Bug 483212 - (staff_u???) SELinux is preventing auditd (auditd_t) "sys_admin" auditd_t.
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
Version: 10
Platform: All Linux
Priority: low
Severity: medium
Assigned To: Eric Paris
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, SELinux
Duplicates: 483462
Reported: 2009-01-30 03:46 EST by Matěj Cepl
Modified: 2009-05-21 16:18 EDT
Last Closed: 2009-05-21 16:18:06 EDT
Description Matěj Cepl 2009-01-30 03:46:32 EST
I am not sure whether being a staff_u as a user can have any effect on the auditd daemon, but just to note it.

SELinux is preventing auditd (auditd_t) "sys_admin" auditd_t.

Detailed description:

SELinux denied access requested by auditd. It is not expected that this access
is required by auditd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional information:

Source Context                system_u:system_r:auditd_t:s0
Target Context                system_u:system_r:auditd_t:s0
Target Objects                None [ capability ]
Source                        auditd
Source Path                   <Unknown>
Port                          <Unknown>
Host                          viklef.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-40.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz
                              2.6.27.12-170.2.5.fc10.x86_64 #1 SMP Wed Jan 21
                              01:33:24 EST 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 30 January 2009, 06:01:01 CET
Last Seen                     Fri 30 January 2009, 06:00:57 CET
Local ID                      9a6adf93-6bfb-4261-98ea-9d78a82d0cea
Line Numbers                  

Raw Audit Messages            

node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_admin } for  pid=2090 comm="auditd" capability=21 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability

node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_rawio } for  pid=2090 comm="auditd" capability=17 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability

node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_admin } for  pid=2091 comm="audispd" capability=21 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability

node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_resource } for  pid=2091 comm="audispd" capability=24 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability

node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_rawio } for  pid=2091 comm="audispd" capability=17 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability

node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_admin } for  pid=2092 comm="audispd" capability=21 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability
Comment 1 Daniel Walsh 2009-01-30 08:50:03 EST
Are you running with ext4?
Comment 2 Matěj Cepl 2009-01-30 11:00:38 EST
Yes

[root@viklef ~]# uname -r
2.6.27.12-170.2.5.fc10.x86_64
[root@viklef ~]# mount
/dev/mapper/vg00-lvRoot on / type ext4 (rw)
/proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
/dev/dm-5 on /home type ext3 (rw)
tmpfs on /tmp type tmpfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
gvfs-fuse-daemon on /home/matej/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matej)
[root@viklef ~]#
Comment 3 Daniel Walsh 2009-02-02 08:18:19 EST
These are issues with the kernel.  I believe there is an update on the way to fix this.
Comment 4 Eric Paris 2009-02-02 08:59:20 EST
ext4 things is CAP_SYS_RESOURCE not CAP_SYS_ADMIN....
Comment 5 Eric Paris 2009-02-02 09:04:59 EST
huh, this wants sys_admin, sys_rawio, and cap_sys_resource....
Comment 6 Eric Paris 2009-02-02 09:15:36 EST
ahhhh, did your OOM killer pop just seconds later?  Looks like these 3 called together is in the OOM killer when determining how valuable a given task is when looking for one to shoot.  upstream this is fixed by just not outputting the denial message.  I don't really see the need to backport it for such a corner case...
Comment 7 Matěj Cepl 2009-02-02 09:20:04 EST
(In reply to comment #6)
> ahhhh, did your OOM killer pop just seconds later?  Looks like these 3 called
> together is in the OOM killer when determining how valuable a given task is
> when looking for one to shoot.  upstream this is fixed by just not outputting
> the denial message.  I don't really see the need to backport it for such a
> corner case...

I don't know -- the only OOM killer I had recently was when I tried pidgin in valgrind. It might be caused by that.
Comment 8 Eric Paris 2009-02-02 09:27:10 EST
ok, I'm going to close this as fixed upstream.  2.6.29 should keep these denials from popping out during an oom kill calculation.  If you ever see this type of thing and don't see an oom kill in the vicinity you can reopen.
Comment 9 Eric Paris 2009-02-02 13:00:21 EST
*** Bug 483462 has been marked as a duplicate of this bug. ***
Comment 10 Matěj Cepl 2009-02-04 01:21:02 EST
And this is duplicate of this bug as well, right?


Summary:

SELinux is preventing arping (netutils_t) "sys_module" netutils_t.

Detailed description:

SELinux denied access requested by arping. It is not expected that this access
is required by arping and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional information:

Source Context                system_u:system_r:netutils_t:s0-s0:c0.c1023
Target Context                system_u:system_r:netutils_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        arping
Source Path                   /sbin/arping
Port                          <Unknown>
Host                          viklef.ceplovi.cz
Source RPM Packages           iputils-20071127-6.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-41.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz
                              2.6.27.12-170.2.5.fc10.x86_64 #1 SMP Wed Jan 21
                              01:33:24 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 4 February 2009, 07:17:26 CET
Last Seen                     Wed 4 February 2009, 07:17:26 CET
Local ID                      cdb84e6f-af20-4b5a-96b4-1f1afd851ef8
Line Numbers                  

Raw Audit Messages            

node=viklef.ceplovi.cz type=AVC msg=audit(1233728246.595:73): avc:  denied  { sys_module } for  pid=7540 comm="arping" capability=16 scontext=system_u:system_r:netutils_t:s0-s0:c0.c1023 tcontext=system_u:system_r:netutils_t:s0-s0:c0.c1023 tclass=capability

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1233728246.595:73): arch=c000003e syscall=16 success=no exit=-19 a0=3 a1=8933 a2=7fff8472d1a0 a3=7fff8472bcd0 items=0 ppid=7539 pid=7540 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arping" exe="/sbin/arping" subj=system_u:system_r:netutils_t:s0-s0:c0.c1023 key=(null)
Comment 11 Eric Paris 2009-02-04 08:57:57 EST
No, that is a different unrelated issue.
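To triage denials like the two reports in this thread, here is an added example (not code from the bug report, Fedora or the kernel project) that parses capability AVC records, groups them by audit event serial and applies the heuristic from comment 6: an event whose denied capabilities are exactly sys_admin, sys_rawio and sys_resource is the OOM killer's task-scoring noise that 2.6.29 silences, while anything else, such as arping's sys_module, still needs a policy or kernel review. The sample records are constructed from the AVC lines quoted above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the AVC records quoted in this bug report:
# audit event serial 139 carries the auditd/audispd denials, serial 73 the arping one.
SAMPLE_AUDIT = """\
node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_admin } for  pid=2090 comm="auditd" capability=21 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_rawio } for  pid=2090 comm="auditd" capability=17 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=capability
node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_admin } for  pid=2091 comm="audispd" capability=21 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability
node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_resource } for  pid=2091 comm="audispd" capability=24 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability
node=viklef.ceplovi.cz type=AVC msg=audit(1233291657.459:139): avc:  denied  { sys_rawio } for  pid=2091 comm="audispd" capability=17 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability
node=viklef.ceplovi.cz type=AVC msg=audit(1233728246.595:73): avc:  denied  { sys_module } for  pid=7540 comm="arping" capability=16 scontext=system_u:system_r:netutils_t:s0-s0:c0.c1023 tcontext=system_u:system_r:netutils_t:s0-s0:c0.c1023 tclass=capability
node=viklef.ceplovi.cz type=SYSCALL msg=audit(1233728246.595:73): arch=c000003e syscall=16 success=no exit=-19 comm="arping" exe="/sbin/arping"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):.*?tclass=(?P<tclass>\w+)'
)

# The three capability checks that, per comment 6, the pre-2.6.29 OOM killer
# performs together on every task it scores while choosing one to kill.
OOM_BADNESS_TRIAD = frozenset({"sys_admin", "sys_rawio", "sys_resource"})


def parse_capability_denials(text):
    """Group tclass=capability AVC denials by audit event serial."""
    events = defaultdict(lambda: {"caps": set(), "procs": set(), "types": set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "capability":
            continue  # SYSCALL records and non-capability denials are skipped
        ev = events[int(m["serial"])]
        ev["caps"].update(m["perms"].split())
        ev["procs"].add(f'{m["comm"]}[{m["pid"]}]')
        ev["types"].add(m["stype"])
    return dict(events)


def triage(text):
    """Label each event: exactly the OOM triad is known kernel noise, anything else needs review."""
    verdicts = {}
    for serial, ev in parse_capability_denials(text).items():
        if ev["caps"] == OOM_BADNESS_TRIAD:
            verdicts[serial] = "likely OOM-killer badness() noise (silenced upstream in 2.6.29)"
        else:
            verdicts[serial] = "review: unexpected capability " + ", ".join(sorted(ev["caps"]))
    return verdicts
```

Calling triage(SAMPLE_AUDIT) labels event 139 as OOM-killer noise and event 73 as needing review; feed it the output of ausearch or /var/log/audit/audit.log to run it over a real host.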
Comment 12 Daniel Walsh 2009-02-04 11:02:15 EST
Allowing network utilities to load kernel modules.   That seems like a good idea?

 :^(
