The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/sbin/sshd "module_request" access.

Detailed Description:

SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                None [ system ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openssh-server-5.2p1-28.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-21.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-58.fc12.x86_64 #1 SMP Fri Oct 2 16:17:33 EDT 2009 x86_64 x86_64
Alert Count                   49
First Seen                    Tue 06 Oct 2009 12:16:03 PM CEST
Last Seen                     Thu 08 Oct 2009 11:15:44 AM CEST
Local ID                      6c72bc5f-a8b1-4b7d-8815-32c6dd7ff715
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1254993344.997:107): avc: denied { module_request } for pid=15831 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=(removed) type=SYSCALL msg=audit(1254993344.997:107): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=6 a3=7fff592851a0 items=0 ppid=15822 pid=15831 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-21.fc12,catchall,sshd,sshd_t,kernel_t,system,module_request

audit2allow suggests:

#============= sshd_t ==============
allow sshd_t kernel_t:system module_request;
Fixed in selinux-policy-3.6.32-23.fc12.noarch. It would really be nice if the AVC included a message about what module was requested. Eric?
This should not be needed.... Almost certainly this was IPv6, and it should have been loaded by something already and we should get into this situation. I'll look to see if we can emit some message when we deny module_request.
I have ipv6 disabled
cat /etc/modprobe.d/ipv6_blacklist.conf contains:
blacklist ipv6
install ipv6 /bin/true
So that's almost certainly it. Everything that tries to do anything with IPv6 is going to cause the kernel to try to auto load the ipv6 module. Some things pass the security check (udev, ifconfig, etc), but then just call /bin/true, which leaves the module unloaded. Later things (sshd, sendmail) will then cause the kernel to try to autoload the IPv6 module since it was not loaded, but will be denied by the security hook. I'm trying to think of a way to solve this problem, but not much other than dontaudit rules is immediately springing to mind... -eric
dontaudit domain kernel_t: module_request since any app that uses the network can cause this.
*** Bug 527939 has been marked as a duplicate of this bug. ***
*** Bug 529758 has been marked as a duplicate of this bug. ***
*** Bug 527938 has been marked as a duplicate of this bug. ***
*** Bug 530668 has been marked as a duplicate of this bug. ***
*** Bug 531867 has been marked as a duplicate of this bug. ***
*** Bug 532254 has been marked as a duplicate of this bug. ***
*** Bug 532625 has been marked as a duplicate of this bug. ***
*** Bug 533609 has been marked as a duplicate of this bug. ***
*** Bug 536722 has been marked as a duplicate of this bug. ***
*** Bug 536747 has been marked as a duplicate of this bug. ***
*** Bug 537696 has been marked as a duplicate of this bug. ***
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
*** Bug 538402 has been marked as a duplicate of this bug. ***
*** Bug 538404 has been marked as a duplicate of this bug. ***
*** Bug 538494 has been marked as a duplicate of this bug. ***
*** Bug 538815 has been marked as a duplicate of this bug. ***
*** Bug 538816 has been marked as a duplicate of this bug. ***
*** Bug 538817 has been marked as a duplicate of this bug. ***
*** Bug 539260 has been marked as a duplicate of this bug. ***
*** Bug 539461 has been marked as a duplicate of this bug. ***
*** Bug 539882 has been marked as a duplicate of this bug. ***
*** Bug 539881 has been marked as a duplicate of this bug. ***
*** Bug 540182 has been marked as a duplicate of this bug. ***
I have the problem and I also have ipv6 disabled. The reason is that I have a crappy ISP box that makes my Fedora box believe it has an ipv6 DNS. So every network operation is delayed by a DNS timeout (web navigation, package upgrade, etc). So I have to tell Fedora to not use ipv6 at all.
We are working on a fix to the kernel to report the name of the modules the kernel is trying to load. Once we have that, we can check if ipv6 is disabled, and not show the avc if it hits.
*** Bug 540859 has been marked as a duplicate of this bug. ***
*** Bug 542125 has been marked as a duplicate of this bug. ***
*** Bug 542127 has been marked as a duplicate of this bug. ***
*** Bug 542406 has been marked as a duplicate of this bug. ***
*** Bug 542912 has been marked as a duplicate of this bug. ***
This bug has reoccurred in the new kernel version 2.6.31.6-145.fc12.x86_64 which is in upgrade repo...

Zusammenfassung:

SELinux is preventing /usr/sbin/sshd "module_request" access.

Detaillierte Beschreibung:

SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:sshd_t:s0-s0:c0.c1023
Zielkontext                   system_u:system_r:kernel_t:s0
Zielobjekte                   None [ system ]
Quelle                        sshd
Quellen-Pfad                  /usr/sbin/sshd
Port                          <Unbekannt>
Host                          (removed)
Quellen-RPM-Pakete            openssh-server-5.2p1-31.fc12
Ziel-RPM-Pakete
RPM-Richtlinie                selinux-policy-3.6.32-46.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Enforcing
Plugin-Name                   catchall
Hostname                      (removed)
Plattform                     Linux hp550-01.slnet 2.6.31.6-145.fc12.x86_64 #1 SMP Sat Nov 21 15:57:45 EST 2009 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                Mi 02 Dez 2009 18:34:08 CET
Zuletzt gesehen               Mi 02 Dez 2009 18:34:08 CET
Lokale ID                     6b9fe65f-24ec-45c4-a914-96aaac0ee005
Zeilennummern

Raw-Audit-Meldungen

node=hp550-01.slnet type=AVC msg=audit(1259775248.256:8): avc: denied { module_request } for pid=1051 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=hp550-01.slnet type=SYSCALL msg=audit(1259775248.256:8): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=6 a3=fffffffffffffee8 items=0 ppid=1048 pid=1051 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
*** Bug 544146 has been marked as a duplicate of this bug. ***
*** Bug 544394 has been marked as a duplicate of this bug. ***
*** Bug 545713 has been marked as a duplicate of this bug. ***
*** Bug 545717 has been marked as a duplicate of this bug. ***
*** Bug 545833 has been marked as a duplicate of this bug. ***
*** Bug 545938 has been marked as a duplicate of this bug. ***
I have been taking bleeding-edge packages from koji and this isn't getting fixed.
We are waiting for a kernel update to identify the module that is loading. At the time this kernel update gets out, I will modify setroubleshoot to check if ipv6 is disabled and then ignore any AVC message that attempts to load the ipv6 kernel module. This is the best we can do.
*** Bug 546870 has been marked as a duplicate of this bug. ***
*** Bug 546886 has been marked as a duplicate of this bug. ***
*** Bug 547604 has been marked as a duplicate of this bug. ***
*** Bug 548343 has been marked as a duplicate of this bug. ***
*** Bug 543625 has been marked as a duplicate of this bug. ***
*** Bug 549970 has been marked as a duplicate of this bug. ***
*** Bug 550131 has been marked as a duplicate of this bug. ***
*** Bug 550605 has been marked as a duplicate of this bug. ***
*** Bug 550602 has been marked as a duplicate of this bug. ***
*** Bug 551575 has been marked as a duplicate of this bug. ***
(In reply to comment #45)
> We are waiting for a kernel update to identify the module that is loading. At
> the time this kernel update gets out, I will modify setroubleshoot to check if
> ipv6 is disabled and then ignore any AVC message that attempts to load the ipv6
> kernel module. This is the best we can do.

What about other modules, such as 'tun'? Is there a knob that would turn the warning off for all modules? In the long run pretty much any application can cause module load (mount loading an fs module, etc)...
(In reply to comment #45)
> We are waiting for a kernel update to identify the module that is loading. At
> the time this kernel update gets out, I will modify setroubleshoot to check if
> ipv6 is disabled and then ignore any AVC message that attempts to load the ipv6
> kernel module. This is the best we can do.

Would it be possible to have some workaround in selinux policy? It's quite annoying when once in a while sealert shows up with another module request. Especially when managing more computers.
Adding

## <desc>
## <p>
## Allow all domains to have the kernel load modules
## </p>
## </desc>
#
gen_tunable(domain_kernel_load_modules, false)

tunable_policy(`domain_kernel_load_modules',`
	kernel_request_load_module(domain)
')

This will be turned off by default, but if turned on, all confined domains will be allowed to request the kernel to load a module.

Fixed in selinux-policy-3.6.32-66.fc12.noarch
*** Bug 548612 has been marked as a duplicate of this bug. ***
*** Bug 559063 has been marked as a duplicate of this bug. ***
Dan, I'm going to reassign this to setroubleshootd. The 2.6.34 kernels in rawhide will report an additional kmod=pf-net-10 if it is IPv6 being autoloaded. setroubleshoot should look in the modprobe blacklist for ipv6 and just ignore the message if it was disabled.
Sure, could you give me pseudo code of what I am looking for? I.e., where would you put the modprobe blacklist?
egrep "blacklist[ \t].*ipv6" /etc/modprobe.d/ -R
RET = $?
if $RET == 0 don't complain
if $RET == 1 complain
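The check discussed in the last three comments, written out as an added example (not setroubleshoot's own code, and not part of the original thread): it reads the kmod field of a module_request denial and stays quiet only when the requested module is IPv6 and modprobe.d disables it. The function names, the sample record with its appended kmod field, and the acceptance of both alias spellings are assumptions of this sketch.

```python
import re

# Aliases under which the kernel asks for IPv6 (address family 10). The thread
# writes "pf-net-10"; the kernel's alias form is "net-pf-10". Both are accepted.
IPV6_ALIASES = {"net-pf-10", "pf-net-10", "ipv6"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KMOD_RE = re.compile(r'\bkmod="?([^"\s]+)"?')

# Constructed samples: the modprobe.d file quoted in the thread, and the
# thread's AVC record with a kmod field appended as a newer kernel would.
SAMPLE_CONF = "blacklist ipv6\ninstall ipv6 /bin/true\n"
SAMPLE_AVC = ('type=AVC msg=audit(1254993344.997:107): avc: denied '
              '{ module_request } for pid=15831 comm="sshd" kmod="net-pf-10" '
              'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
              'tcontext=system_u:system_r:kernel_t:s0 tclass=system')


def ipv6_disabled(conf_texts):
    """True if any modprobe.d text blacklists ipv6 or stubs out its install."""
    for text in conf_texts:
        for line in text.splitlines():
            words = line.split("#", 1)[0].split()   # drop trailing comments
            if words[:2] == ["blacklist", "ipv6"]:
                return True
            if words[:3] == ["install", "ipv6", "/bin/true"]:
                return True
    return False


def should_report(avc_line, conf_texts):
    """Decide whether a denial should still be shown to the administrator."""
    m = AVC_RE.search(avc_line)
    if not m or "module_request" not in m.group(1).split():
        return True          # not a module_request denial: not this check's call
    k = KMOD_RE.search(avc_line)
    if k is None:
        return True          # kernel did not name the module: cannot judge
    if k.group(1) in IPV6_ALIASES and ipv6_disabled(conf_texts):
        return False         # expected denial on a host with ipv6 disabled
    return True              # any other module (tun, a filesystem, ...)


if __name__ == "__main__":
    print(should_report(SAMPLE_AVC, [SAMPLE_CONF]))
```

Unlike the one-line egrep, this ignores commented-out blacklist lines and keeps reporting requests for any module other than IPv6.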
*** Bug 550372 has been marked as a duplicate of this bug. ***
I have ipv6 disabled on f12/2.6.32.14-127/PPC, and am seeing this avc for multiple comms:

"canberra-gtk-pl" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"rndc" scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"sendmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"spamd" scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Not thrilled about setting domain_kernel_load_modules, but if it will keep my syslog from getting spammed with this message every few minutes...
This code is in F13 and we have a big switch

tunable_policy(`domain_kernel_load_modules',`
	kernel_request_load_module(domain)
')

setroubleshoot checks in F13 also.