FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 02-04-2010, 05:50 PM
Kevin Kempter
 
Default SELinux detecting suspicious behavior on my system

Hi All;

I've seen several of the below SELinux messages recently, I do have root
logins disables in my /etc/ssh/sshd_config file:

<snip>
PermitRootLogin no
</snip>



Any thoughts on this? Is it cause for concern?




================================================== ====
SELinux message:
================================================== ====

Summary:

SELinux is preventing /usr/libexec/polkit-1/polkitd "search" access on
/root/.config.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by polkitd. It is not expected that this
access
is required by polkitd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context system_u:system_rolicykit_t:s0-s0:c0.c1023
Target Context system_ubject_r:gnome_home_t:s0
Target Objects /root/.config [ dir ]
Source polkitd
Source Path /usr/libexec/polkit-1/polkitd
Port <Unknown>
Host Issac.consistentstate.com
Source RPM Packages polkit-0.95-0.git20090913.3.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-78.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name catchall
Host Name Issac.consistentstate.com
Platform Linux Issac.consistentstate.com
2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18
19:52:07 UTC 2010 x86_64 x86_64
Alert Count 11
First Seen Wed 03 Feb 2010 05:13:02 PM MST
Last Seen Thu 04 Feb 2010 08:00:56 AM MST
Local ID 69fff773-fb91-4b4f-b309-25e3e2455071
Line Numbers

Raw Audit Messages

node=Issac.consistentstate.com type=AVC msg=audit(1265295656.734:13): avc:
denied { search } for pid=1831 comm="polkitd" name=".config" dev=sda1
ino=5283846 scontext=system_u:system_rolicykit_t:s0-s0:c0.c1023
tcontext=system_ubject_r:gnome_home_t:s0 tclass=dir

node=Issac.consistentstate.com type=SYSCALL msg=audit(1265295656.734:13):
arch=c000003e syscall=2 success=no exit=-2 a0=100e640 a1=0 a2=0 a3=1d items=0
ppid=1830 pid=1831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd"
exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_rolicykit_t:s0-
s0:c0.c1023 key=(null)


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-04-2010, 07:00 PM
Daniel J Walsh
 
Default SELinux detecting suspicious behavior on my system

On 02/04/2010 01:50 PM, Kevin Kempter wrote:
> Hi All;
>
> I've seen several of the below SELinux messages recently, I do have root
> logins disables in my /etc/ssh/sshd_config file:
>
> <snip>
> PermitRootLogin no
> </snip>
>
>
>
> Any thoughts on this? Is it cause for concern?
>
>
>
>
> ================================================== ====
> SELinux message:
> ================================================== ====
>
> Summary:
>
> SELinux is preventing /usr/libexec/polkit-1/polkitd "search" access on
> /root/.config.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux denied access requested by polkitd. It is not expected that this
> access
> is required by polkitd and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context system_u:system_rolicykit_t:s0-s0:c0.c1023
> Target Context system_ubject_r:gnome_home_t:s0
> Target Objects /root/.config [ dir ]
> Source polkitd
> Source Path /usr/libexec/polkit-1/polkitd
> Port <Unknown>
> Host Issac.consistentstate.com
> Source RPM Packages polkit-0.95-0.git20090913.3.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.32-78.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Plugin Name catchall
> Host Name Issac.consistentstate.com
> Platform Linux Issac.consistentstate.com
> 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18
> 19:52:07 UTC 2010 x86_64 x86_64
> Alert Count 11
> First Seen Wed 03 Feb 2010 05:13:02 PM MST
> Last Seen Thu 04 Feb 2010 08:00:56 AM MST
> Local ID 69fff773-fb91-4b4f-b309-25e3e2455071
> Line Numbers
>
> Raw Audit Messages
>
> node=Issac.consistentstate.com type=AVC msg=audit(1265295656.734:13): avc:
> denied { search } for pid=1831 comm="polkitd" name=".config" dev=sda1
> ino=5283846 scontext=system_u:system_rolicykit_t:s0-s0:c0.c1023
> tcontext=system_ubject_r:gnome_home_t:s0 tclass=dir
>
> node=Issac.consistentstate.com type=SYSCALL msg=audit(1265295656.734:13):
> arch=c000003e syscall=2 success=no exit=-2 a0=100e640 a1=0 a2=0 a3=1d items=0
> ppid=1830 pid=1831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd"
> exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_rolicykit_t:s0-
> s0:c0.c1023 key=(null)
>
>

Fixed in selinux-policy-3.6.32-83.fc12
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 

Thread Tools




All times are GMT. The time now is 11:05 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org