

[EMAIL PROTECTED] ~]# /sbin/ifdown eth0        <-- AVC Denial
[EMAIL PROTECTED] ~]# /sbin/ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)

[EMAIL PROTECTED] ~]# /sbin/ifconfig eth0 up
[EMAIL PROTECTED] ~]# /sbin/ifconfig
eth0      Link encap:Ethernet HWaddr 00:15:C5:3E:AC:A7
          inet6 addr: fe80::215:c5ff:fe3e:aca7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3571 (3.4 KiB) TX bytes:36889 (36.0 KiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)

[EMAIL PROTECTED] ~]# /sbin/dhclient eth0        <-- AVC Denial
[EMAIL PROTECTED] ~]# /sbin/ifconfig
eth0      Link encap:Ethernet HWaddr 00:15:C5:3E:AC:A7
          inet addr:192.168.2.4 Bcast:192.168.2.255 Mask:255.255.255.0
          inet6 addr: fe80::215:c5ff:fe3e:aca7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3918 (3.8 KiB) TX bytes:41608 (40.6 KiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:3776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:188960 (184.5 KiB) TX bytes:188960 (184.5 KiB)

--
Steve Croll
Re: SELinux kerneloops and dhclient issues
Stephen Croll wrote:
> Note: Originally posted to fedora-list.
>
> The "setroubleshoot browser" is reporting the following issues on Fedora 9:
>
> SELinux is preventing kerneloops (kerneloops_t) "signal" to (kerneloops_t).
> SELinux is preventing dhclient (dhcpc_t) "read write" to socket (unconfined_t).
>
> The first issue occurred on boot, but no longer seems to be happening.
> The second issue occurs when I bring up eth0.
>
> Should I file a bug report, or might there be something more sinister
> going on?
>
> For reference, the complete reports are as follows:
>
> Summary:
>
> SELinux is preventing kerneloops (kerneloops_t) "signal" to (kerneloops_t).
>
> Detailed Description:
>
> SELinux denied access requested by kerneloops. It is not expected that this
> access is required by kerneloops and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:kerneloops_t:s0
> Target Context                system_u:system_r:kerneloops_t:s0
> Target Objects                None [ process ]
> Source                        kerneloops
> Source Path                   /usr/sbin/kerneloops
> Port
> Host                          gerbil
> Source RPM Packages           kerneloops-0.11-1.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-84.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gerbil
> Platform                      Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Sun 07 Sep 2008 03:21:55 AM CDT
> Last Seen                     Sun 07 Sep 2008 03:21:55 AM CDT
> Local ID                      fa4c1bd0-faf1-48ba-ba55-74285538ef90
> Line Numbers
>
> Raw Audit Messages
>
> host=gerbil type=AVC msg=audit(1220775715.59:8): avc: denied { signal } for pid=2363 comm="kerneloops" scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=process
>
> host=gerbil type=SYSCALL msg=audit(1220775715.59:8): arch=c03e syscall=234 success=no exit=-13 a0=93b a1=93b a2=6 a3=8 items=0 ppid=1 pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0 key=(null)
>
> -and-
>
> Summary:
>
> SELinux is preventing dhclient (dhcpc_t) "read write" to socket (unconfined_t).
>
> Detailed Description:
>
> SELinux denied access requested by dhclient. It is not expected that this access
> is required by dhclient and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                socket [ unix_stream_socket ]
> Source                        dhclient
> Source Path                   /sbin/dhclient
> Port
> Host                          gerbil
> Source RPM Packages           dhclient-4.0.0-14.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-84.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gerbil
> Platform                      Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
> Alert Count                   16
> First Seen
Re: SELinux kerneloops and dhclient issues
On Sun, 2008-09-07 at 04:42 -0500, Stephen Croll wrote:
> The "setroubleshoot browser" is reporting the following issues on Fedora 9:
>
> SELinux is preventing kerneloops (kerneloops_t) "signal" to
> --
> Steve Croll

Steve

I would say pass this to the selinux list, a lot of good knowledge there.

http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Frank

--
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com
SELinux kerneloops and dhclient issues
The "setroubleshoot browser" is reporting the following issues on Fedora 9:

SELinux is preventing kerneloops (kerneloops_t) "signal" to (kerneloops_t).
SELinux is preventing dhclient (dhcpc_t) "read write" to socket (unconfined_t).

The first issue occurs on boot. The second issue occurs when I bring up eth0.

Should I file a bug report, or might there be something more sinister
going on?

For reference, the complete reports are as follows:

Summary:

SELinux is preventing kerneloops (kerneloops_t) "signal" to (kerneloops_t).

Detailed Description:

SELinux denied access requested by kerneloops. It is not expected that this
access is required by kerneloops and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:kerneloops_t:s0
Target Context                system_u:system_r:kerneloops_t:s0
Target Objects                None [ process ]
Source                        kerneloops
Source Path                   /usr/sbin/kerneloops
Port
Host                          gerbil
Source RPM Packages           kerneloops-0.11-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gerbil
Platform                      Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 07 Sep 2008 03:21:55 AM CDT
Last Seen                     Sun 07 Sep 2008 03:21:55 AM CDT
Local ID                      fa4c1bd0-faf1-48ba-ba55-74285538ef90
Line Numbers

Raw Audit Messages

host=gerbil type=AVC msg=audit(1220775715.59:8): avc: denied { signal } for pid=2363 comm="kerneloops" scontext=system_u:system_r:kerneloops_t:s0 tcontext=system_u:system_r:kerneloops_t:s0 tclass=process

host=gerbil type=SYSCALL msg=audit(1220775715.59:8): arch=c03e syscall=234 success=no exit=-13 a0=93b a1=93b a2=6 a3=8 items=0 ppid=1 pid=2363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0 key=(null)

-and-

Summary:

SELinux is preventing dhclient (dhcpc_t) "read write" to socket (unconfined_t).

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                socket [ unix_stream_socket ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port
Host                          gerbil
Source RPM Packages           dhclient-4.0.0-14.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-84.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gerbil
Platform                      Linux gerbil 2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35 EDT 2008 x86_64 x86_64
Alert Count                   16
First Seen                    Sun 07 Sep 2008 12:56:48 AM CDT
Last Seen                     Sun 07 Sep 2008 03:23:07 AM CDT
Local ID                      a3b5492a-0ef2-4cc3-bdd0-4c06696bae70
Line Numbers

Raw Audit Messages

host=gerbil type=AVC msg=audit(1220775787.407:21): avc: denied { read write } f