Bug 532342 - Your system may be seriously compromised! /usr/sbin/rpc.rquotad attempted to mmap low kernel memory.
Summary: Your system may be seriously compromised! /usr/sbin/rpc.rquotad attempted to ...
Keywords:
Status: CLOSED DUPLICATE of bug 528581
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-01 19:16 UTC by Neo Nerd
Modified: 2009-11-02 14:25 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-02 14:25:43 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Neo Nerd 2009-11-01 19:16:48 UTC
Summary:

Your system may be seriously compromised! /usr/sbin/rpc.rquotad attempted to
mmap low kernel memory.

Detailed Description:

[rpc.rquotad has a permissive type (rpcd_t). This access was not denied.]

SELinux has denied the rpc.rquotad the ability to mmap low area of the kernel
address space. The ability to mmap a low area of the address space, as
configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
protect against exploiting null deref bugs in the kernel. All applications that
need this access should have already had policy written for them. If a
compromised application tries modify the kernel this AVC would be generated.
This is a serious issue. Your system may very well be compromised.

Allowing Access:

Contact your security administrator and report this issue.

Additional Information:

Source Context                system_u:system_r:rpcd_t:s0
Target Context                system_u:system_r:rpcd_t:s0
Target Objects                None [ memprotect ]
Source                        rpc.rquotad
Source Path                   /usr/sbin/rpc.rquotad
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           quota-3.17-8.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-35.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mmap_zero
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.x86_64
                              #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 29 Oct 2009 10:16:26 PM EDT
Last Seen                     Thu 29 Oct 2009 10:16:26 PM EDT
Local ID                      64d16b14-780a-40e3-94f9-b4e07c85298b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1256868986.454:22771): avc:  denied  { mmap_zero } for  pid=5464 comm="rpc.rquotad" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:rpcd_t:s0 tclass=memprotect

node=(removed) type=SYSCALL msg=audit(1256868986.454:22771): arch=c000003e syscall=179 success=yes exit=0 a0=580500 a1=0 a2=0 a3=0 items=0 ppid=5463 pid=5464 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=system_u:system_r:rpcd_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-35.fc12,mmap_zero,rpc.rquotad,rpcd_t,rpcd_t,memprotect,mmap_zero
audit2allow suggests:

#============= rpcd_t ==============
allow rpcd_t self:memprotect mmap_zero;

Comment 1 Eric Paris 2009-11-02 14:25:43 UTC

*** This bug has been marked as a duplicate of bug 528581 ***


Note You need to log in before you can comment on or make changes to this bug.