Bug 514980 - Your system may be seriously compromised!
Summary: Your system may be seriously compromised!
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: bind
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F12Blocker, F12FinalBlocker
Reported: 2009-07-31 18:29 UTC by Nicolas Mailhot
Modified: 2013-04-30 23:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-06 11:11:26 UTC
Type: ---
Embargoed:



Description Nicolas Mailhot 2009-07-31 18:29:48 UTC
Your system may be seriously compromised!

SELinux has denied the named the ability to mmap low area of the kernel address space. The ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploiting null deref bugs in the kernel. All applications that need this access should have already had policy written for them. If a compromised application tries modify the kernel this AVC would be generated. This is a serious issue. Your system may very well be compromised.

Contact your security administrator and report this issue.


Contexte source:  unconfined_u:system_r:named_t:s0
Contexte cible:  unconfined_u:system_r:named_t:s0
Objets du contexte:  None [ memprotect ]
source:  named
Chemin de la source:  /usr/sbin/named
Port:  <Inconnu>
Hôte:  
Paquetages RPM source:  bind-9.6.1-6.P1.fc12
Paquetages RPM cible:  
Politique RPM:  selinux-policy-3.6.26-2.fc12
Selinux activé:  True
Type de politique:  targeted
MLS activé:  True
Mode strict:  Enforcing
Nom du plugin:  mmap_zero
Nom de l'hôte:  
Plateforme:  Linux  2.6.31-0.112.rc4.git3.fc12.x86_64 #1 SMP Thu Jul 30 15:29:28 EDT 2009 x86_64 x86_64
Compteur d'alertes:  12
Première alerte:  ven. 31 juil. 2009 20:19:00 CEST
Dernière alerte:  ven. 31 juil. 2009 20:19:00 CEST
ID local:  f0c205ff-5c07-40c7-b0c0-bb040db09024
Numéros des lignes:  
Messages d'audit bruts :

node= type=AVC msg=audit(1249064340.25:68): avc: denied { mmap_zero } for pid=2844 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:system_r:named_t:s0 tclass=memprotect

node= type=AVC msg=audit(1249064340.25:68): avc: denied { mmap_zero } for pid=2844 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:system_r:named_t:s0 tclass=memprotect

node= type=AVC msg=audit(1249064340.25:68): avc: denied { mmap_zero } for pid=2844 comm="named" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:system_r:named_t:s0 tclass=memprotect

node= type=SYSCALL msg=audit(1249064340.25:68): arch=c000003e syscall=125 success=yes exit=0 a0=7fffdf697374 a1=0 a2=7fffdbf1fe80 a3=24 items=0 ppid=2843 pid=2844 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
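
An added example (not part of the original report, and not setroubleshoot's own code): one way to triage an alert like this is to join the AVC and SYSCALL records that share an audit event ID and check which system call triggered the `mmap_zero` denial. On x86_64, syscall 125 is `capget`, which is not a mapping call. The function name, the reported fields and the `MAPPING_SYSCALLS` heuristic are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Records copied from the report above (SYSCALL line trimmed to the fields used here).
AVC_LINE = ('node= type=AVC msg=audit(1249064340.25:68): avc: denied { mmap_zero } '
            'for pid=2844 comm="named" scontext=unconfined_u:system_r:named_t:s0 '
            'tcontext=unconfined_u:system_r:named_t:s0 tclass=memprotect')
SYSCALL_LINE = ('node= type=SYSCALL msg=audit(1249064340.25:68): arch=c000003e '
                'syscall=125 success=yes exit=0 pid=2844 uid=25 comm="named" '
                'exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0')
SAMPLE = "\n".join([AVC_LINE] * 3 + [SYSCALL_LINE])

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64 = "c000003e"  # AUDIT_ARCH_X86_64; the syscall numbers below are only valid for it
# Assumption (triage heuristic, not exhaustive): x86_64 calls that can place a
# mapping at a low address: mmap=9, brk=12, mremap=25, shmat=30.
MAPPING_SYSCALLS = {9, 12, 25, 30}

def triage_mmap_zero(log_text):
    """Group audit records by event ID and summarize each mmap_zero denial."""
    events = defaultdict(lambda: {"denials": Counter(), "syscall": {}})
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if not header:
            continue
        rtype, event_id = header.groups()
        body = line[header.end():]
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        denied = DENIED.search(body)
        if rtype == "AVC" and denied:
            for perm in denied.group(1).split():
                key = (perm, fields.get("tclass", ""), fields.get("scontext", ""))
                events[event_id]["denials"][key] += 1  # collapse repeated records
        elif rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
    findings = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        nr = int(sc["syscall"]) if sc.get("syscall", "").isdigit() else None
        known = nr is not None and sc.get("arch") == X86_64
        for (perm, tclass, scontext), count in ev["denials"].items():
            if (perm, tclass) == ("mmap_zero", "memprotect"):
                findings.append({"event": event_id, "domain": scontext,
                                 "exe": sc.get("exe"), "records": count,
                                 "syscall": nr, "succeeded": sc.get("success"),
                                 "mapping_call": nr in MAPPING_SYSCALLS if known else None})
    return findings
```

`mapping_call` is `None` when no SYSCALL record accompanies the denial or the architecture is not x86_64, so the result is never guessed from an unknown syscall table.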

Comment 1 Adam Tkac 2009-08-04 14:54:10 UTC
Would it be possible to tell me how you reproduced this issue, please? I have installed:

bind-9.6.1-6.P1.fc12.x86_64
selinux-policy-targeted-3.6.26-2.fc12.noarch

and I'm running on 2.6.31-0.118.rc5.fc12.x86_64 kernel with no SELinux denial.

Comment 2 Nicolas Mailhot 2009-08-05 07:21:05 UTC
If I can reproduce it I'll post the info. There have been several selinux, bind and glibc updates in rawhide since.

Comment 3 Adam Tkac 2009-08-06 11:11:26 UTC
(In reply to comment #2)
> If I can reproduce it I'll post the info. There have been several selinux, bind
> and glibc updates in rawhide since  

Ok, if it happens again please reopen this issue. For now I'm closing this ticket.

