Bug 217127 - A slew of recent selinux denials
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-24 01:32 EST by Deji Akingunola
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2007-04-16 23:38:57 EDT
Description Deji Akingunola 2006-11-24 01:32:36 EST
Description of problem:
Maybe these are not real denials but potential denials (because I am presently
running 'setenforce 0'). Below are excerpts of SELinux-related entries in my message log
file; setroubleshoot also shows them for me.

This one is due to the nvidia driver; if I don't load the nvidia module, I don't see it
(I get a lot of similar messages)
>>
Nov 24 00:48:16 agape setroubleshoot:      SELinux is preventing /usr/bin/Xorg
(xdm_t) "execmem" access to <Unknown> (xdm_t).      For complete SELinux
messages. run sealert -l 1a5ff924-0848-410a-a0e4-dc3c3d7970d5
Nov 24 00:48:16 agape setroubleshoot:      SELinux is preventing /usr/bin/Xorg
(xdm_t) "execstack" access to <Unknown> (xdm_t).      For complete SELinux
messages. run sealert -l ebe67bef-f0e6-4dc5-b48e-700bce366ffd
<<

This one happens when I put in a music cd,
>>
Nov 24 00:52:48 agape setroubleshoot:      SELinux is preventing
/usr/bin/gnome-cd from changing a writable memory segment executable.      For
complete SELinux messages. run sealert -l b30859cf-3156-4371-998c-68f144f82f9a
<<

These were written while doing a yum update,
<<
Nov 24 00:54:55 agape setroubleshoot:      SELinux is preventing
/usr/sbin/groupadd (groupadd_t) "sys_tty_config" to <Unknown> (groupadd_t).    
 For complete SELinux messages. run sealert -l 1bf6ed8a-1578-48fe-9ae7-8efb64b736c4
Nov 24 00:54:55 agape setroubleshoot:      SELinux is preventing
/usr/sbin/useradd (useradd_t) "sys_tty_config" to <Unknown> (useradd_t).     
For complete SELinux messages. run sealert -l 019ea4e3-fd4b-499a-b61b-5e701de930dc
>>

Also this
<<
Nov 24 00:57:16 agape setroubleshoot:      SELinux is preventing
/usr/bin/mplayer from changing a writable memory segment executable.      For
complete SELinux messages. run sealert -l b30859cf-3156-4371-998c-68f144f82f9a

and these from auditlog
<<
type=AVC msg=audit(1164348519.756:63): avc:  denied  { execstack } for  pid=3511
comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1164348519.756:63): avc:  denied  { execmem } for  pid=3511
comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
<<

Setroubleshoot also reports
<<
avc: denied { sys_tty_config } for comm="genhomedircon" egid=0 euid=0
exe="/usr/bin/python" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=7664
scontext=system_u:system_r:semanage_t:s0 sgid=0
subj=system_u:system_r:semanage_t:s0 suid=0 tclass=capability
tcontext=system_u:system_r:semanage_t:s0 tty=(none) uid=0 
avc: denied { sys_tty_config } for comm="restorecon" egid=0 euid=0
exe="/sbin/restorecon" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3179
scontext=system_u:system_r:restorecon_t:s0 sgid=0
subj=system_u:system_r:restorecon_t:s0 suid=0 tclass=capability
tcontext=system_u:system_r:restorecon_t:s0 tty=(none) uid=0 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.5-3.fc7

Comment 1 Daniel Walsh 2006-11-27 11:42:41 EST
Please report these as separate bugzillas or at least include the audit.log.

Nov 24 00:52:48 agape setroubleshoot:      SELinux is preventing
/usr/bin/gnome-cd from changing a writable memory segment executable.      For
complete SELinux messages. run sealert -l b30859cf-3156-4371-998c-68f144f82f9a
<<

This should be reported as a bugzilla against gnome-cd.  

and these from auditlog
<<
type=AVC msg=audit(1164348519.756:63): avc:  denied  { execstack } for  pid=3511
comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1164348519.756:63): avc:  denied  { execmem } for  pid=3511
comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
<<

Should be reported against gnome-applets

The others I will fix in 

selinux-policy-2.4.5-4
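A small triage helper, added here as an example and not code from the reporter or the policy maintainer: it parses AVC records of the two shapes quoted in this bug (raw "type=AVC" audit lines and the syslog copies) into permissions and contexts, then sorts each distinct denial by where Comment 1 says to file it. The sample records are the ones from this bug, reflowed one per line.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in this bug, each reflowed onto one line,
# plus one setroubleshoot summary line that carries no contexts at all.
SAMPLE_LOG = """\
type=AVC msg=audit(1164348519.756:63): avc:  denied  { execstack } for  pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1164348519.756:63): avc:  denied  { execmem } for  pid=3511 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
avc: denied { sys_tty_config } for comm="restorecon" egid=0 euid=0 exe="/sbin/restorecon" pid=3179 scontext=system_u:system_r:restorecon_t:s0 tclass=capability tcontext=system_u:system_r:restorecon_t:s0 uid=0
avc: denied { read } for comm="ifconfig" dev=pipefs exe="/sbin/ifconfig" path="pipe:[15024]" pid=3102 scontext=system_u:system_r:ifconfig_t:s0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0
avc: denied { ioctl } for comm="genhomedircon" dev=pipefs exe="/usr/bin/python" exit=-22 path="pipe:[9971]" pid=4071 scontext=system_u:system_r:semanage_t:s0 tclass=fifo_file tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
Nov 24 00:57:16 agape setroubleshoot: SELinux is preventing /usr/bin/mplayer from changing a writable memory segment executable.
"""

# "avc: denied { perm ... } for key=value ..." (same for raw audit and syslog copies)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the permissions and key fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(),
            **{k: fields.get(k) for k in ('comm', 'scontext', 'tcontext', 'tclass')}}

def triage(rec):
    """Where to file it, per the guidance in this bug: execmem/execstack on a
    process is the application's problem; anything else is a policy question.
    Returns (component, subject)."""
    domain = rec['scontext'].split(':')[2]          # the type field of the context
    if rec['tclass'] == 'process' and set(rec['perms']) & {'execmem', 'execstack'}:
        return ('application', rec['comm'])
    return ('selinux-policy', domain)

def triage_log(text):
    """Group distinct (subject, class, perms) triples by the component to report to.
    setroubleshoot summary lines have no contexts and are skipped; sealert -l <id>
    prints the underlying AVC record for those."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        comp, subject = triage(rec)
        buckets[comp].add((subject, rec['tclass'], tuple(rec['perms'])))
    return {comp: sorted(items) for comp, items in buckets.items()}
```

Running triage_log over a real audit.log gives one line per application to file against and one list of domains for the policy bug, which is the split Comment 1 asks for.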
Comment 2 Deji Akingunola 2006-11-27 16:33:11 EST
I got this too, for compiz;
avc: denied { execstack } for comm="compiz" egid=500 euid=500
exe="/usr/bin/compiz" exit=0 fsgid=500 fsuid=500 gid=500 items=0 pid=2784
scontext=user_u:system_r:unconfined_t:s0 sgid=500
subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500 

should it be filed against compiz or you'll take care of it?
Comment 3 Daniel Walsh 2006-11-27 16:35:45 EST
File a bug against compiz.
Comment 4 Daniel Walsh 2006-11-27 16:38:52 EST
BTW you can chcon -t unconfined_execmem_t compiz if you want it to work without
setting the allow_execstack boolean.

Otherwise you can turn on allow_execstack boolean.

setsebool allow_execstack=1
Comment 5 Deji Akingunola 2006-11-29 17:16:33 EST
Since you've not closed this (and setroubleshoot doesn't offer me a
work-around), here is another avc denial;

avc: denied { read } for comm="ifconfig" dev=pipefs egid=0 euid=0
exe="/sbin/ifconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[14565]"
path="pipe:[15024]" pid=3102 scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=fifo_file
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0 
Comment 6 Daniel Walsh 2006-11-29 17:25:04 EST
Fixed in selinux-policy-2.4.6-2
Comment 7 Deji Akingunola 2006-11-29 18:26:39 EST
I hope you don't mind me adding more stuff to this bug ;). This one I just got
while updating,

avc: denied { ioctl } for comm="genhomedircon" dev=pipefs egid=0 euid=0
exe="/usr/bin/python" exit=-22 fsgid=0 fsuid=0 gid=0 items=0 name="[9971]"
path="pipe:[9971]" pid=4071 scontext=system_u:system_r:semanage_t:s0 sgid=0
subj=system_u:system_r:semanage_t:s0 suid=0 tclass=fifo_file
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tty=(none) uid=0 
Comment 8 Deji Akingunola 2007-04-16 23:38:57 EDT
I guess these are now all fixed one way or other.
