Attachment 948457 Details for Bug 1154567 – Sealert parse of audit.log

Sealert parse of audit.log

sealertoutput.txt (text/plain), 10.18 KB, created by Tzach Shefi on 2014-10-20 08:13:20 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Tzach Shefi

Created: 2014-10-20 08:13:20 UTC

Size: 10.18 KB

patch

obsolete

>type=AVC msg=audit(1413725783.696:1152): avc:  denied  { mounton } for  pid=28653 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=9043 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
> 
>**** Invalid AVC allowed in current policy ***
>
>type=AVC msg=audit(1413725783.696:1151): avc:  denied  { mounton } for  pid=28653 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=9043 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
> 
>**** Invalid AVC allowed in current policy ***
>
>type=AVC msg=audit(1413725783.696:1153): avc:  denied  { mounton } for  pid=28653 comm="systemd-logind" path="/run/user/0" dev="tmpfs" ino=9043 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
> 
>**** Invalid AVC allowed in current policy ***
>
>'list' object has no attribute 'split'
>
>found 4 alerts in /var/log/audit/audit.log
>--------------------------------------------------------------------------------
>
>SELinux is preventing /usr/sbin/sshd from using the dyntransition access on a process.
>
>*****  Plugin catchall (100. confidence) suggests   **************************
>
>If you believe that sshd should be allowed dyntransition access on processes labeled sshd_net_t by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep sshd /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>
>Additional Information:
>Source Context                system_u:system_r:unconfined_service_t:s0
>Target Context                system_u:system_r:sshd_net_t:s0
>Target Objects                Unknown [ process ]
>Source                        sshd
>Source Path                   /usr/sbin/sshd
>Port                          <Unknown>
>Host                          <Unknown>
>Source RPM Packages           openssh-server-6.6.1p1-5.fc21.1.x86_64
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.13.1-86.fc21.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     cougar12.scl.lab.tlv.redhat.com
>Platform                      Linux cougar12.scl.lab.tlv.redhat.com
>                              3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
>                              UTC 2013 x86_64 x86_64
>Alert Count                   3
>First Seen                    2014-10-20 09:30:51 IDT
>Last Seen                     2014-10-20 10:41:40 IDT
>Local ID                      d8ecb9c7-74c6-42b1-a564-7f10e2157cc2
>
>Raw Audit Messages
>type=AVC msg=audit(1413790900.505:1600): avc:  denied  { dyntransition } for  pid=27752 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:sshd_net_t:s0 tclass=process
>
>
>type=SYSCALL msg=audit(1413790900.505:1600): arch=x86_64 syscall=write success=no exit=EACCES a0=6 a1=7f131be8b3e0 a2=20 a3=85b items=0 ppid=27751 pid=27752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:unconfined_service_t:s0 key=(null)
>
>Hash: sshd,unconfined_service_t,sshd_net_t,process,dyntransition
>
>--------------------------------------------------------------------------------
>
>SELinux is preventing /usr/sbin/sshd from using the dyntransition access on a process.
>
>*****  Plugin catchall (100. confidence) suggests   **************************
>
>If you believe that sshd should be allowed dyntransition access on processes labeled unconfined_t by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep sshd /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>
>Additional Information:
>Source Context                system_u:system_r:unconfined_service_t:s0
>Target Context                unconfined_u:unconfined_r:unconfined_t:s0
>Target Objects                Unknown [ process ]
>Source                        sshd
>Source Path                   /usr/sbin/sshd
>Port                          <Unknown>
>Host                          <Unknown>
>Source RPM Packages           openssh-server-6.6.1p1-5.fc21.1.x86_64
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.13.1-86.fc21.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     cougar12.scl.lab.tlv.redhat.com
>Platform                      Linux cougar12.scl.lab.tlv.redhat.com
>                              3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
>                              UTC 2013 x86_64 x86_64
>Alert Count                   5
>First Seen                    2014-10-20 09:31:19 IDT
>Last Seen                     2014-10-20 10:42:08 IDT
>Local ID                      c70add38-31a3-4f86-b905-cfc387b3fd22
>
>Raw Audit Messages
>type=AVC msg=audit(1413790928.204:1614): avc:  denied  { dyntransition } for  pid=27751 comm="sshd" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>
>
>type=SYSCALL msg=audit(1413790928.204:1614): arch=x86_64 syscall=write success=no exit=EACCES a0=4 a1=7f131be972a0 a2=2a a3=666e6f636e753a72 items=0 ppid=30106 pid=27751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=169 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:unconfined_service_t:s0 key=(null)
>
>Hash: sshd,unconfined_service_t,unconfined_t,process,dyntransition
>
>--------------------------------------------------------------------------------
>
>SELinux is preventing /usr/sbin/sshd from using the transition access on a process.
>
>*****  Plugin catchall (100. confidence) suggests   **************************
>
>If you believe that sshd should be allowed transition access on processes labeled unconfined_t by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep sshd /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>
>Additional Information:
>Source Context                system_u:system_r:unconfined_service_t:s0
>Target Context                unconfined_u:unconfined_r:unconfined_t:s0
>Target Objects                /usr/bin/bash [ process ]
>Source                        sshd
>Source Path                   /usr/sbin/sshd
>Port                          <Unknown>
>Host                          <Unknown>
>Source RPM Packages           openssh-server-6.6.1p1-5.fc21.1.x86_64
>Target RPM Packages           bash-4.3.30-2.fc21.x86_64
>Policy RPM                    selinux-policy-3.13.1-86.fc21.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     cougar12.scl.lab.tlv.redhat.com
>Platform                      Linux cougar12.scl.lab.tlv.redhat.com
>                              3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
>                              UTC 2013 x86_64 x86_64
>Alert Count                   2
>First Seen                    2014-10-20 09:31:19 IDT
>Last Seen                     2014-10-20 10:42:08 IDT
>Local ID                      b2812cf5-0112-4aba-a521-eb456282df64
>
>Raw Audit Messages
>type=AVC msg=audit(1413790928.308:1622): avc:  denied  { transition } for  pid=27755 comm="sshd" path="/usr/bin/bash" dev="dm-1" ino=10093109 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>
>
>type=SYSCALL msg=audit(1413790928.308:1622): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f131be8b9f0 a1=7fffe95187f0 a2=7f131be8b100 a3=8 items=0 ppid=27751 pid=27755 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=169 tty=pts0 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:unconfined_service_t:s0 key=(null)
>
>Hash: sshd,unconfined_service_t,unconfined_t,process,transition
>
>--------------------------------------------------------------------------------
>
>SELinux is preventing /usr/sbin/sshd from using the sigchld access on a process.
>
>*****  Plugin catchall (100. confidence) suggests   **************************
>
>If you believe that sshd should be allowed sigchld access on processes labeled unconfined_service_t by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep sshd /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>
>Additional Information:
>Source Context                system_u:system_r:sshd_net_t:s0
>Target Context                system_u:system_r:unconfined_service_t:s0
>Target Objects                Unknown [ process ]
>Source                        sshd
>Source Path                   /usr/sbin/sshd
>Port                          <Unknown>
>Host                          <Unknown>
>Source RPM Packages           openssh-server-6.6.1p1-5.fc21.1.x86_64
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.13.1-86.fc21.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     cougar12.scl.lab.tlv.redhat.com
>Platform                      Linux cougar12.scl.lab.tlv.redhat.com
>                              3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
>                              UTC 2013 x86_64 x86_64
>Alert Count                   1
>First Seen                    2014-10-20 09:33:17 IDT
>Last Seen                     2014-10-20 09:33:17 IDT
>Local ID                      e0d89901-3334-4887-ba09-b2cec2c3a886
>
>Raw Audit Messages
>type=AVC msg=audit(1413786797.934:1563): avc:  denied  { sigchld } for  pid=27505 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
>
>
>type=SYSCALL msg=audit(1413786797.934:1563): arch=x86_64 syscall=wait4 success=yes exit=27506 a0=6b72 a1=7fff55641240 a2=0 a3=0 items=0 ppid=30106 pid=27505 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:unconfined_service_t:s0 key=(null)
>
>Hash: sshd,sshd_net_t,unconfined_service_t,process,sigchld
>

Actions: View

Attachments on bug 1154567: 948456 | 948457