Bug 545463

Summary: SELinux is preventing /usr/sbin/snort-plain "module_request" access.
Product: [Fedora] Fedora
Reporter: Prinse Wang <prinseer>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:372e670dad0da3c5cfc24f7b92f25ea7e4a49f165c4fec29d869668401398b09
Fixed In Version: 3.6.32-66.fc12
Doc Type: Bug Fix
Last Closed: 2010-01-08 20:08:00 UTC

Description Prinse Wang 2009-12-08 16:26:36 UTC
Summary:

SELinux is preventing /usr/sbin/snort-plain "module_request" access.

Detailed Description:

SELinux denied access requested by snort. It is not expected that this access is
required by snort and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:snort_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                None [ system ]
Source                        snort
Source Path                   /usr/sbin/snort-plain
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           snort-2.8.5.1-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-55.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26
                              EST 2009 x86_64 x86_64
Alert Count                   10
First Seen                    Sunday, 06 December 2009 04:13:38
Last Seen                     Wednesday, 09 December 2009 00:01:33
Local ID                      2b4167f4-685e-4fc8-944e-15d2b167de30
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1260288093.78:23): avc:  denied  { module_request } for  pid=1664 comm="snort" scontext=system_u:system_r:snort_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=(removed) type=SYSCALL msg=audit(1260288093.78:23): arch=c000003e syscall=41 success=no exit=-97 a0=1f a1=3 a2=1 a3=0 items=0 ppid=1663 pid=1664 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snort" exe="/usr/sbin/snort-plain" subj=system_u:system_r:snort_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-55.fc12,catchall,snort,snort_t,kernel_t,system,module_request
audit2allow suggests:

#============= snort_t ==============
allow snort_t kernel_t:system module_request;
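
Added example (not part of the original report, and not setroubleshoot or audit2allow code): the AVC and SYSCALL records above carry the same audit event ID, so the SYSCALL record identifies the call that led to the `module_request` check. The Python below correlates the two records and decodes the syscall arguments; the lookup tables and function names are this example's own, and the sample records are the ones quoted in the report with some fields trimmed.

```python
import re

# Constructed sample: the two audit records quoted in the report, with the
# node= prefix and the uid/gid fields dropped for brevity.
AVC = ('type=AVC msg=audit(1260288093.78:23): avc:  denied  { module_request } '
       'for  pid=1664 comm="snort" scontext=system_u:system_r:snort_t:s0 '
       'tcontext=system_u:system_r:kernel_t:s0 tclass=system')
SYSCALL = ('type=SYSCALL msg=audit(1260288093.78:23): arch=c000003e syscall=41 '
           'success=no exit=-97 a0=1f a1=3 a2=1 a3=0 items=0 ppid=1663 pid=1664 '
           'comm="snort" exe="/usr/sbin/snort-plain" '
           'subj=system_u:system_r:snort_t:s0 key=(null)')

# Lookup tables limited to what this event needs (Linux x86_64 values).
X86_64_SYSCALLS = {41: "socket"}
ADDRESS_FAMILIES = {2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK",
                    17: "AF_PACKET", 31: "AF_BLUETOOTH"}
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ERRNOS = {13: "EACCES", 97: "EAFNOSUPPORT"}

def fields(record):
    """Return the key=value pairs of one audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Records with the same audit(timestamp:serial) belong to one event."""
    return re.search(r'audit\(([\d.]+:\d+)\)', record).group(1)

def explain(avc, syscall):
    """Correlate an AVC denial with its SYSCALL record and decode the call."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records are from different audit events")
    a, s = fields(avc), fields(syscall)
    if s["arch"] != "c000003e":  # AUDIT_ARCH_X86_64; the table above is x86_64 only
        raise ValueError("syscall table does not match arch " + s["arch"])
    nr, err = int(s["syscall"]), -int(s["exit"])
    out = {"permission": re.search(r'\{ (\w+) \}', avc).group(1),
           "source_type": a["scontext"].split(":")[2],
           "syscall": X86_64_SYSCALLS.get(nr, str(nr)),
           "errno": ERRNOS.get(err, str(err))}
    if out["syscall"] == "socket":
        fam, typ = int(s["a0"], 16), int(s["a1"], 16)  # auditd logs a0..a3 in hex
        out["family"] = ADDRESS_FAMILIES.get(fam, str(fam))
        out["type"] = SOCK_TYPES.get(typ & 0xF, str(typ))  # drop SOCK_* flag bits
        out["module_alias"] = "net-pf-%d" % fam  # alias the kernel tries to autoload
    return out

if __name__ == "__main__":
    print(explain(AVC, SYSCALL))
```

For this event the decoded call is a raw `AF_BLUETOOTH` socket that failed with `EAFNOSUPPORT`, meaning the kernel tried to autoload `net-pf-31` on behalf of `snort_t`. That context is worth having before turning the audit2allow suggestion into a local allow rule.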

Comment 1 Daniel Walsh 2009-12-23 17:38:49 UTC
Did you disable ipv6?

Comment 2 Prinse Wang 2009-12-24 20:55:56 UTC
No, ipv6 is enabled.

Comment 3 Daniel Walsh 2009-12-27 13:04:48 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-65.fc12.noarch

Comment 4 Fedora Update System 2010-01-04 21:51:25 UTC
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12

Comment 5 Fedora Update System 2010-01-05 22:47:18 UTC
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184

Comment 6 Fedora Update System 2010-01-08 20:02:07 UTC
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Prinse Wang 2010-01-09 14:22:50 UTC
Thank you, Daniel Walsh, the problem was fixed by updating selinux-policy to selinux-policy-3.6.32-66.fc12.

But some new problems have appeared related to the VMware virtual network interface. I will report them later on.