Description of problem:

Version-Release number of selected component (if applicable):
Latest updates applied.

How reproducible:
Don't know.

Steps to Reproduce:
1. Click on the selinux troubleshooting icon in the taskbar
2. Read about denials
3. Wonder if my box has been hacked, but have no clue

Actual results:
See attached info. There are other alerts, this is just an example.

Expected results:
No false positives.

Detailed Description:

Summary
SELinux is preventing sh (unconfined_t) "transition" to (null) (rpm_script_t).

Detailed Description
SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context          system_u:system_r:unconfined_t
Target Context          system_u:system_r:rpm_script_t
Target Objects          (null) [ process ]
Affected RPM Packages
Policy RPM              selinux-policy-2.6.4-13.fc7
Selinux Enabled         True
Policy Type             seedit
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall
Host Name               lounge-eth.falcon
Platform                Linux lounge-eth.falcon 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count             8
First Seen              Sun 10 Jun 2007 12:42:29 NZST
Last Seen               Sun 17 Jun 2007 12:00:28 NZST
Local ID                c749f0ce-3698-4501-ab5a-a5167e326670
Line Numbers

Raw Audit Messages
avc: denied { transition } for comm="sh" cwd="/" dev=08:01 egid=0 euid=0 exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 inode=751567 item=1 items=2 mode=0100755 name="bash" obj=system_u:object_r:unlabeled_t:s0 ogid=0 ouid=0 path=(null) pid=3592 rdev=00:00 scontext=system_u:system_r:unconfined_t:s0 sgid=0 subj=system_u:system_r:rpm_script_t:s0 suid=0 tclass=process tcontext=system_u:system_r:rpm_script_t:s0 tty=(none) uid=0

Additional info:
The goal of this application is to inform the user that something has happened on the system that SELinux has denied. The explanation tries to explain what happened and possible actions. In this case the system was not able to find a good diagnosis, so it throws the catch-all. From examining the alert, it looks like you have some kind of installation program that is running a shell program. What rpm-type program are you running? You also have something that is labeled unlabeled_t, which indicates you have a file system that SELinux does not understand. As far as telling the user whether there is an intrusion or not, the tools are currently good enough to diagnose at that level. From this sealert, it is almost guaranteed that this is a configuration/bug in SELinux and not an intrusion.
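The reply above walks through the questions an admin should ask of a raw AVC record before deciding it is an intrusion: which domain tried which permission on which class, whether the object carries a real label or unlabeled_t, and whether the kernel was enforcing at all. The following Python is an added example that is not part of this bug report or of setroubleshoot; it parses the raw audit line quoted in the report (re-used here as constructed sample input) into fields and applies those three checks. The second sample line, the `type=AVC msg=audit(...)` framing with a `permissive=` field, is constructed to show the parser also handles the newer auditd layout; the `enforcing_mode` argument stands in for the sealert "Enforcing Mode" field, which the old record does not carry itself.

```python
"""Parse a raw SELinux AVC record and apply basic denial triage.
Added example; not part of the bug report or of setroubleshoot."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the raw audit message quoted in the report, on one line.
SAMPLE_AVC = (
    'avc: denied { transition } for comm="sh" cwd="/" dev=08:01 egid=0 euid=0 '
    'exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 inode=751567 item=1 items=2 '
    'mode=0100755 name="bash" obj=system_u:object_r:unlabeled_t:s0 ogid=0 ouid=0 '
    'path=(null) pid=3592 rdev=00:00 scontext=system_u:system_r:unconfined_t:s0 '
    'sgid=0 subj=system_u:system_r:rpm_script_t:s0 suid=0 tclass=process '
    'tcontext=system_u:system_r:rpm_script_t:s0 tty=(none) uid=0'
)

# Constructed sample in the newer auditd framing (type=AVC prefix, permissive=).
SAMPLE_AVC_MODERN = (
    'type=AVC msg=audit(1181430149.123:42): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" name="index.html" dev="sda1" ino=99 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line: str) -> Dict[str, object]:
    """Return the record's fields; 'perms' is a list, everything else a string."""
    m = AVC_RE.search(line)  # search(): tolerates a type=AVC msg=audit(...) prefix
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields: Dict[str, object] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),  # '{ transition }' -> ['transition']
    }
    for key, raw, unquoted in KV_RE.findall(m.group("rest")):
        # raw is the whole value ('"bash"' or '(null)'); unquoted is the inside
        # of the quotes when there were any.
        fields[key] = unquoted if raw.startswith('"') else raw
    return fields


def se_type(context: str) -> str:
    """user:role:type[:range] -> type; other shapes are returned unchanged."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def triage(fields: Dict[str, object], enforcing_mode: str = "Enforcing") -> List[Tuple[str, str]]:
    """Apply the checks from the maintainer's reply; returns (tag, message) pairs."""
    src = se_type(str(fields.get("scontext", "")))
    tgt = se_type(str(fields.get("tcontext", "")))
    perms = " ".join(fields["perms"])  # type: ignore[arg-type]
    findings = [("summary", "%s: %s -> { %s } on class %s (target type %s), comm=%s exe=%s"
                 % (fields["result"], src, perms, fields.get("tclass"), tgt,
                    fields.get("comm"), fields.get("exe")))]

    # 1. Object label: unlabeled_t means the file system carries no labels the
    #    policy knows about, so nothing can be concluded about the object yet.
    if "unlabeled_t" in str(fields.get("obj", "")) or tgt == "unlabeled_t":
        findings.append(("labeling",
                         "object is unlabeled_t: the file system is unlabeled or not "
                         "understood by SELinux; check mounts and labels before "
                         "treating this as an intrusion"))

    # 2. Domain transition denied: the policy has no allow rule for src -> tgt.
    if "transition" in fields["perms"] and fields.get("tclass") == "process":  # type: ignore[operator]
        findings.append(("transition",
                         "no allow rule for process transition %s -> %s; from an "
                         "unconfined source this is the policy-gap case the reply describes"
                         % (src, tgt)))

    # 3. Was anything actually blocked?  Old records carry no permissive field,
    #    so the sealert "Enforcing Mode" value is passed in by the caller.
    if enforcing_mode.lower() == "permissive" or fields.get("permissive") == "1":
        findings.append(("permissive",
                         "permissive mode: the denial was logged but the access went through"))
    return findings


if __name__ == "__main__":
    for tag, msg in triage(parse_avc(SAMPLE_AVC), enforcing_mode="Permissive"):
        print("[%s] %s" % (tag, msg))
```

Run on the report's record with the sealert mode "Permissive", the output carries all three tags: a process-transition denial from unconfined_t to rpm_script_t, an unlabeled_t executable, and no actual enforcement, which is the combination the reply reads as a labeling/policy problem rather than an attack. The parser only handles the `avc:` record itself; the surrounding SYSCALL and CWD records that auditd emits for the same event are not consumed here.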