FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 03-03-2009, 12:23 AM
Antonio Olivares
 
Default avcs on rawhide new and old one

Summary:

SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0
.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source crontab
Source Path /usr/bin/crontab
Port <Unknown>
Host riohigh
Source RPM Packages cronie-1.2-6.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.6-8.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1
SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
Alert Count 16
First Seen Mon 02 Mar 2009 07:11:37 PM CST
Last Seen Mon 02 Mar 2009 07:11:39 PM CST
Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15740]" dev=sockfs ino=15740 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1236042699.560:325): arch=40000003 syscall=11 success=yes exit=0 a0=9756cc8 a1=9765140 a2=9750a18 a3=9765140 items=0 ppid=6988 pid=7023 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux prevented kde4-config from writing .kde.

Detailed Description:

SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
want to allow this. If .kde is not a core file, this could signal a intrusion
attempt.

Allowing Access:

Changing the "allow_daemons_dump_core" boolean to true will allow this access:
"setsebool -P allow_daemons_dump_core=1."

Fix Command:

setsebool -P allow_daemons_dump_core=1

Additional Information:

Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_ubject_r:root_t:s0
Target Objects .kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host riohigh
Source RPM Packages kdelibs-4.2.1-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.6-8.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_dump_core
Host Name riohigh
Platform Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1
SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
Alert Count 16
First Seen Tue 17 Feb 2009 08:36:03 AM CST
Last Seen Mon 02 Mar 2009 03:49:11 PM CST
Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236030551.278:7): avc: denied { create } for pid=2361 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_ubject_r:root_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1236030551.278:7): arch=40000003 syscall=39 success=no exit=-13 a0=9e843f8 a1=1c0 a2=60cf8c a3=0 items=0 ppid=2360 pid=2361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)




Thanks,

Antonio






--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-03-2009, 01:46 PM
Daniel J Walsh
 
Default avcs on rawhide new and old one

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
>
>
>
> Summary:
>
> SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by crontab. It is not expected that this access
> is required by crontab and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0
> .c1023
> Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> 023
> Target Objects socket [ unix_stream_socket ]
> Source crontab
> Source Path /usr/bin/crontab
> Port <Unknown>
> Host riohigh
> Source RPM Packages cronie-1.2-6.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.6-8.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name riohigh
> Platform Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1
> SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
> Alert Count 16
> First Seen Mon 02 Mar 2009 07:11:37 PM CST
> Last Seen Mon 02 Mar 2009 07:11:39 PM CST
> Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15740]" dev=sockfs ino=15740 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t :s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236042699.560:325): arch=40000003 syscall=11 success=yes exit=0 a0=9756cc8 a1=9765140 a2=9750a18 a3=9765140 items=0 ppid=6988 pid=7023 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
>
>
>
> Summary:
>
> SELinux prevented kde4-config from writing .kde.
>
> Detailed Description:
>
> SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
> want to allow this. If .kde is not a core file, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> Changing the "allow_daemons_dump_core" boolean to true will allow this access:
> "setsebool -P allow_daemons_dump_core=1."
>
> Fix Command:
>
> setsebool -P allow_daemons_dump_core=1
>
> Additional Information:
>
> Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context system_ubject_r:root_t:s0
> Target Objects .kde [ dir ]
> Source kde4-config
> Source Path /usr/bin/kde4-config
> Port <Unknown>
> Host riohigh
> Source RPM Packages kdelibs-4.2.1-1.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.6-8.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_daemons_dump_core
> Host Name riohigh
> Platform Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1
> SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
> Alert Count 16
> First Seen Tue 17 Feb 2009 08:36:03 AM CST
> Last Seen Mon 02 Mar 2009 03:49:11 PM CST
> Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236030551.278:7): avc: denied { create } for pid=2361 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_ubject_r:root_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1236030551.278:7): arch=40000003 syscall=39 success=no exit=-13 a0=9e843f8 a1=1c0 a2=60cf8c a3=0 items=0 ppid=2360 pid=2361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Thanks,
>
> Antonio
>
>
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
THe .kde problem has been reported, to kdebase.

THe crontab trying to talk to unconfined_t unix stream socket, I think
is a leaked file descriptor caused by restarting cron, perhaps from a
konsole?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmtQuIACgkQrlYvE4MpobNRvgCg0/AgI5iDOwBlv7t9QO4kIAMj
FNEAoNuT68US7f92FwgxqFGoQ0Kt9p/n
=K84y
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 07:50 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org