Bug 514980

Summary: Your system may be seriously compromised!
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: bindAssignee: Adam Tkac <atkac>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: atkac, ovasik, pwouters
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-06 07:11:26 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 473303    

Description Nicolas Mailhot 2009-07-31 14:29:48 EDT
Your system may be seriously compromised!

SELinux has denied the named the ability to mmap low area of the kernel address space. The ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploiting null deref bugs in the kernel. All applications that need this access should have already had policy written for them. If a compromised application tries modify the kernel this AVC would be generated. This is a serious issue. Your system may very well be compromised.

Contact your security administrator and report this issue.


Contexte source:  unconfined_u:system_r:named_t:s0
Contexte cible:  unconfined_u:system_r:named_t:s0
Objets du contexte:  None [ memprotect ]source:  named
Chemin de la source:  /usr/sbin/namedPort:  <Inconnu>
Hôte:  
Paquetages RPM source:  bind-9.6.1-6.P1.fc12
Paquetages RPM cible:  
Politique RPM:  selinux-policy-3.6.26-2.fc12
Selinux activé:  True
Type de politique:  targeted
MLS activé:  True
Mode strict:  Enforcing
Nom du plugin:  mmap_zero
Nom de l'hôte:  
Plateforme:  Linux  2.6.31-0.112.rc4.git3.fc12.x86_64 #1 SMP Thu Jul 30 15:29:28 EDT 2009 x86_64 x86_64
Compteur d'alertes:  12
Première alerte:  ven. 31 juil. 2009 20:19:00 CEST
Dernière alerte:  ven. 31 juil. 2009 20:19:00 CEST
ID local:  f0c205ff-5c07-40c7-b0c0-bb040db09024
Numéros des lignes:  
Messages d'audit bruts :

node= type=AVC msg=audit(1249064340.25:68): avc: denied { mmap_zero } for pid=2844 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:system_r:named_t:s0 tclass=memprotect

node= type=AVC msg=audit(1249064340.25:68): avc: denied { mmap_zero } for pid=2844 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:system_r:named_t:s0 tclass=memprotect

node= type=AVC msg=audit(1249064340.25:68): avc: denied { mmap_zero } for pid=2844 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:system_r:named_t:s0 tclass=memprotect

node= type=SYSCALL msg=audit(1249064340.25:68): arch=c000003e syscall=125 success=yes exit=0 a0=7fffdf697374 a1=0 a2=7fffdbf1fe80 a3=24 items=0 ppid=2843 pid=2844 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
Comment 1 Adam Tkac 2009-08-04 10:54:10 EDT
Would it be possible to tell me how did you reproduced this issue, please? I have installed:

bind-9.6.1-6.P1.fc12.x86_64
selinux-policy-targeted-3.6.26-2.fc12.noarch

and I'm running on 2.6.31-0.118.rc5.fc12.x86_64 kernel with no SELinux denial.
Comment 2 Nicolas Mailhot 2009-08-05 03:21:05 EDT
If I can reproduce it I'll post the info. There have been several selinux, bind and glibc updates in rawhide since
Comment 3 Adam Tkac 2009-08-06 07:11:26 EDT
(In reply to comment #2)
> If I can reproduce it I'll post the info. There have been several selinux, bind
> and glibc updates in rawhide since  

Ok, if it happens again please reopen this issue. For not I'm closing this ticket.