Bug 443262
| Field | Value |
|---|---|
| Summary | SELinux denied access requested by kismet_server. |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 8 |
| Status | CLOSED RAWHIDE |
| Severity | low |
| Priority | low |
| Hardware | All |
| OS | Linux |
| Reporter | Need Real Name <kodis> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | jkubin, rh-bugzilla |
| Doc Type | Bug Fix |
| Last Closed | 2008-05-02 19:54:57 UTC |

Description
Need Real Name
2008-04-19 20:58:36 UTC
reassigning from 'kismet' to 'selinux-policy'...

Are there any avc messages in /var/log/audit/audit.log?

No audit.log, but messages has:

    setroubleshoot: SELinux is preventing kismet_server (kismet_t) "create" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l e85c155b-d5d3-4423-9d44-dc30ddddfa83

The sealert output reports:

    # sealert -l e85c155b-d5d3-4423-9d44-dc30ddddfa83

    Summary:

    SELinux is preventing kismet_server (kismet_t) "create" to <Unknown> (kismet_t).

    Detailed Description:

    SELinux denied access requested by kismet_server. It is not expected that this access is required by kismet_server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

    Allowing Access:

    You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

    Additional Information:

    Source Context                system_u:system_r:kismet_t:s0
    Target Context                system_u:system_r:kismet_t:s0
    Target Objects                None [ packet_socket ]
    Source                        kismet_server
    Source Path                   /usr/bin/kismet_server
    Port                          <Unknown>
    Host                          papa.home
    Source RPM Packages           kismet-0.0.2007.10.R1-0.fc8
    Target RPM Packages
    Policy RPM                    selinux-policy-3.0.8-95.fc8
    Selinux Enabled               True
    Policy Type                   targeted
    MLS Enabled                   True
    Enforcing Mode                Enforcing
    Plugin Name                   catchall
    Host Name                     papa.home
    Platform                      Linux papa.home 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
    Alert Count                   5
    First Seen                    Sat Apr 19 16:51:39 2008
    Last Seen                     Sun Apr 20 09:15:06 2008
    Local ID                      e85c155b-d5d3-4423-9d44-dc30ddddfa83
    Line Numbers

    Raw Audit Messages

    host=papa.home type=AVC msg=audit(1208697306.99:1292): avc: denied { create } for pid=24263 comm="kismet_server" scontext=system_u:system_r:kismet_t:s0 tcontext=system_u:system_r:kismet_t:s0 tclass=packet_socket

    host=papa.home type=SYSCALL msg=audit(1208697306.99:1292): arch=c000003e syscall=41 success=no exit=-13 a0=11 a1=3 a2=300 a3=3df95529f0 items=0 ppid=24262 pid=24263 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="kismet_server" exe="/usr/bin/kismet_server" subj=system_u:system_r:kismet_t:s0 key=(null)

But wait, there's more! If I set enforcing to 0, kismet starts up, but there are many more selinux messages in the log:

    Apr 20 09:36:38 papa dbus: avc: received setenforce notice (enforcing=0)
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "ioctl" to socket (kismet_t). For complete SELinux messages. run sealert -l ff8de3d9-1268-47eb-b6e8-13dc2dc56c5f
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "create" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l e85c155b-d5d3-4423-9d44-dc30ddddfa83
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "bind" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 4f644161-601f-41ff-9678-d0587a3607ba
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "create" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 2a70fae6-4e5b-4237-93d2-2e5f8c17c098
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "setopt" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 27f9b21a-bcd2-4b97-9d0b-58467f811b28
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "getopt" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 8fd16776-2e9b-4646-87e9-9b6c46d64790
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "write" to system_bus_socket (system_dbusd_var_run_t). For complete SELinux messages. run sealert -l c4b9bb16-56a4-4974-968a-eeb4e3b8e50c
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing the kismet_server (kismet_t) from binding to port 2501. For complete SELinux messages. run sealert -l f57f4891-3bac-4d1b-9e7d-9b8e7b9cc267
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "listen" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 6dedd413-9cd4-4f59-8be3-69df233575ab
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "read" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l c58dfadd-0584-4109-8834-5f555ad612b6
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "write" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l cb57f0df-ef44-44e8-87b1-857411c0c03c
    Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "read" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l fc616aba-b641-464d-91cf-86db38f0efbb
    Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing the kismet_client from using potentially mislabeled files (./group_map). For complete SELinux messages. run sealert -l 138ac0b4-7ecb-4067-928e-28a8f525d898
    Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_client (kismet_t) "read" to ./info (proc_t). For complete SELinux messages. run sealert -l c2625b1d-32b2-4b1f-969f-cc34c02d65d2
    Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing the kismet_client from using potentially mislabeled files (/root/group_map). For complete SELinux messages. run sealert -l eaad1860-bdc3-4a66-8b79-b352cf9edce6
    Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing the kismet_client (kismet_t) from connecting to port 2501. For complete SELinux messages. run sealert -l 55af7385-2997-4ec7-999a-70226628e971
    Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_client (kismet_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete SELinux messages. run sealert -l 16f6ba86-5a12-46fa-9943-f23f9d5bc3d6
    Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_server (kismet_t) "accept" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 87c1623d-aae6-4aa7-9866-d02c36ccf2c8
    Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_client (kismet_t) "read" to xterm (usr_t). For complete SELinux messages. run sealert -l 7beeb23f-e2fe-48ae-bb72-e327e7b9841d
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "read" to ./traffic.wav (usr_t). For complete SELinux messages. run sealert -l 145b033d-e2eb-42ac-8051-10f76d1c3110
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "getattr" to /usr/share/kismet/wav/traffic.wav (usr_t). For complete SELinux messages. run sealert -l d8f223c1-62ba-4473-a189-7a6fa96df0cb
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing the play from using potentially mislabeled files (/root/.pulse-cookie). For complete SELinux messages. run sealert -l 0fea8eee-a5d9-4edb-a9b5-f057cfcd0397
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing the play from using potentially mislabeled files (./.pulse-cookie). For complete SELinux messages. run sealert -l bae0056b-fd09-4664-a8e5-d9d6616121e3
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "read" to / (tmpfs_t). For complete SELinux messages. run sealert -l 6745348d-fe59-4430-bd09-043f51e1e410
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "write" to / (tmpfs_t). For complete SELinux messages. run sealert -l a020d729-0eb3-4b48-97f7-22a323a54e5a
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "kill" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 70e3d894-d10b-4ac8-b2c2-7193867733ad
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "getattr" to / (tmpfs_t). For complete SELinux messages. run sealert -l a02dbbc0-5b70-4e13-983e-e9ebd529df08
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "dac_override" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l c216c108-c8ac-457c-906b-ce0e1e8b8c77
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "getattr" to /dev/shm/pulse-shm-3394103506 (unconfined_tmpfs_t). For complete SELinux messages. run sealert -l 8f205aa4-8b96-4744-8522-e665f99de743
    Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t) "remove_name" to ./pulse-shm-771863178 (tmpfs_t). For complete SELinux messages. run sealert -l 14811fce-38ff-4970-8883-85d3f7cca477
    Apr 20 09:36:56 papa setroubleshoot: SELinux is preventing kismet_client (kismet_t) "sigkill" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 9250cbe3-0828-4b86-ac9e-6a5069505cd7
    Apr 20 09:36:56 papa setroubleshoot: SELinux is preventing kismet (kismet_t) "signal" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l 52c45f8a-3bde-46de-8e6e-834008a35044
    Apr 20 09:37:24 papa dbus: avc: received setenforce notice (enforcing=1)

Please attach the /var/log/audit/audit.log

Created attachment 304163
/var/log/audit/audit.log

I've recently upgraded to Fedora 9 Preview, and am seeing the same SELinux denials when running kismet. Attached is the audit.log file that results from truncating the log, setting selinux enforcing to 0, and running kismet as root.

This looks like kismet is running in an xterm? Also looks like kismet is playing pulseaudio? I think something is wrong.

Fixed in selinux-policy-3.0.8-102.fc8

I changed context to only affect kismet_server and added appropriate audit messages.

Fixed in selinux-policy-3.3.1-44.fc9
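
The sealert text in this report suggests generating a local policy module from the denials. As an added example (not part of the original report, and not the audit2allow tool itself), the Python below parses AVC records like the one quoted above and groups them into candidate allow rules, listing which command triggered each. The first sample record is the one from the report; the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First record: the AVC line quoted in this report. The other two are
# constructed for illustration (same format, made-up pids and serials).
SAMPLE_AUDIT = '''\
host=papa.home type=AVC msg=audit(1208697306.99:1292): avc: denied { create } for pid=24263 comm="kismet_server" scontext=system_u:system_r:kismet_t:s0 tcontext=system_u:system_r:kismet_t:s0 tclass=packet_socket
type=AVC msg=audit(1208698603.10:1301): avc: denied { bind setopt } for pid=24300 comm="kismet_server" scontext=system_u:system_r:kismet_t:s0 tcontext=system_u:system_r:kismet_t:s0 tclass=packet_socket
type=AVC msg=audit(1208698610.20:1310): avc: denied { read getattr } for pid=24310 comm="play" scontext=system_u:system_r:kismet_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type[:level]; rules are written on types.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def candidate_rules(text):
    """Group denials by (source type, target type, class) into allow rules."""
    perms_by_key, comms_by_key = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['stype'], rec['ttype'], rec['tclass'])
            perms_by_key[key].update(rec['perms'])
            comms_by_key[key].add(rec['comm'])
    rules = []
    for key in sorted(perms_by_key):
        s, t, c = key
        target = 'self' if s == t else t
        perms = ' '.join(sorted(perms_by_key[key]))
        rules.append((f"allow {s} {target}:{c} {{ {perms} }};", sorted(comms_by_key[key])))
    return rules

if __name__ == '__main__':
    for rule, comms in candidate_rules(SAMPLE_AUDIT):
        print(f"{rule}  # requested by: {', '.join(comms)}")
```

Listing the command beside each rule makes it easy to spot denials that come from a helper such as play running in kismet_t rather than from kismet_server itself, which is the question raised later in the thread.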