
"Pedro Jose" 03-26-2008 07:18 PM

Problem with SELinux and rkhunter on Fedora 8
 
Hello:

I'm a Spanish user of Fedora 8, a great distribution. I am sending this mail
because I see an alert from the SELinux troubleshooter with rkhunter. I have
received two alerts:

ResúmenSELinux is preventing sendmail (system_mail_t) "append" to
/var/rkhunter/tmp/rkhcronlog.mFxQaF5049 (var_t). Descripción
DetalladaSELinux denied access requested by sendmail. It is not
expected that this access is required by sendmail and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access. Permitiendo AccesoSometimes labeling problems can
cause SELinux denials. You could try to restore the default system
file context for /var/rkhunter/tmp/rkhcronlog.mFxQaF5049, restorecon
-v '/var/rkhunter/tmp/rkhcronlog.mFxQaF5049' If this does not work,
there is currently no automatic way to allow this access. Instead, you
can generate a local policy module to allow this access - see FAQ Or
you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package. Información AdicionalContexto Fuente:
system_u:system_r:system_mail_t:s0Contexto Destino:
system_u:object_r:var_t:s0Objetos Destino:
/var/rkhunter/tmp/rkhcronlog.mFxQaF5049 [ file ]Source:
sendmailSource Path: /usr/sbin/sendmail.sendmailPort:
<Desconocido>Host: localhost.localdomainSource RPM Packages:
sendmail-8.14.2-1.fc8Target RPM Packages: RPM de Políticas:
selinux-policy-3.0.8-93.fc8SELinux Activado: TrueTipo de Política:
targetedMLS Activado: TrueModo Obediente: EnforcingNombre de Plugin:
catchall_fileNombre de Equipo: localhost.localdomainPlataforma:
Linux localhost.localdomain 2.6.24.3-34.fc8 #1 SMP Wed Mar 12 18:17:20
EDT 2008 i686 i686Cantidad de Alertas: 1First Seen: mié 26 mar 2008
18:47:43 CETLast Seen: mié 26 mar 2008 18:47:43 CETLocal ID:
65abd64d-1a3f-4d68-a9b0-5ea5cf268d85Números de Línea: Mensajes de
Auditoría Crudos :host=localhost.localdomain type=AVC
msg=audit(1206553663.4:30): avc: denied { append } for pid=21759
comm="sendmail" path="/var/rkhunter/tmp/rkhcronlog.mFxQaF5049"
dev=sda6 ino=1766018 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1206553663.4:30):
arch=40000003 syscall=11 success=yes exit=0 a0=805848b a1=956760c
a2=bfc98a58 a3=956760c items=0 ppid=21758 pid=21759 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0 key=(null)

The second alert is the same, but the destination file changes.

How do I solve it?

Sorry, my English is very bad.
--
Saludos,


Pedro

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

"Pedro Jose" 03-26-2008 07:20 PM

Sorry, I did not paste the warning well. Here is a more readable version.

Thanks.

Resúmen:

SELinux is preventing sendmail (system_mail_t) "append" to
/var/rkhunter/tmp/rkhcronlog.mFxQaF5049 (var_t).

Descripción Detallada:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Permitiendo Acceso:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/rkhunter/tmp/rkhcronlog.mFxQaF5049,

restorecon -v '/var/rkhunter/tmp/rkhcronlog.mFxQaF5049'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Información Adicional:

Contexto Fuente system_u:system_r:system_mail_t:s0
Contexto Destino system_u:object_r:var_t:s0
Objetos Destino /var/rkhunter/tmp/rkhcronlog.mFxQaF5049 [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Desconocido>
Host localhost.localdomain
Source RPM Packages sendmail-8.14.2-1.fc8
Target RPM Packages
RPM de Políticas selinux-policy-3.0.8-93.fc8
SELinux Activado True
Tipo de Política targeted
MLS Activado True
Modo Obediente Enforcing
Nombre de Plugin catchall_file
Nombre de Equipo localhost.localdomain
Plataforma Linux localhost.localdomain 2.6.24.3-34.fc8 #1 SMP
Wed Mar 12 18:17:20 EDT 2008 i686 i686
Cantidad de Alertas 1
First Seen mié 26 mar 2008 18:47:43 CET
Last Seen mié 26 mar 2008 18:47:43 CET
Local ID 65abd64d-1a3f-4d68-a9b0-5ea5cf268d85
Números de Línea

Mensajes de Auditoría Crudos

host=localhost.localdomain type=AVC msg=audit(1206553663.4:30): avc:
denied { append } for pid=21759 comm="sendmail"
path="/var/rkhunter/tmp/rkhcronlog.mFxQaF5049" dev=sda6 ino=1766018
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1206553663.4:30):
arch=40000003 syscall=11 success=yes exit=0 a0=805848b a1=956760c
a2=bfc98a58 a3=956760c items=0 ppid=21758 pid=21759 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0 key=(null)


Josef Kubin 03-27-2008 10:44 AM

Hello, it needs a new SELinux policy for rkhunter:
I'm currently working on it ...
Relational thing is https://bugzilla.redhat.com/show_bug.cgi?id=438576

Josef


Daniel J Walsh 03-29-2008 04:07 PM

Josef Kubin wrote:
> Hello, it needs a new SELinux policy for rkhunter:
> I'm currently working on it ...
> Relational thing is https://bugzilla.redhat.com/show_bug.cgi?id=438576
>
> Josef
Josef and I played around with a policy for rkhunter and quickly found
it to be too cumbersome to confine. Pretty much needs unconfined_domain
to do its thing. rkhunter package is moving its log files to /var/log
and other files to /var/run. We can then make policy for sendmail to
dontaudit writes. This is a perfect example of allowing sendmail
Read/Write but no Open.

Pedro, you can allow this access by executing

# grep mail /var/log/audit/audit.log | audit2allow -M myrkhunter
# semodule -i myrkhunter.pp
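
Added example, not part of the original thread or of any poster's message: a small Python parser that turns the AVC denial quoted above into the type-enforcement rule a local module would need, so the rules can be reviewed before the module is loaded with semodule. The first sample record is the one from this thread; the second record and the helper names (parse_avc, allow_rule, rules_for) are constructed for illustration.

```python
import re

# First record is the AVC denial quoted in this thread (line breaks joined).
# The second is a constructed record, included because it also contains "mail".
AUDIT_LINES = [
    'host=localhost.localdomain type=AVC msg=audit(1206553663.4:30): avc: '
    'denied { append } for pid=21759 comm="sendmail" '
    'path="/var/rkhunter/tmp/rkhcronlog.mFxQaF5049" dev=sda6 ino=1766018 '
    'scontext=system_u:system_r:system_mail_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file',
    'type=AVC msg=audit(1206553700.1:31): avc: denied { read } for pid=21800 '
    'comm="logwatch" name="maillog" dev=sda6 ino=12345 '
    'scontext=system_u:system_r:logwatch_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    # A context is user:role:type[:level]; the rule is written on the types.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    rec['perms'] = m.group(1).split()
    return rec


def allow_rule(rec):
    """Render the type-enforcement rule that would permit the denied access."""
    perms = rec['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        rec['source_type'], rec['target_type'], rec['tclass'], perm)


def rules_for(lines, needle):
    """Rules for every denial on a line containing needle (as grep would select)."""
    parsed = (parse_avc(line) for line in lines if needle in line)
    return sorted({allow_rule(r) for r in parsed if r})


if __name__ == '__main__':
    for rule in rules_for(AUDIT_LINES, 'mail'):
        print(rule)
```

The rule derived from the thread's record is written on types, so it covers append by system_mail_t to any file labelled var_t, not only the rkhunter temporary file. Matching on the substring "mail" also selects the constructed logwatch record, while matching on comm="sendmail" selects only the denial from this thread.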
