Résumé: SELinux empêche l'accès en "search" à /usr/libexec/polkit-1/polkit-agent-helper-1 on /var/lib/a Description détaillée: SELinux a refusé l'accès demandé par polkit-agent-he. Il n'est pas prévu que cet accès soit requis par polkit-agent-he et cet accès peut signaler une tentative d'intrusion. Il est également possible que cette version ou cette configuration spécifique de l'application provoque cette demande d'accès supplémenta Autoriser l'accès: Vous pouvez créer un module de stratégie locale pour autoriser cet accès - lisez la FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Merci de remplir un rapport de bogue. Informations complémentaires: Contexte source unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c 0.c1023 Contexte cible system_u:object_r:var_auth_t:s0 Objets du contexte /var/lib/abl [ dir ] source polkit-agent-he Chemin de la source /usr/libexec/polkit-1/polkit-agent-helper-1 Port <Inconnu> Hôte (supprimé) Paquetages RPM source polkit-0.96-1.fc13 Paquetages RPM cible pam_abl-0.2.3-8.fc12 Politique RPM selinux-policy-3.8.8-10.fc14 Selinux activé True Type de politique targeted Mode strict Enforcing Nom du plugin catchall Nom de l'hôte (supprimé) Plateforme Linux (supprimé) 2.6.35-2.fc14.x86_64 #1 SMP Wed Aug 4 19:15:25 UTC 2010 x86_64 x86_64 Compteur d'alertes 1 Première alerte ven. 06 août 2010 19:57:59 CEST Dernière alerte ven. 06 août 2010 19:57:59 CEST ID local 580f6385-1140-49eb-9a21-e0106686cf99 Numéros des lignes Messages d'audit bruts node=(supprimé) type=AVC msg=audit(1281117479.56:27): avc: denied { search } for pid=2628 comm="polkit-agent-he" name="abl" dev=dm-1 ino=122447 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir node=(supprimé) type=SYSCALL msg=audit(1281117479.56:27): arch=c000003e syscall=4 success=no exit=-13 a0=1005f10 a1=7fffd72a1030 a2=7fffd72a1030 a3=180 items=0 ppid=2342 pid=2628 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null) Hash String generated from catchall,polkit-agent-he,policykit_auth_t,var_auth_t,dir,search audit2allow suggests: #============= policykit_auth_t ============== allow policykit_auth_t var_auth_t:dir search;
Did you add pam_abl to /etc/pam.d/system-auth?
I did it when I first installed pam_abl on the system years ago. I haven't checked lately if the various system upgrades since have preserved this (but I guess if they hadn't there would be no selinux alert today)
Created attachment 437949 [details] /etc/pam.d/system-auth Local /etc/pam.d/system-auth with typical pam_abl configuration
Summary : A Pluggable Authentication Module (PAM) for auto blacklisting Description : Provides auto blacklisting of hosts and users responsible for repeated failed authentication attempts. Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate. A command line tool allows to query or purge the databases used by the pam_abl module.
I know what it is, but I am not sure it belongs in that file, since this is read by cron and policykit. You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Fixed in selinux-policy-3.8.8-12.fc14
(In reply to comment #5) > I know what it is, but I am not sure it belongs in that file, since this is > read by cron and policykit. The way I understand it, the main value of pam_abl (as opposed to a protocol-specific wrapper such as deny host) is to protect against any brute-force password cracking attempt at the pam database, regardless of how many layers of software indirections are used before hitting pam. But them I am not a professional security expert like you, so I would welcome your thoughts on where pam_abl should better plug. I realise that the main drawback of this approach is the possibility of DOS. On my system a DOS is preferable to an intrusion.
Ok I guess you are right. I see it more useful for network facing login programs like sshd, but I guess if you are worried about someone trying to brute force policykit.
selinux-policy-3.8.8-14.fc14 has been submitted as an update for Fedora 14. http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-14.fc14
Still there with selinux-policy-3.8.8-16.fc14
Oops your right, I added the access to policykit_t instead of policykit_auth_t. Fixed in selinux-policy-3.8.8-18.fc14
selinux-policy-3.8.8-14.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.