Attachment 309357 Details for Bug 448333 – sealerts

sealerts

selinux_alert.txt (text/plain), 10.44 KB, created by Frank Murphy on 2008-06-14 11:44:37 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Frank Murphy

Created: 2008-06-14 11:44:37 UTC

Size: 10.44 KB

patch

obsolete

>
>Summary:
>
>SELinux is preventing pam_timestamp_c (unlabeled_t) "getattr" to / (root_t).
>
>Detailed Description:
>
>SELinux denied access requested by pam_timestamp_c. It is not expected that this
>access is required by pam_timestamp_c and this access may signal an intrusion
>attempt. It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>
>Sometimes labeling problems can cause SELinux denials. You could try to restore
>the default system file context for /,
>
>restorecon -v '/'
>
>If this does not work, there is currently no automatic way to allow this access.
>Instead, you can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                system_u:object_r:unlabeled_t:s0
>Target Context                system_u:object_r:root_t:s0
>Target Objects                / [ dir ]
>Source                        pam_timestamp_c
>Source Path                   /sbin/pam_timestamp_check
>Port                          <Unknown>
>Host                          rawhide-02
>Source RPM Packages           pam-1.0.1-4.fc9
>Target RPM Packages           filesystem-2.4.13-1.fc9
>Policy RPM                    selinux-policy-3.3.1-64.fc9
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     rawhide-02
>Platform                      Linux rawhide-02 2.6.25.6-55.fc9.i686 #1 SMP Tue
>                              Jun 10 16:27:49 EDT 2008 i686 i686
>Alert Count                   23
>First Seen                    Sat 14 Jun 2008 12:22:01 PM IST
>Last Seen                     Sat 14 Jun 2008 12:24:35 PM IST
>Local ID                      44c8faba-729d-49e8-9522-aea82f73b43b
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=rawhide-02 type=AVC msg=audit(1213442675.0:203): avc:  denied  { getattr } for  pid=2523 comm="pam_timestamp_c" path="/" dev=dm-0 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
>
>host=rawhide-02 type=SYSCALL msg=audit(1213442675.0:203): arch=40000003 syscall=196 success=no exit=-13 a0=bf8908b4 a1=bf8907e0 a2=29fff4 a3=0 items=0 ppid=2503 pid=2523 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pam_timestamp_c" exe="/sbin/pam_timestamp_check" subj=system_u:object_r:unlabeled_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing pam_timestamp_c (unlabeled_t) "search" to / (root_t).
>
>Detailed Description:
>
>SELinux denied access requested by pam_timestamp_c. It is not expected that this
>access is required by pam_timestamp_c and this access may signal an intrusion
>attempt. It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>
>Sometimes labeling problems can cause SELinux denials. You could try to restore
>the default system file context for /,
>
>restorecon -v '/'
>
>If this does not work, there is currently no automatic way to allow this access.
>Instead, you can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                system_u:object_r:unlabeled_t:s0
>Target Context                system_u:object_r:root_t:s0
>Target Objects                / [ dir ]
>Source                        pam_timestamp_c
>Source Path                   /sbin/pam_timestamp_check
>Port                          <Unknown>
>Host                          rawhide-02
>Source RPM Packages           pam-1.0.1-4.fc9
>Target RPM Packages           filesystem-2.4.13-1.fc9
>Policy RPM                    selinux-policy-3.3.1-64.fc9
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall_file
>Host Name                     rawhide-02
>Platform                      Linux rawhide-02 2.6.25.6-55.fc9.i686 #1 SMP Tue
>                              Jun 10 16:27:49 EDT 2008 i686 i686
>Alert Count                   23
>First Seen                    Sat 14 Jun 2008 12:22:01 PM IST
>Last Seen                     Sat 14 Jun 2008 12:24:35 PM IST
>Local ID                      13111b77-27fa-4b7a-9896-89da811449e7
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=rawhide-02 type=AVC msg=audit(1213442675.0:204): avc:  denied  { search } for  pid=2523 comm="pam_timestamp_c" name="/" dev=dm-0 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
>
>host=rawhide-02 type=SYSCALL msg=audit(1213442675.0:204): arch=40000003 syscall=5 success=no exit=-13 a0=2741a6 a1=0 a2=1b6 a3=2741a6 items=0 ppid=2503 pid=2523 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pam_timestamp_c" exe="/sbin/pam_timestamp_check" subj=system_u:object_r:unlabeled_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing pam_timestamp_c (unlabeled_t) "create" to <Unknown>
>(unlabeled_t).
>
>Detailed Description:
>
>SELinux denied access requested by pam_timestamp_c. It is not expected that this
>access is required by pam_timestamp_c and this access may signal an intrusion
>attempt. It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>
>You can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                system_u:object_r:unlabeled_t:s0
>Target Context                system_u:object_r:unlabeled_t:s0
>Target Objects                None [ unix_dgram_socket ]
>Source                        pam_timestamp_c
>Source Path                   /sbin/pam_timestamp_check
>Port                          <Unknown>
>Host                          rawhide-02
>Source RPM Packages           pam-1.0.1-4.fc9
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.3.1-64.fc9
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall
>Host Name                     rawhide-02
>Platform                      Linux rawhide-02 2.6.25.6-55.fc9.i686 #1 SMP Tue
>                              Jun 10 16:27:49 EDT 2008 i686 i686
>Alert Count                   23
>First Seen                    Sat 14 Jun 2008 12:22:01 PM IST
>Last Seen                     Sat 14 Jun 2008 12:24:35 PM IST
>Local ID                      c8b7cd17-3b71-4efb-875e-80e4afc01588
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=rawhide-02 type=AVC msg=audit(1213442675.0:205): avc:  denied  { create } for  pid=2523 comm="pam_timestamp_c" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_dgram_socket
>
>host=rawhide-02 type=SYSCALL msg=audit(1213442675.0:205): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf8905b0 a2=29fff4 a3=14 items=0 ppid=2503 pid=2523 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pam_timestamp_c" exe="/sbin/pam_timestamp_check" subj=system_u:object_r:unlabeled_t:s0 key=(null)
>
>
>
>
>Summary:
>
>SELinux is preventing pam_timestamp_c (unlabeled_t) "use" to pipe
>(unconfined_t).
>
>Detailed Description:
>
>SELinux denied access requested by pam_timestamp_c. It is not expected that this
>access is required by pam_timestamp_c and this access may signal an intrusion
>attempt. It is also possible that the specific version or configuration of the
>application is causing it to require additional access.
>
>Allowing Access:
>
>You can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                system_u:object_r:unlabeled_t:s0
>Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                              023
>Target Objects                pipe [ fd ]
>Source                        pam_timestamp_c
>Source Path                   /sbin/pam_timestamp_check
>Port                          <Unknown>
>Host                          rawhide-02
>Source RPM Packages           pam-1.0.1-4.fc9
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.3.1-64.fc9
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall
>Host Name                     rawhide-02
>Platform                      Linux rawhide-02 2.6.25.6-55.fc9.i686 #1 SMP Tue
>                              Jun 10 16:27:49 EDT 2008 i686 i686
>Alert Count                   23
>First Seen                    Sat 14 Jun 2008 12:22:01 PM IST
>Last Seen                     Sat 14 Jun 2008 12:24:35 PM IST
>Local ID                      31018b81-b4ca-4402-9a49-0499ecf69da6
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=rawhide-02 type=AVC msg=audit(1213442675.0:206): avc:  denied  { use } for  pid=2523 comm="pam_timestamp_c" path="pipe:[20173]" dev=pipefs ino=20173 scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd
>
>host=rawhide-02 type=SYSCALL msg=audit(1213442675.0:206): arch=40000003 syscall=4 success=no exit=-13 a0=1 a1=b7f90000 a2=2 a3=2 items=0 ppid=2503 pid=2523 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pam_timestamp_c" exe="/sbin/pam_timestamp_check" subj=system_u:object_r:unlabeled_t:s0 key=(null)
>
>

Actions: View

Attachments on bug 448333: 309357