Bug 244755 - Selinux issuing alerts, user has no clue what to do
Summary: Selinux issuing alerts, user has no clue what to do
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: i386
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-06-18 23:58 UTC by John Williams
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-04 20:11:37 UTC
Type: ---
Embargoed:



Description John Williams 2007-06-18 23:58:07 UTC
Description of problem:


Version-Release number of selected component (if applicable):

Latest updates applied.

How reproducible:

Don't know.

Steps to Reproduce:
1. Click on the selinux troubleshooting icon in the taskbar
2. Read about denials
3. Wonder if my box has been hacked, but have no clue
  
Actual results:

See attached info. There are other alerts; this is just an example.

Expected results:

No false positives.

Detailed Description:

Summary
    SELinux is preventing sh (unconfined_t) "transition" to (null)
    (rpm_script_t).


    SELinux denied access requested by sh. It is not expected that this access
    is required by sh and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:unconfined_t
Target Context                system_u:system_r:rpm_script_t
Target Objects                (null) [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   seedit
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     lounge-eth.falcon
Platform                      Linux lounge-eth.falcon 2.6.21-1.3228.fc7 #1 SMP
                              Tue Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   8
First Seen                    Sun 10 Jun 2007 12:42:29 NZST
Last Seen                     Sun 17 Jun 2007 12:00:28 NZST
Local ID                      c749f0ce-3698-4501-ab5a-a5167e326670
Line Numbers                  

Raw Audit Messages            

avc: denied { transition } for comm="sh" cwd="/" dev=08:01 egid=0 euid=0
exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 inode=751567 item=1 items=2
mode=0100755 name="bash" obj=system_u:object_r:unlabeled_t:s0 ogid=0 ouid=0
path=(null) pid=3592 rdev=00:00 scontext=system_u:system_r:unconfined_t:s0
sgid=0 subj=system_u:system_r:rpm_script_t:s0 suid=0 tclass=process
tcontext=system_u:system_r:rpm_script_t:s0 tty=(none) uid=0


Additional info:

Comment 1 Daniel Walsh 2007-06-19 13:00:28 UTC
The goal of this application is to inform the user that something has happened
on the system that SELinux has denied.  The explanation tries to explain what
happened and possible actions.  In this case the system was not able to find a
good diagnosis so it throws the catch-all.  From examining the alert, it looks
like you have some kind of installation program that is running a shell program.
What rpm type program are you running?  You also have something that is labeled
unlabeled_t which indicates you have a file system that SELinux does not
understand.  As far as telling the user whether there is an intrusion or not,
the tools are currently good enough to diagnose at that level.  From this
sealert, almost guaranteed this is a configuration/bug in SELinux and not an
intrusion.

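An added example, not part of the bug report or of the selinux-policy project: a small Python parser for the raw AVC record quoted in the description, plus a triage step that applies the two clues Dan Walsh points to in comment 1 (an object labeled unlabeled_t, and a transition into rpm_script_t). The field names come from the record itself; the triage heuristics and all function names are this example's own assumptions.

```python
import re

# Constructed copy of the raw audit message from this bug, joined onto one line
# the way auditd writes it.
AVC_SAMPLE = (
    'avc: denied { transition } for comm="sh" cwd="/" dev=08:01 egid=0 euid=0 '
    'exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 inode=751567 item=1 items=2 '
    'mode=0100755 name="bash" obj=system_u:object_r:unlabeled_t:s0 ogid=0 ouid=0 '
    'path=(null) pid=3592 rdev=00:00 scontext=system_u:system_r:unconfined_t:s0 '
    'sgid=0 subj=system_u:system_r:rpm_script_t:s0 suid=0 tclass=process '
    'tcontext=system_u:system_r:rpm_script_t:s0 tty=(none) uid=0'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Split one AVC record into a dict: result, list of permissions, and every key=value field."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw   # (null) and (none) stay as literal text
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context, or None."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def triage(rec):
    """Apply the clues from comment 1 (assumed heuristics); returns (verdict, reasons)."""
    reasons = []
    types = {context_type(rec.get(k, "")) for k in ("scontext", "tcontext", "obj", "subj")}
    if "unlabeled_t" in types:
        reasons.append("unlabeled_t object: a file system SELinux cannot label, i.e. a labeling problem")
    if "transition" in rec["perms"] and context_type(rec.get("tcontext", "")) == "rpm_script_t":
        reasons.append("transition into rpm_script_t: an installer-type program is running a shell")
    verdict = "likely SELinux configuration/policy bug" if reasons else "no known pattern, review manually"
    return verdict, reasons
```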
