Les Mikesell wrote:> A machine I set up to run OpenNMS stopped working last night - no
> hardware alarm lights, but keyboard/monitor/network unresponsive.
> After a reboot I see a large stack of messages like this in
> /var/log/messages:
>
> ----
> Aug 20 14:02:34 opennms-h-03 python: SELinux is preventing
> /usr/sbin/monitor-get-edid-using-vbe from mmap
> _zero access on the memprotect .
>
> ***** Plugin mmap_zero (53.1 confidence) suggests
> *************************
>
> If you do not think /usr/sbin/monitor-get-edid-using-vbe should need
> to mmap low memory in the kernel.
> Then you may be under attack by a hacker, this is a very dangerous access.
> Do
> contact your security administrator and report this issue.
>
> ***** Plugin catchall_boolean (42.6 confidence) suggests
> ******************
>
> If you want to allow mmap to low allowed
> Then you must tell SELinux about this by enabling the
> 'mmap_low_allowed' boolean.
> You can read 'None' man page for more details.
> Do
> setsebool -P mmap_low_allowed 1
>
> ***** Plugin catchall (5.76 confidence) suggests
> **************************
>
> If you believe that monitor-get-edid-using-vbe should be allowed
> mmap_zero access on the memprotect by d
> efault.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep monitor-get-edi /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> ------
> and then this final message
>
> Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no
attribute
> 'split'
>
>
> Do either of those look fatal? And where else should I look for the
> underlying problem?
>
Looks like all selinux to me, esp. the wording. Is it in enforcing mode? I
wonder if it's possible that there's a bug in an selinux policy that
results in "IT'S NOT SAFE!!! SHUT IT DOWN!!!".
mark