Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   Funny AVC from USB CD plugin (http://www.linux-archive.org/fedora-selinux-support/30327-funny-avc-usb-cd-plugin.html)

"Tom London" 01-06-2008 05:50 PM

Funny AVC from USB CD plugin
 
Running latest Rawhide, targeted/enforcing.

Plugging in an 'old USB CD drive', I got the following audit message:

[root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8

Summary:

SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).

Detailed Description:

SELinux denied access requested by ln(/bin/ln). It is not expected that this
access is required by ln(/bin/ln) and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for <Unknown>, restorecon -v <Unknown> If this
does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context system_u:object_r:etc_t
Target Objects None [ lnk_file ]
Source ln(/bin/ln)
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.2.5-8.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
12:46:45 EST 2008 i686 i686
Alert Count 2
First Seen Sun Jan 6 10:30:15 2008
Last Seen Sun Jan 6 10:30:15 2008
Local ID fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
denied { create } for pid=6933 comm="ln" name=".is-writeable"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)


Here are the messages from /var/log/messages:

Jan 6 10:30:05 localhost kernel: usb 2-2: new full speed USB device
using uhci_hcd and address 4
Jan 6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
Jan 6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass
Storage devices
Jan 6 10:30:06 localhost kernel: usb-storage: device found at 4
Jan 6 10:30:06 localhost kernel: usb-storage: waiting for device to
settle before scanning
Jan 6 10:30:11 localhost kernel: usb-storage: device scan complete
Jan 6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM IBM
USB CD-ROM 20A4 PQ: 0 ANSI: 0 CCS
Jan 6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw
xa/form2 cdda pop-up
Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
Jan 6 10:30:18 localhost setroubleshoot: #012 SELinux is
preventing ln(/bin/ln) (udev_t) "create" to &lt;Unknown&gt;
(etc_t).#012 For complete SELinux messages. run sealert -l
fb77e7e0-3515-4866-9a8f-e1db99f9b4b8


Putting system in permissive mode, I get these:

type=AVC msg=audit(1199645179.126:34): avc: denied { create } for
pid=7782 comm="ln" name=".is-writeable"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83
success=yes exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0
ppid=7780 pid=7782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for
pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301
success=yes exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0
ppid=7780 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="rm" exe="/bin/rm"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1199645179.255:36): avc: denied { append } for
pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0
ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5
success=yes exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761
pid=7780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="write_cd_rules" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

udev issue?

tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Daniel J Walsh 01-07-2008 03:56 PM

Funny AVC from USB CD plugin
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> Plugging in an 'old USB CD drive', I got the following audit message:
>
> [root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
>
> Summary:
>
> SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).
>
> Detailed Description:
>
> SELinux denied access requested by ln(/bin/ln). It is not expected that this
> access is required by ln(/bin/ln) and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for <Unknown>, restorecon -v <Unknown> If this
> does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:udev_t:SystemLow-SystemHigh
> Target Context system_u:object_r:etc_t
> Target Objects None [ lnk_file ]
> Source ln(/bin/ln)
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.2.5-8.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
> 12:46:45 EST 2008 i686 i686
> Alert Count 2
> First Seen Sun Jan 6 10:30:15 2008
> Last Seen Sun Jan 6 10:30:15 2008
> Local ID fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
> denied { create } for pid=6933 comm="ln" name=".is-writeable"
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
> arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
> a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
> exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
>
>
> Here are the messages from /var/log/messages:
>
> Jan 6 10:30:05 localhost kernel: usb 2-2: new full speed USB device
> using uhci_hcd and address 4
> Jan 6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
> Jan 6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass
> Storage devices
> Jan 6 10:30:06 localhost kernel: usb-storage: device found at 4
> Jan 6 10:30:06 localhost kernel: usb-storage: waiting for device to
> settle before scanning
> Jan 6 10:30:11 localhost kernel: usb-storage: device scan complete
> Jan 6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM IBM
> USB CD-ROM 20A4 PQ: 0 ANSI: 0 CCS
> Jan 6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw
> xa/form2 cdda pop-up
> Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
> Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
> Jan 6 10:30:18 localhost setroubleshoot: #012 SELinux is
> preventing ln(/bin/ln) (udev_t) "create" to &lt;Unknown&gt;
> (etc_t).#012 For complete SELinux messages. run sealert -l
> fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
>
>
> Putting system in permissive mode, I get these:
>
> type=AVC msg=audit(1199645179.126:34): avc: denied { create } for
> pid=7782 comm="ln" name=".is-writeable"
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83
> success=yes exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0
> ppid=7780 pid=7782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for
> pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301
> success=yes exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0
> ppid=7780 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="rm" exe="/bin/rm"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1199645179.255:36): avc: denied { append } for
> pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0
> ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5
> success=yes exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761
> pid=7780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="write_cd_rules" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
>
> udev issue?
>
> tom
Yes report it as a bug there. I have a fealing it should be something
done in the post install script and not by udev. udev writing its own
config files is probably a bad idea.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeCWc0ACgkQrlYvE4MpobMJQwCgicGwHVWLjo 3mFaVNx7ExilO1
jDsAoNlzbXVlmqkGeea7KaI8HmEJwqlg
=tBkg
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

"Tom London" 01-07-2008 04:25 PM

Funny AVC from USB CD plugin
 
On Jan 7, 2008 8:56 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Tom London wrote:
> > Running latest Rawhide, targeted/enforcing.
> >
> > Plugging in an 'old USB CD drive', I got the following audit message:
> >
> > [root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> >
> > Summary:
> >
> > SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).
> >
> > Detailed Description:
> >
> > SELinux denied access requested by ln(/bin/ln). It is not expected that this
> > access is required by ln(/bin/ln) and this access may signal an intrusion
> > attempt. It is also possible that the specific version or configuration of the
> > application is causing it to require additional access.
> >
> > Allowing Access:
> >
> > Sometimes labeling problems can cause SELinux denials. You could try to restore
> > the default system file context for <Unknown>, restorecon -v <Unknown> If this
> > does not work, there is currently no automatic way to allow this access.
> > Instead, you can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> > SELinux protection altogether. Disabling SELinux protection is not recommended.
> > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context system_u:system_r:udev_t:SystemLow-SystemHigh
> > Target Context system_u:object_r:etc_t
> > Target Objects None [ lnk_file ]
> > Source ln(/bin/ln)
> > Port <Unknown>
> > Host localhost.localdomain
> > Source RPM Packages
> > Target RPM Packages
> > Policy RPM selinux-policy-3.2.5-8.fc9
> > Selinux Enabled True
> > Policy Type targeted
> > MLS Enabled True
> > Enforcing Mode Enforcing
> > Plugin Name catchall_file
> > Host Name localhost.localdomain
> > Platform Linux localhost.localdomain
> > 2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
> > 12:46:45 EST 2008 i686 i686
> > Alert Count 2
> > First Seen Sun Jan 6 10:30:15 2008
> > Last Seen Sun Jan 6 10:30:15 2008
> > Local ID fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
> > denied { create } for pid=6933 comm="ln" name=".is-writeable"
> > scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> >
> > host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
> > arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
> > a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
> > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
> > exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> >
> >
> > Here are the messages from /var/log/messages:
> >
> > Jan 6 10:30:05 localhost kernel: usb 2-2: new full speed USB device
> > using uhci_hcd and address 4
> > Jan 6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
> > Jan 6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass
> > Storage devices
> > Jan 6 10:30:06 localhost kernel: usb-storage: device found at 4
> > Jan 6 10:30:06 localhost kernel: usb-storage: waiting for device to
> > settle before scanning
> > Jan 6 10:30:11 localhost kernel: usb-storage: device scan complete
> > Jan 6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM IBM
> > USB CD-ROM 20A4 PQ: 0 ANSI: 0 CCS
> > Jan 6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw
> > xa/form2 cdda pop-up
> > Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
> > Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
> > Jan 6 10:30:18 localhost setroubleshoot: #012 SELinux is
> > preventing ln(/bin/ln) (udev_t) "create" to &lt;Unknown&gt;
> > (etc_t).#012 For complete SELinux messages. run sealert -l
> > fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> >
> >
> > Putting system in permissive mode, I get these:
> >
> > type=AVC msg=audit(1199645179.126:34): avc: denied { create } for
> > pid=7782 comm="ln" name=".is-writeable"
> > scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> > type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83
> > success=yes exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0
> > ppid=7780 pid=7782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln"
> > subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for
> > pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
> > scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> > type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301
> > success=yes exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0
> > ppid=7780 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) comm="rm" exe="/bin/rm"
> > subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1199645179.255:36): avc: denied { append } for
> > pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0
> > ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:etc_t:s0 tclass=file
> > type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5
> > success=yes exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761
> > pid=7780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) comm="write_cd_rules" exe="/bin/bash"
> > subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> >
> > udev issue?
> >
> > tom
> Yes report it as a bug there. I have a fealing it should be something
> done in the post install script and not by udev. udev writing its own
> config files is probably a bad idea.

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=427808

--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


All times are GMT. The time now is 08:37 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.