Bug 526531
| Summary: | setroubleshoot: SELinux is preventing /usr/libexec/pt_chown "mmap_zero" access on <Unknown>. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy | Assignee: | Eric Paris <eparis> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:717d1c4c926570ed2453e48b48b949e9c3b5375995d3fd1a960b0e8eca5b8950 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-10-05 14:12:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
What did you do to trigger this? Boot? (I usually remove all remaining selinux events, then reboot, then report the new list afterwards) *** This bug has been marked as a duplicate of bug 525537 *** |
The following was filed automatically by setroubleshoot: Résumé: SELinux is preventing /usr/libexec/pt_chown "mmap_zero" access on <Unknown>. Description détaillée: [pt_chown has a permissive type (unconfined_t). This access was not denied.] SELinux denied access requested by pt_chown. The current boolean settings do not allow this access. If you have not setup pt_chown to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access. Autoriser l'accès: Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean mmap_low_allowed is set incorrectly. Boolean Description: Allow certain domains to map low memory in the kernel Commande de correction: # setsebool -P mmap_low_allowed 1 Informations complémentaires: Contexte source unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Contexte cible unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Objets du contexte None [ memprotect ] source pt_chown Chemin de la source /usr/libexec/pt_chown Port <Inconnu> Hôte (removed) Paquetages RPM source glibc-common-2.10.90-24 Paquetages RPM cible Politique RPM selinux-policy-3.6.32-12.fc12 Selinux activé True Type de politique targeted MLS activé True Mode strict Enforcing Nom du plugin catchall_boolean Nom de l'hôte (removed) Plateforme Linux (removed) 2.6.31.1-56.fc12.x86_64 #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64 Compteur d'alertes 3 Première alerte mer. 30 sept. 2009 20:15:40 CEST Dernière alerte mer. 30 sept. 2009 20:15:40 CEST ID local c71fda22-e7a7-4643-97b8-9ba6e22fce37 Numéros des lignes Messages d'audit bruts node=(removed) type=AVC msg=audit(1254334540.70:19): avc: denied { mmap_zero } for pid=2372 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect node=(removed) type=AVC msg=audit(1254334540.70:19): avc: denied { mmap_zero } for pid=2372 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect node=(removed) type=AVC msg=audit(1254334540.70:19): avc: denied { mmap_zero } for pid=2372 comm="pt_chown" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect node=(removed) type=SYSCALL msg=audit(1254334540.70:19): arch=c000003e syscall=125 success=yes exit=0 a0=7fff9190b014 a1=0 a2=7fff90c83e80 a3=7fff111c64a0 items=0 ppid=2371 pid=2372 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pt_chown" exe="/usr/libexec/pt_chown" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-12.fc12,catchall_boolean,pt_chown,unconfined_t,unconfined_t,memprotect,mmap_zero audit2allow suggests: #============= unconfined_t ============== allow unconfined_t self:memprotect mmap_zero;