SCIENTIFIC-LINUX-USERS Archives

December 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Jan Iven <[log in to unmask]>
Date: Thu, 14 Dec 2006 08:54:48 +0100

Stephen John Smoogen wrote:
> On 12/13/06, Eve V. E. Kovacs <[log in to unmask]> wrote:
>> Hi,
>> I have a problem with selinux. I have an SL4.3 x86_64 system
>> which will not boot unless I add the selinux=noenforce option
>> to the boot parameters.
>>
>> If I don't, the system spews out messages like:
>>
>> theory kernel: audit(1165745008.891:666254): avc:  denied  { search } for
>> pid=16856 comm="portmap" name="bin" dev=sda2 ino=535393
>> scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:bin_t
>> tclass=dir
>>
>> and hangs.
>>
> 
> The last time I saw that was on a system that had been root'd and
> someone root kit was called 'portmap'.

I would second this assumption (a process called "portmap" with pid
16856 tries to list the contents of the bin directory - it has no reason
to be doing so).
I suggest disconnecting this machine from the net and doing some checks with
rkhunter and/or chkrootkit. Looking at /proc/16856 on a running machine
may give some hints on the location of the rootkit.
Please share your findings, especially if the infection vector isn't
clearly a stolen root password or if rkhunter/chkrootkit cannot find
anything.

http://sourceforge.net/projects/rkhunter/
(I've got an RPM under
http://linuxsoft/cern/slc4X/i386/yum/testing/repodata/repoview/rkhunter-0-1.2.9-1.cern.html)

http://chkrootkit.org
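The AVC denial quoted above carries everything a responder needs to triage it: the pid, the claimed command name, the source domain and the object it tried to touch. The following is an added example, not code from the thread or from the rkhunter/chkrootkit projects. It parses kernel audit/AVC records of the form shown, groups denials per process, applies two heuristics that are my own (a daemon domain carrying the SELinux user `user_u` instead of `system_u`, which normally means the process was started from a login session rather than by init; and a process searching several different system directory types), and gathers the `/proc/<pid>` facts the message suggests looking at. The sample log lines are constructed here; only the first reproduces the thread's denial, joined onto one line.

```python
"""Triage SELinux AVC denials and snapshot /proc for a suspect pid (added example)."""
import os
import re
from collections import defaultdict

# Constructed sample: line 1 is the thread's denial (joined onto one line);
# the rest are made up here to show grouping and the unrelated-line case.
SAMPLE_LOG = """\
theory kernel: audit(1165745008.891:666254): avc:  denied  { search } for pid=16856 comm="portmap" name="bin" dev=sda2 ino=535393 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:bin_t tclass=dir
theory kernel: audit(1165745008.892:666255): avc:  denied  { search } for pid=16856 comm="portmap" name="sbin" dev=sda2 ino=535394 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:sbin_t tclass=dir
theory kernel: audit(1165745010.100:666260): avc:  denied  { read } for pid=2201 comm="httpd" name="index.html" dev=sda2 ino=99 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
theory kernel: some unrelated message
"""

# audit(<epoch.ms>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    # Split user:role:type out of the security contexts (an MLS level may follow).
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        if len(parts) >= 3:
            rec[ctx + "_user"], rec[ctx + "_role"], rec[ctx + "_type"] = parts[:3]
    if "pid" in rec:
        rec["pid"] = int(rec["pid"])
    return rec


def group_by_process(lines):
    """Aggregate denials per (pid, comm, source context)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "targets": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or "pid" not in rec:
            continue
        g = groups[(rec["pid"], rec.get("comm"), rec.get("scontext"))]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        g["targets"].add((rec.get("tcontext_type"), rec.get("tclass")))
    return dict(groups)


def flag_suspicious(groups):
    """Heuristics (mine, not from the thread) for which pids to inspect first."""
    flagged = []
    for (pid, comm, scontext), g in groups.items():
        if not scontext:
            continue
        user, role = scontext.split(":")[:2]
        reasons = []
        # A boot-time daemon runs as system_u; user_u means a login session started it.
        if role == "system_r" and user != "system_u":
            reasons.append("daemon domain but SELinux user %s" % user)
        # Daemons rarely walk several system directory types.
        dirs = {t for t, cls in g["targets"] if cls == "dir"}
        if "search" in g["perms"] and len(dirs) > 1:
            reasons.append("searching %d different directory types" % len(dirs))
        if reasons:
            flagged.append((pid, comm, reasons))
    return flagged


def proc_snapshot(pid):
    """Collect what /proc/<pid> reveals about a live process (Linux only; None if unreadable)."""
    base = "/proc/%d" % pid
    snap = {"pid": pid, "exe": None, "cwd": None, "cmdline": None, "exe_deleted": False}
    if not os.path.isdir(base):
        return snap
    for key in ("exe", "cwd"):
        try:
            snap[key] = os.readlink(os.path.join(base, key))
        except OSError:
            pass
    # A binary unlinked after start shows up as "... (deleted)": a classic tamper hint.
    snap["exe_deleted"] = bool(snap["exe"]) and snap["exe"].endswith(" (deleted)")
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            snap["cmdline"] = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        pass
    return snap


if __name__ == "__main__":
    for pid, comm, reasons in flag_suspicious(group_by_process(SAMPLE_LOG.splitlines())):
        print(pid, comm, "; ".join(reasons))
        print(proc_snapshot(pid))
```

On the sample data the portmap pid is the only one flagged, for both reasons. On the live machine the `exe` path from `proc_snapshot` is the thing to check against the package database (`rpm -qf`, `rpm -V`) before trusting that the process is the distribution's portmap.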
