Fedora Linux Support Community & Resources Center

  #1  
Old 5th August 2010, 02:39 AM
Gumby Offline
AVC Denial that concerns me.

Hi all,

Normally AVC denials don’t concern me, but these ones do for the following reasons.
Log files pre 2nd Aug are gone, problem started 1st Aug post boot.
Sendmail was one of the first AVC denials, a service I don’t use. I have no log file for this as it was an issue on the 1st Aug.
I rarely use sshd.

Is there anything security-wise to be concerned about in the following AVC logs? If not, is it just a configuration issue/gremlin?

System had a full update on the 31st Jul.

Thanks for any advice in advance.


[Me@localhost ~]$ sealert -l 6b02309c-9d29-41f4-954c-5a0b7b1925b0

Summary:

SELinux is preventing /usr/sbin/sshd "module_request" access on <Unknown>.

Detailed Description:

SELinux denied access requested by sshd.

Additional Information:

Source Context system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context system_u:system_r:kernel_t:s0
Target Objects None [ system ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages openssh-server-5.4p1-3.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-39.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
UTC 2010 x86_64 x86_64
Alert Count 8
First Seen Mon Aug 2 18:39:25 2010
Last Seen Tue Aug 3 18:24:28 2010
Local ID 6b02309c-9d29-41f4-954c-5a0b7b1925b0
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1280823868.96:11): avc: denied { module_request } for pid=2162 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=localhost.localdomain type=SYSCALL msg=audit(1280823868.96:11): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=6 a3=fffffffffffffee8 items=0 ppid=1 pid=2162 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)



[Me@localhost ~]$ sealert -l f8876a36-deaf-43e0-b2a2-e17056822734

Summary:

SELinux is preventing /sbin/rpc.statd "module_request" access on <Unknown>.

Detailed Description:

SELinux denied access requested by rpc.statd.

Fix Command:

# setsebool -P domain_kernel_load_modules 1

Additional Information:

Source Context system_u:system_r:rpcd_t:s0
Target Context system_u:system_r:kernel_t:s0
Target Objects None [ system ]
Source rpc.statd
Source Path /sbin/rpc.statd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages nfs-utils-1.2.2-2.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-39.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
UTC 2010 x86_64 x86_64
Alert Count 12
First Seen Mon Aug 2 18:39:24 2010
Last Seen Tue Aug 3 18:24:26 2010
Local ID f8876a36-deaf-43e0-b2a2-e17056822734
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1280823866.225:9): avc: denied { module_request } for pid=1930 comm="rpc.statd" kmod="net-pf-10" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=localhost.localdomain type=SYSCALL msg=audit(1280823866.225:9): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=6 a3=7fc9fabe2980 items=0 ppid=1929 pid=1930 auid=4294967295 uid=29 gid=496 euid=29 suid=29 fsuid=29 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 key=(null)
  #2  
Old 5th August 2010, 03:13 AM
CiaW Offline
Re: AVC Denial that concerns me.

Do you use ssh and/or nfs? You might want to check /var/log/messages and if you use ssh then see if there are any log entries that look suspicious? Also, check the security log (/var/log/secure I think...) I know it's there in the log file viewer if you have that installed. See if there's anything there about denied access attempts.

For some reason Fedora automatically enables SSH and opens the port (22) on the firewall. I don't use it and from what I've picked up on here, it's apparently a common way for unwanted entry attempts. Given that, I always disable the service and unselect it on the firewall settings. If or when I want to use it, I'll figure out the method of using a secure key.

It's not completely unusual for there to be wacky selinux denials, but those might bear further research. Is your system up-to-date with updates? That may or may not make a difference, too.
  #3  
Old 5th August 2010, 03:33 AM
RogerBacon Offline
Re: AVC Denial that concerns me.

Do you have IPV6 disabled / blacklisted?

I think the module_request for IPV6 (and maybe all of them..) is part of the dontaudit rules now.

You should file a bug report and see what Daniel thinks.
  #4  
Old 5th August 2010, 03:46 AM
Gumby Offline
Re: AVC Denial that concerns me.

Quote:
Originally Posted by CiaW
Do you use ssh and/or nfs? You might want to check /var/log/messages and if you use ssh then see if there are any log entries that look suspicious? Also, check the security log (/var/log/secure I think...) I know it's there in the log file viewer if you have that installed. See if there's anything there about denied access attempts.

For some reason Fedora automatically enables SSH and opens the port (22) on the firewall. I don't use it and from what I've picked up on here, it's apparently a common way for unwanted entry attempts. Given that, I always disable the service and unselect it on the firewall settings. If or when I want to use it, I'll figure out the method of using a secure key.

It's not completely unusual for there to be wacky selinux denials, but those might bear further research. Is your system up-to-date with updates? That may or may not make a difference, too.

CiaW,
ssh p22 was / is disabled and my gateway is a smoothwall, so I’m fairly confident I’m not being attacked as everything looks normal on my network. I.e. no unusual traffic in or out.

System is up to date, I don’t use NFS and there have been no denied external access attempts that I can see.

Cheers
Gumby

---------- Post added at 12:46 PM CDT ---------- Previous post was at 12:45 PM CDT ----------

Quote:
Originally Posted by RogerBacon
Do you have IPV6 disabled / blacklisted?

I think the module_request for IPV6 (and maybe all of them..) is part of the dontaudit rules now.

You should file a bug report and see what Daniel thinks.
Roger,

In response to the AVC denials I started to harden my system and disabled IPV6.

Regards

Gumby
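
Decoding the raw audit records from the first post, as an added example that is not part of any poster's message: it pairs each AVC record with the SYSCALL record sharing its audit id and decodes the socket arguments. The constant tables are standard Linux x86_64 values, and the names `parse` and `triage` are made up for this illustration.

```python
import re
# Raw audit records copied from the first post (SYSCALL lines trimmed to the fields used here).
SAMPLE = """\
node=localhost.localdomain type=AVC msg=audit(1280823868.96:11): avc: denied { module_request } for pid=2162 comm="sshd" kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
node=localhost.localdomain type=SYSCALL msg=audit(1280823868.96:11): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=6 pid=2162 comm="sshd" exe="/usr/sbin/sshd"
node=localhost.localdomain type=AVC msg=audit(1280823866.225:9): avc: denied { module_request } for pid=1930 comm="rpc.statd" kmod="net-pf-10" scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
node=localhost.localdomain type=SYSCALL msg=audit(1280823866.225:9): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=6 pid=1930 comm="rpc.statd" exe="/sbin/rpc.statd"
"""
# Linux constants needed for this case only (socket.h and errno.h values).
AF = {2: "AF_INET", 10: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
ERRNO = {97: "EAFNOSUPPORT"}
EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by audit id (timestamp:serial); records sharing an id are one event."""
    events = {}
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        perms = re.search(r"\{ ([^}]*) \}", line)
        fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(m.group(2) + ":" + m.group(3), {})[m.group(1)] = fields
    return events

def triage(event):
    """Explain a module_request denial using the SYSCALL record of the same event."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or not sc or "module_request" not in avc["perms"]:
        return None
    pf = re.fullmatch(r"net-pf-(\d+)", avc.get("kmod", ""))
    family = int(pf.group(1)) if pf else None          # net-pf-N = protocol family N
    is_socket = sc.get("arch") == "c000003e" and sc.get("syscall") == "41"  # socket(2), x86_64
    domain = int(sc["a0"], 16) if is_socket else None  # audit logs a0..a3 in hex
    return {
        "comm": avc["comm"],
        "source_type": avc["scontext"].split(":")[2],
        "family": AF.get(family, family),
        "socket_domain": AF.get(domain, domain),
        "socket_type": SOCK.get(int(sc["a1"], 16) & 0xF) if is_socket else None,
        "errno": ERRNO.get(-int(sc["exit"]), sc["exit"]),
        "explained_by_socket_call": is_socket and family is not None and family == domain,
    }

for audit_id, event in parse(SAMPLE).items():
    print(audit_id, triage(event))
```

Both events decode to a `socket(AF_INET6, SOCK_STREAM, ...)` call that failed with `EAFNOSUPPORT`, with the denied `net-pf-10` request being the kernel's attempt to autoload that same protocol family, which matches RogerBacon's question about IPv6 being disabled or blacklisted.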