Description of problem:
When I was running CVE-2007-4465 as part of the 2007:0911 errata I got the following AVC message:

time->Thu Oct 18 07:23:01 2007
type=SYSCALL msg=audit(1192706581.416:56911): arch=40000003 syscall=5 success=no exit=-13 a0=806028b a1=0 a2=1b6 a3=82bf518 items=0 ppid=18248 pid=18251 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="netstat" exe="/bin/netstat" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1192706581.416:56911): avc: denied { search } for pid=18251 comm="netstat" name="net" dev=proc ino=-268435431 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir

When I disabled the NSS module in Apache the warning disappeared.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5.noarch
selinux-policy-targeted-2.4.6-30.el5.noarch
httpd-2.2.4-5.el5s2.x86_64
mod_nss-1.0.3-4.el5.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install RHEL5
2. Install RH App. Stack v2 from ISO (for instance) - required by the CVE test
3. Run CVE-2007-4465 (/mnt/testarea/tests/httpd/security/CVE-2007-4465/runtest.sh)

Actual results:
AVC failure.

Expected results:
No failure.

Additional info:
This is a bug in the way libnss is built. It is execing netstat rather than using /dev/rand and/or /dev/urand for generation of random data. It has been previously reported and hopefully the library will be backported to RHEL5.
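To triage a denial like the one quoted in the report, it helps to pull the decision, permission, source and target types out of the audit event and to see which binary the confined domain actually executed (here netstat under httpd_t, which is the libnss behaviour described above). The following is an added example, not code from the bug or from Red Hat; the audit event is a constructed copy of the record in the report, and the rule it derives is only what audit2allow-style triage would show, not the fix, which was the nss update.

```python
import re

# Constructed copy of the audit event quoted in the report: the SYSCALL record
# (what ran, in which domain) followed by the AVC record (what was denied).
AUDIT_EVENT = (
    'type=SYSCALL msg=audit(1192706581.416:56911): arch=40000003 syscall=5 '
    'success=no exit=-13 a0=806028b a1=0 a2=1b6 a3=82bf518 items=0 ppid=18248 '
    'pid=18251 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) comm="netstat" exe="/bin/netstat" subj=root:system_r:httpd_t:s0 '
    'key=(null) '
    'type=AVC msg=audit(1192706581.416:56911): avc: denied { search } for '
    'pid=18251 comm="netstat" name="net" dev=proc ino=-268435431 '
    'scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 '
    'tclass=dir'
)

# "avc: denied { perm ... } for key=value ..." as written by the SELinux AVC.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
# key=value tokens; values are either quoted strings or bare non-space runs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    # SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(':')[2]


def parse_avc(event):
    """Return a dict describing the AVC decision in an audit event, or None."""
    m = AVC_RE.search(event)
    if not m:
        return None
    decision, perms, rest = m.groups()
    f = _kv(rest)
    return {'decision': decision, 'perms': perms.split(),
            'comm': f.get('comm'), 'pid': int(f['pid']) if 'pid' in f else None,
            'source_type': _type_of(f['scontext']),
            'target_type': _type_of(f['tcontext']),
            'tclass': f['tclass'], 'name': f.get('name')}


def te_rule(avc):
    """The allow rule audit2allow would propose; useful to see what loosening
    the policy would grant before deciding to fix the application instead."""
    return 'allow %s %s:%s { %s };' % (avc['source_type'], avc['target_type'],
                                       avc['tclass'], ' '.join(avc['perms']))


def exec_chain(event):
    """(exe, subject context) from the SYSCALL record: which binary ran, and in
    which domain, when the denial happened."""
    f = _kv(event.split('type=AVC')[0])
    return f.get('exe'), f.get('subj')
```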
Martin, what version of package nss.rpm is installed in your environment? The fix you need is contained in RHEL 5.1. You need nss 3.11.7-1.2 or newer.
Hello, I can't tell you. The errata was successfully released and thus this issue is now irrelevant I think.
Per last bug council, marking modified so QE can verify.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0291.html