kernel oops, dhclient, NetworkManager denials

Daniel J Walsh dwalsh at redhat.com
Sat Mar 7 14:47:52 UTC 2009


On 03/06/2009 06:10 PM, Antonio Olivares wrote:
> Dear selinux experts,
>
> I am running rawhide and I have encountered the following denied avc's.  Thank you all for your help in anticipation :).
>
>
> Summary:
>
> SELinux is preventing kerneloops (kerneloops_t) "read" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by kerneloops. It is not expected that this
> access is required by kerneloops and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:kerneloops_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:inotifyfs_t:s0
> Target Objects                inotify [ dir ]
> Source                        kerneloops
> Source Path                   /usr/sbin/kerneloops
> Port<Unknown>
> Host                          riohigh
> Source RPM Packages           kerneloops-0.12-3.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.7-2.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
>                                Wed Mar 4 18:03:29 EST 2009 i686 athlon
> Alert Count                   2
> First Seen                    Fri 06 Mar 2009 08:37:41 AM CST
> Last Seen                     Fri 06 Mar 2009 04:13:48 PM CST
> Local ID                      a255a610-ce27-4ae2-8583-5e79658a0022
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236377628.970:206): avc:  denied  { read } for  pid=14322 comm="kerneloops" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1236377628.970:206): arch=40000003 syscall=11 success=yes exit=0 a0=987de20 a1=987dde8 a2=987d008 a3=9880368 items=0 ppid=14321 pid=14322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Summary:
>
> SELinux is preventing NetworkManager (NetworkManager_t) "read write"
> unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by NetworkManager. It is not expected that this
> access is required by NetworkManager and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:NetworkManager_t:s0
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                                023
> Target Objects                socket [ unix_stream_socket ]
> Source                        NetworkManager
> Source Path                   /usr/sbin/NetworkManager
> Port<Unknown>
> Host                          riohigh
> Source RPM Packages           NetworkManager-0.7.0.99-1.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.7-2.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
>                                Wed Mar 4 18:03:29 EST 2009 i686 athlon
> Alert Count                   5
> First Seen                    Mon 23 Feb 2009 07:23:54 AM CST
> Last Seen                     Fri 06 Mar 2009 04:15:00 PM CST
> Local ID                      f192ed25-15af-43fd-aa2e-524cca16b88a
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
>
>
>
> Summary:
>
> SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by consoletype. It is not expected that this
> access is required by consoletype and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:consoletype_t:s0
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                                023
> Target Objects                socket [ unix_stream_socket ]
> Source                        consoletype
> Source Path                   /sbin/consoletype
> Port<Unknown>
> Host                          riohigh
> Source RPM Packages           initscripts-8.89-2
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.7-2.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
>                                Wed Mar 4 18:03:29 EST 2009 i686 athlon
> Alert Count                   10
> First Seen                    Mon 23 Feb 2009 07:23:51 AM CST
> Last Seen                     Fri 06 Mar 2009 04:15:00 PM CST
> Local ID                      2797c459-0038-4c1e-a419-d4bc54691e3a
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236377700.541:235): avc:  denied  { read write } for  pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.541:235): avc:  denied  { read write } for  pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.541:235): avc:  denied  { read write } for  pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236377700.541:235): arch=40000003 syscall=11 success=yes exit=0 a0=8fe0470 a1=8fe0078 a2=8fe01c8 a3=8fe0078 items=0 ppid=14458 pid=14459 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
>
>
>
> Summary:
>
> SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by dhclient. It is not expected that this access
> is required by dhclient and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                                023
> Target Objects                socket [ unix_stream_socket ]
> Source                        dhclient
> Source Path                   /sbin/dhclient
> Port<Unknown>
> Host                          riohigh
> Source RPM Packages           dhclient-4.1.0-9.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.7-2.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
>                                Wed Mar 4 18:03:29 EST 2009 i686 athlon
> Alert Count                   3
> First Seen                    Fri 06 Mar 2009 04:16:01 PM CST
> Last Seen                     Fri 06 Mar 2009 04:16:01 PM CST
> Local ID                      a9c1d6de-334d-4f45-99bb-470f0f97e3ff
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236377761.743:243): avc:  denied  { read write } for  pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377761.743:243): avc:  denied  { read write } for  pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377761.743:243): avc:  denied  { read write } for  pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236377761.743:243): arch=40000003 syscall=11 success=yes exit=0 a0=8d98e40 a1=8da51d0 a2=8d891b8 a3=8da51d0 items=0 ppid=14469 pid=14537 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=10 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
>
>
>
> I first started the system, then I saw that there was no connection, so I did a service NetworkManager stop, followed by a start and then the denied avc.  I did not get a working internet connection, so I then went to call dhclient, the command worked, but selinux kicked in.  Thank you for your help.  Will get back to work on Monday :)
>
> Regards,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
kerneloops should be fixed in current rawhide.
selinux-policy-3.6.8-1.fc11

THe other leaks are probably caused by running konsole/kde.  Which leaks 
file descriptors like crazy.  You can create a policy te file like the 
following


cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)

require {
	type unconfined_t;
	attribute domain;
	class unix_stream_socket { read write };
}

#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };

_eof
# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp




More information about the fedora-selinux-list mailing list