Red Hat Bugzilla – Bug 904880
SELinux is preventing /usr/sbin/ifconfig from 'execute' accesses on the file /opt/metasploit/common/lib/libpcre.so.1.0.0.
Last modified: 2013-01-28 12:16:37 EST
Description of problem: SELinux is preventing /usr/sbin/ifconfig from 'execute' accesses on the file /opt/metasploit/common/lib/libpcre.so.1.0.0. ***** Plugin restorecon (94.8 confidence) suggests ************************* If você deseja reparar este rótulo. /opt/metasploit/common/lib/libpcre.so.1.0.0 rótulo padrão deve ser lib_t. Then você pode executar o restorecon. Do # /sbin/restorecon -v /opt/metasploit/common/lib/libpcre.so.1.0.0 ***** Plugin catchall_labels (5.21 confidence) suggests ******************** If you want to allow ifconfig to have execute access on the libpcre.so.1.0.0 file Then você precisará mudar o rótulo em /opt/metasploit/common/lib/libpcre.so.1.0.0 Do # semanage fcontext -a -t FILE_TYPE '/opt/metasploit/common/lib/libpcre.so.1.0.0' onde FILE_TYPE é um dos seguintes: abrt_helper_exec_t, ifconfig_exec_t, textrel_shlib_t, brctl_exec_t, insmod_exec_t, ld_so_t, lib_t, prelink_exec_t. Então execute: restorecon -v '/opt/metasploit/common/lib/libpcre.so.1.0.0' ***** Plugin catchall (1.44 confidence) suggests *************************** If você acredita que o ifconfig deva ser permitido acesso de execute em libpcre.so.1.0.0 file por default. Then você precisa reportar este como um erro. Você pode gerar um módulo de política local para permitir este acesso. Do permitir este acesso agora executando: # grep ifconfig /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:ifconfig_t:s0 Target Context unconfined_u:object_r:usr_t:s0 Target Objects /opt/metasploit/common/lib/libpcre.so.1.0.0 [ file ] Source ifconfig Source Path /usr/sbin/ifconfig Port <Unknown> Host (removed) Source RPM Packages net-tools-2.0-0.2.20121106git.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-73.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed Jan 16 16:22:52 UTC 2013 x86_64 x86_64 Alert Count 3 First Seen 2013-01-26 16:48:39 BRST Last Seen 2013-01-28 00:11:38 BRST Local ID d2d617b9-830b-4bf3-89ed-8405f78c1ca3 Raw Audit Messages type=AVC msg=audit(1359339098.190:347): avc: denied { execute } for pid=2153 comm="ifconfig" path="/opt/metasploit/common/lib/libpcre.so.1.0.0" dev="sda3" ino=1716852 scontext=system_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1359339098.190:347): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=225bf0 a2=5 a3=802 items=0 ppid=2151 pid=2153 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=ifconfig exe=/usr/sbin/ifconfig subj=system_u:system_r:ifconfig_t:s0 key=(null) Hash: ifconfig,ifconfig_t,usr_t,file,execute audit2allow #============= ifconfig_t ============== #!!!! This avc is allowed in the current policy allow ifconfig_t usr_t:file execute; audit2allow -R #============= ifconfig_t ============== #!!!! This avc is allowed in the current policy allow ifconfig_t usr_t:file execute; Additional info: hashmarkername: setroubleshoot kernel: 3.7.2-204.fc18.x86_64 type: libreport
Looks like this is allowed, and the file is also mislabeled. restorecon -R -v /opt