The following was filed automatically by setroubleshoot:

Summary:

Your system may be seriously compromised!

Detailed Description:

SELinux has prevented iw from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.

Allowing Access:

Contact your security administrator and report this issue.

Additional Information:

Source Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        iw
Source Path                   /usr/bin/iw
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iw-0.9.16-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.28-9.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   sys_module
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.190.rc8.fc12.i686.PAE #1 SMP Fri Aug 28 18:51:47 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Sun 30 Aug 2009 10:25:55 PM EDT
Last Seen                     Tue 01 Sep 2009 06:12:26 PM EDT
Local ID                      aa49ace2-2a83-46f4-8745-a2d454a124cc
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1251843146.759:51): avc: denied { sys_module } for pid=1735 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1251843146.759:51): arch=40000003 syscall=54 success=no exit=-19 a0=4 a1=8933 a2=bf8171dc a3=4 items=0 ppid=1722 pid=1735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/bin/iw" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= udev_t ==============
allow udev_t self:capability sys_module;
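As an added example (the editor's, not part of the bug report or of setroubleshoot), a small Python triage script that parses the two raw audit records above, joins them by audit serial and decodes the numbers a human would otherwise have to look up: capability=16 is CAP_SYS_MODULE, arch=40000003 is i386 and syscall=54 is ioctl there, a1=8933 is SIOCGIFINDEX, and exit=-19 is -ENODEV. The lookup tables are partial and the sample records are a constructed copy of the ones in the report. The last field is the caveat worth having when an AVC like this one is triaged: the syscall failed with ENODEV rather than EACCES or EPERM, so the denial did not itself fail the call; the record is consistent with the kernel checking for the capability on the way and continuing without it, rather than with a real module-load attempt by iw.

```python
# Added example (editor's, not from the bug report): decode the AVC and SYSCALL
# records of one audit event into a triage summary. The lookup tables are
# partial, taken from linux/capability.h, the i386/x86_64 syscall tables and
# linux/sockios.h; everything else is parsed from the records themselves.
import errno
import re

# Constructed copy of the two audit records from the setroubleshoot report.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1251843146.759:51): avc: denied { sys_module } for pid=1735 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
node=(removed) type=SYSCALL msg=audit(1251843146.759:51): arch=40000003 syscall=54 success=no exit=-19 a0=4 a1=8933 a2=bf8171dc a3=4 items=0 ppid=1722 pid=1735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iw" exe="/usr/bin/iw" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
"""

CAPABILITIES = {0: "CAP_CHOWN", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
                19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}          # partial
AUDIT_ARCH = {"40000003": "i386", "c000003e": "x86_64"}             # AUDIT_ARCH_* values
SYSCALLS = {                                                         # partial
    "i386":   {5: "open", 11: "execve", 54: "ioctl", 128: "init_module", 129: "delete_module"},
    "x86_64": {2: "open", 16: "ioctl", 59: "execve", 175: "init_module", 176: "delete_module"},
}
SOCKIOS = {0x8913: "SIOCGIFFLAGS", 0x8927: "SIOCGIFHWADDR", 0x8933: "SIOCGIFINDEX"}  # partial

RECORD_RE = re.compile(r"type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Split one audit line into its record type, serial number and key=value fields."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    rec = {"type": m.group("type"), "serial": int(m.group("serial")),
           "fields": {k: v.strip('"') for k, v in KV_RE.findall(body)}}
    perms = PERM_RE.search(body)
    if perms:
        rec["permissions"] = perms.group(1).split()
    return rec


def triage_event(avc, syscall):
    """Join an AVC record with the SYSCALL record of the same serial and decode it."""
    f = avc["fields"]
    event = {
        "serial": avc["serial"],
        "comm": f.get("comm"),
        "domain": f["scontext"].split(":")[2],
        "tclass": f.get("tclass"),
        "permission": " ".join(avc.get("permissions", [])),
        # A capability denial whose source and target context match is the
        # process asking for one of its own capabilities (self:capability).
        "self_denial": f.get("tclass") == "capability" and f["scontext"] == f["tcontext"],
        "capability": CAPABILITIES.get(int(f["capability"])) if "capability" in f else None,
    }
    if syscall:
        s = syscall["fields"]
        arch = AUDIT_ARCH.get(s.get("arch", "").lower(), "unknown")
        name = SYSCALLS.get(arch, {}).get(int(s["syscall"]), "syscall#" + s["syscall"])
        code = -int(s.get("exit", "0"))          # negative exit is -errno
        event.update({
            "arch": arch, "syscall": name, "exe": s.get("exe"),
            "errno": errno.errorcode.get(code, str(code)) if code > 0 else None,
        })
        if name == "ioctl":                       # audit logs syscall arguments in hex
            req = int(s["a1"], 16)
            event["ioctl_request"] = SOCKIOS.get(req, hex(req))
        # If the call failed with something other than EACCES/EPERM, the denial did
        # not itself fail the syscall: the kernel probed for the capability and
        # carried on, and the failure has another cause (here: no such device).
        event["denial_failed_syscall"] = event["errno"] in ("EACCES", "EPERM")
    return event


def triage(audit_text):
    """Group records by audit serial and return one decoded event per AVC."""
    by_serial = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    return [triage_event(recs["AVC"], recs.get("SYSCALL"))
            for _, recs in sorted(by_serial.items()) if "AVC" in recs]


if __name__ == "__main__":
    for ev in triage(SAMPLE_AUDIT):
        print(f"audit({ev['serial']}): {ev['comm']} ({ev['domain']}) denied {ev['permission']} "
              f"[{ev['capability']}] in {ev['syscall']} {ev.get('ioctl_request', '')} "
              f"-> {ev['errno']}; denial failed the syscall: {ev['denial_failed_syscall']}")
```

Run against a real /var/log/audit/audit.log the same way (`triage(open(path).read())`); records that are not AVC or SYSCALL are kept by serial but ignored, and unknown capability or syscall numbers come back as None or `syscall#N` rather than raising, so the script does not silently mislabel an event it cannot decode.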
the kernel changes to stop this type of denial aren't scheduled to go into mainline until 2.6.32. James, do you see any reason I shouldn't push them to rawhide kernels now?
(In reply to comment #1)
> the kernel changes to stop this type of denial aren't scheduled to go into
> mainline until 2.6.32. James, do you see any reason I shouldn't push them to
> rawhide kernels now?

No,
*** Bug 522962 has been marked as a duplicate of this bug. ***
*** Bug 481618 has been marked as a duplicate of this bug. ***
A fix has been committed in CVS for the next Fedora 12 kernel build. It should be in kernels kernel-2.6.31-24.fc12 or newer whenever they get built.