The following was filed automatically by setroubleshoot: Summary: Your system may be seriously compromised! Detailed Description: [nscd has a permissive type (nscd_t). This access was not denied.] SELinux has denied the nscd the ability to mmap low area of the kernel address space. The ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploiting null deref bugs in the kernel. All applications that need this access should have already had policy written for them. If a compromised application tries modify the kernel this AVC would be generated. This is a serious issue. Your system may very well be compromised. Allowing Access: Contact your security administrator and report this issue. Additional Information: Source Context unconfined_u:system_r:nscd_t:s0 Target Context unconfined_u:system_r:nscd_t:s0 Target Objects None [ memprotect ] Source nscd Source Path /usr/sbin/nscd Port <Unknown> Host (removed) Source RPM Packages nscd-2.10.90-20 Target RPM Packages Policy RPM selinux-policy-3.6.30-2.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name mmap_zero Host Name (removed) Platform Linux (removed) 2.6.31-0.190.rc8.fc12.x86_64 #1 SMP Fri Aug 28 18:51:58 EDT 2009 x86_64 x86_64 Alert Count 6 First Seen Thu 03 Sep 2009 06:33:36 AM PDT Last Seen Thu 03 Sep 2009 06:33:36 AM PDT Local ID 5005f5c8-e9c9-4b14-89cd-6a939395d9d0 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1251984816.956:50): avc: denied { mmap_zero } for pid=2669 comm="nscd" scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:nscd_t:s0 tclass=memprotect node=(removed) type=AVC msg=audit(1251984816.956:50): avc: denied { mmap_zero } for pid=2669 comm="nscd" scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:nscd_t:s0 tclass=memprotect node=(removed) type=AVC msg=audit(1251984816.956:50): avc: denied { mmap_zero } for pid=2669 comm="nscd" scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:nscd_t:s0 tclass=memprotect node=(removed) type=SYSCALL msg=audit(1251984816.956:50): arch=c000003e syscall=125 success=yes exit=0 a0=7fff3469a214 a1=0 a2=7fff32031e80 a3=24 items=0 ppid=2668 pid=2669 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null) audit2allow suggests: #============= nscd_t ============== allow nscd_t self:memprotect mmap_zero;
BTW, I received these after I had updated to glibc-2.10.90-20.x86_64 glibc-headers-2.10.90-20.x86_64 glibc-common-2.10.90-20.x86_64 nscd-2.10.90-20.x86_64 glibc-debuginfo-2.10.90-18.x86_64 glibc-devel-2.10.90-20.x86_64 and before I rebooted. I've since rebooted and I have not yet seen this again.....
Needless to say, nscd should not need to mmap_zero.
syscall=capget This is about the 4th one of those. Ok, ok, I'll figure out how the fsck sys_capget manages to do this. It's deffinitly NOT nscd's fault, it's a kernel problem....
Eric, any idea about this? There are hopefully more and more programs using capabilities and if this is a wide spread problem it can create big disruptions.
*** This bug has been marked as a duplicate of bug 525537 ***