Bug 521937

Summary: selinux with glibc problem (maybe)
Product: Fedora
Reporter: Martin Naď <martin.nad89>
Component: selinux-policy
Assignee: Eric Paris <eparis>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 11
CC: dwalsh, jkubin, mgrepl
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-09 06:04:37 UTC

Description Martin Naď 2009-09-08 19:17:59 UTC
Description of problem:
SELinux is preventing pt_chown (unconfined_t) "mmap_zero" to <Unknown> (unconfined_t).
Detailed description
SELinux denied access requested by pt_chown. The current boolean settings do not allow this access. If you have not set up pt_chown to require this access, this may signal an intrusion attempt. If you do intend this access, you need to change the booleans on this system to allow the access.
Allowing access
Confined processes can be configured to run requiring different access; SELinux provides booleans to allow you to turn access on/off as needed. The boolean allow_unconfined_mmap_low is set incorrectly. Boolean description: Allow unconfined domain to map low memory in the kernel
Fix command
# setsebool -P allow_unconfined_mmap_low 1
Additional information
Source context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target objects:  None [ memprotect ]
Source:  pt_chown
Source path:  /usr/libexec/pt_chown
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM packages:  glibc-common-2.10.1-5
Target RPM packages:  
Policy RPM:  selinux-policy-3.6.12-80.fc11
SELinux enabled:  True
Policy type:  targeted
MLS enabled:  True
Enforcing mode:  Enforcing
Plugin name:  catchall_boolean
Host name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.30.5-43.fc11.x86_64 #1 SMP Thu Aug 27 21:39:52 EDT 2009 x86_64 x86_64
Alert count:  3
First seen:  Tue 8 Sep 2009 22:39:08 CEST
Last seen:  Tue 8 Sep 2009 22:39:08 CEST
Local ID:  f48f1fb8-2baa-4c8b-a0e8-805ab9848e4c
Line numbers:  
Raw audit messages:
node=localhost.localdomain type=AVC msg=audit(1252442348.984:11): avc: denied { mmap_zero } for pid=2021 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=AVC msg=audit(1252442348.984:11): avc: denied { mmap_zero } for pid=2021 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=AVC msg=audit(1252442348.984:11): avc: denied { mmap_zero } for pid=2021 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=SYSCALL msg=audit(1252442348.984:11): arch=c000003e syscall=125 success=yes exit=0 a0=7fff939a7014 a1=0 a2=7fff91d87e80 a3=7fff5364a690 items=0 ppid=2020 pid=2021 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
kernel-2.6.30.5-43.fc11.x86_64
libselinux-python-2.0.80-1.fc11.x86_64
selinux-policy-targeted-3.6.12-80.fc11.noarch
libselinux-utils-2.0.80-1.fc11.x86_64
libselinux-2.0.80-1.fc11.x86_64
libselinux-2.0.80-1.fc11.i586
selinux-policy-3.6.12-80.fc11.noarch
glibc-static-2.10.1-5.x86_64
glibc-2.10.1-5.i686
glibc-common-2.10.1-5.x86_64
glibc-devel-2.10.1-5.x86_64
glibc-headers-2.10.1-5.x86_64
glibc-2.10.1-5.x86_64
glibc-utils-2.10.1-5.x86_64

Actual:
If I don't turn SELinux off, my network doesn't work.
If I turn SELinux off, my network works,
and that is the only AVC in setroubleshoot.

Comment 1 Martin Naď 2009-09-09 06:04:37 UTC
Sorry, SELinux is innocent. I updated the system and relabeled, and my network works.
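As a worked example of triaging a denial like the one in the description (added here; this is not code from the bug report, from setroubleshoot or from selinux-policy), the script below parses the audit records pasted above, groups them by audit serial, and treats mmap_zero on the memprotect class as a kernel hardening check (the low-memory mapping protection that the allow_unconfined_mmap_low boolean gates) rather than an ordinary access denial, so that the suggested setsebool is not applied blindly to the whole unconfined domain. It also reads the matching SYSCALL record: success=yes there means the call that tripped the check still completed, which is consistent with the reporter's conclusion that the network problem lay elsewhere. The HARDENING table (extended beyond the report's case to the execmem/execstack/execheap checks), the advice strings and the field names of the result dict are this example's own; the audit lines are copied from the report and serve as constructed test input.

```python
"""Triage helper for AVC denials like the mmap_zero one in this report.

Added example; not part of the bug report, of setroubleshoot or of
selinux-policy. The audit lines below are copied from the description.
"""
import re
from collections import defaultdict

# The records from the report, one per line: three identical AVC records
# for audit serial 11 plus the matching SYSCALL record (constructed input).
SAMPLE_AUDIT = """\
node=localhost.localdomain type=AVC msg=audit(1252442348.984:11): avc: denied { mmap_zero } for pid=2021 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=AVC msg=audit(1252442348.984:11): avc: denied { mmap_zero } for pid=2021 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=AVC msg=audit(1252442348.984:11): avc: denied { mmap_zero } for pid=2021 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect
node=localhost.localdomain type=SYSCALL msg=audit(1252442348.984:11): arch=c000003e syscall=125 success=yes exit=0 a0=7fff939a7014 a1=0 a2=7fff91d87e80 a3=7fff5364a690 items=0 ppid=2020 pid=2021 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# (tclass, permission) pairs that are kernel hardening checks rather than
# ordinary object access. This table is the example's own: mmap_zero is the
# case in the report, the others are the analogous W^X memory checks.
HARDENING = {
    ("memprotect", "mmap_zero"): "map memory below vm.mmap_min_addr (NULL-page protection)",
    ("process", "execmem"): "make anonymous memory writable and executable",
    ("process", "execstack"): "make the stack executable",
    ("process", "execheap"): "make the heap executable",
}


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = int(m.group("serial"))
    a = AVC_RE.search(line)
    if a is not None:
        rec["verdict"] = a.group("verdict")
        rec["perms"] = set(a.group("perms").split())
    return rec


def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial number."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.get("type") == "AVC":
            events[rec["serial"]]["avc"].append(rec)
        elif rec.get("type") == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
    return dict(events)


def triage(event):
    """Summarise one event and say whether the suggested boolean flip is wise."""
    denied = [r for r in event["avc"] if r.get("verdict") == "denied"]
    sc = event["syscall"]
    first = denied[0] if denied else sc
    perms = sorted(set().union(*(r["perms"] for r in denied))) if denied else []
    tclass = first.get("tclass") if denied else None
    out = {
        "comm": first.get("comm"),
        "exe": sc.get("exe") if sc else None,
        "source_type": first["scontext"].split(":")[2] if denied else None,
        "tclass": tclass,
        "perms": perms,
        "avc_count": len(denied),
        # success=yes: the call that tripped the check still completed, so
        # this denial cannot be what broke the caller.
        "syscall_succeeded": (sc.get("success") == "yes") if sc else None,
        # uid != euid == 0 marks a setuid-root helper, where an unexpected
        # low-memory mapping deserves more suspicion, not a blanket allow.
        "setuid_root": bool(sc) and sc.get("euid") == "0" and sc.get("uid") != "0",
    }
    hits = [HARDENING[(tclass, p)] for p in perms if (tclass, p) in HARDENING]
    out["hardening"] = hits[0] if hits else None
    if hits:
        advice = ("hardening check, not an access bug: find out why %s tried to %s "
                  "before loosening a boolean for the whole %s domain"
                  % (out["comm"], hits[0], out["source_type"]))
        if out["syscall_succeeded"]:
            advice += "; SYSCALL shows success=yes, so look elsewhere for the visible symptom"
    else:
        advice = "ordinary access denial: check labels (restorecon -v) before writing policy"
    out["advice"] = advice
    return out


if __name__ == "__main__":
    for serial, ev in sorted(parse_audit(SAMPLE_AUDIT).items()):
        print(serial, triage(ev))
```

Run against the report's records it yields one event (serial 11) with three denied AVC records for pt_chown, permission mmap_zero on memprotect, a setuid-root caller (uid=500, euid=0) and a SYSCALL record with success=yes, and recommends investigating the low-memory mapping rather than setting allow_unconfined_mmap_low for every unconfined process. Feed it the output of `ausearch -m AVC,SYSCALL -ts recent` on a live system to triage real denials the same way.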