Re: SELinux alerts

Colin Paul Adams wrote:
> I just installed (via yum) and started squid.
> 
> I then noticed I had some SELinux alerts
> 
> Summary
>     SELinux is preventing /usr/sbin/squid (squid_t) "read write" to socket
>     (unconfined_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/sbin/squid. It is not expected that
>     this access is required by /usr/sbin/squid and this access may signal an
>     intrusion attempt. It is also possible that the specific version or
>     configuration of the application is causing it to require additional access.
> 
> Allowing Access
>     You can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:squid_t:s0
> Target Context                system_u:system_r:unconfined_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Affected RPM Packages         squid-2.6.STABLE17-1.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall
> Host Name                     susannah.colina.demon.co.uk
> Platform                      Linux susannah.colina.demon.co.uk 2.6.23.1-42.fc8
>                               #1 SMP Tue Oct 30 13:18:33 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Sat 26 Jan 2008 06:39:04 GMT
> Last Seen                     Sat 26 Jan 2008 06:39:04 GMT
> Local ID                      b8ea13f6-922f-4bb8-a448-09e80221eb2a
> Line Numbers                  
> 
> and additional similar alerts for sh (xdm), ntpd, and /usr/bin/gcin
> 
> Is it safe to ignore these?
Yes.  This is just the unix stream socket connected to the pup
application.  You should upgrade selinux-policy though to a newer policy.

pup opens a unix_stream_socket that yum-updated connects to and then
sets stdout/stderr/stdin too. When rpm restarts or starts the squid
service, the kernel checks if the squid domain can talk to the open file
descriptors.  It is not allowed so the kernel closes the file
descriptors and replaces them with ones connected to /dev/null.  These
are dontaudited in the latest policy I believe.
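
Added example, not part of the original message and not code from setroubleshoot or the Fedora policy: a triage helper that parses the alert fields quoted in this thread, flags the inherited-descriptor pattern the reply describes, and renders the matching `dontaudit` rule in raw policy syntax. The sample text is constructed from the quoted alert; the function names, the heuristic and the `INHERITABLE` class list are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant fields of the alert quoted in this thread.
ALERT = """\
Summary
    SELinux is preventing /usr/sbin/squid (squid_t) "read write" to socket
    (unconfined_t).
Source Context                system_u:system_r:squid_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
"""

# Assumption: object classes commonly handed down as stdin/stdout/stderr.
INHERITABLE = {"unix_stream_socket", "fifo_file", "chr_file"}

def parse_alert(text):
    """Extract source/target domain, object class and requested permissions."""
    def field(name):
        m = re.search(rf"^{name}\s+(\S.*)$", text, re.M)
        return m.group(1).strip() if m else None
    def domain(ctx):
        parts = (ctx or "").split(":")  # user:role:type[:level]
        return parts[2] if len(parts) >= 3 else None
    obj = re.search(r"\[\s*(\w+)\s*\]", field("Target Objects") or "")
    perms = re.search(r'"([^"]+)"', text)
    return {
        "source": domain(field("Source Context")),
        "target": domain(field("Target Context")),
        "tclass": obj.group(1) if obj else None,
        "perms": set(perms.group(1).split()) if perms else set(),
    }

def looks_like_inherited_fd(alert):
    """Heuristic: only read/write, on a stdio-style object of another domain."""
    return (
        alert["tclass"] in INHERITABLE
        and bool(alert["perms"]) and alert["perms"] <= {"read", "write"}
        and alert["source"] is not None
        and alert["source"] != alert["target"]
    )

def dontaudit_rule(alert):
    """Render a rule that silences the denial without granting the access."""
    perms = " ".join(sorted(alert["perms"]))
    return f'dontaudit {alert["source"]} {alert["target"]}:{alert["tclass"]} {{ {perms} }};'

if __name__ == "__main__":
    a = parse_alert(ALERT)
    print(a, looks_like_inherited_fd(a), dontaudit_rule(a), sep="\n")
```

A match only says the denial has the shape of a leaked descriptor; a denial for any other permission (for example `connectto`) is not covered by the heuristic and should be reviewed on its own.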

