Is this related to the ioquake3 vulns? Please comment.
Set up some audit logs to see what was going on; see logs below.
Whilst playing, files such as tcpdump, firefox, & /etc/passwd are being accessed, and denied, but the access request is via the urbanterror application and appears to be piped through nvidiactl.
This occurs on some servers, not all, and there seems to be some chat in regards to these activities.
Thought this had been corrected? No guru, but these files shouldn't be accessed by the UT executable; one slip on an unpatched system and voilà, root access via the app. Looks like smurfing was attempted.
2:47 AM (17 hours ago)
Include Evince & thumbnailer
type=AVC msg=audit(1326506857.797:109): apparmor="DENIED" operation="open" parent=1 profile="/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386" name="/etc/passwd" pid=6333 comm="ioUrbanTerror.i" requested_mask="r" denied_mask="r" fsuid=1006 ouid=0
type=AVC msg=audit(1326544741.665:463): apparmor="DENIED" operation="open" parent=1 profile="/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386" name="/etc/passwd" pid=10378 comm="ioUrbanTerror.i" requested_mask="r" denied_mask="r" fsuid=1006 ouid=0
type=AVC msg=audit(1326590224.799:58): apparmor="DENIED" operation="open" parent=1934 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=1937 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1326590767.580:59): apparmor="DENIED" operation="open" parent=2117 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2120 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1327574589.468:58): apparmor="DENIED" operation="open" parent=2150 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2153 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Looks like the old quake3 bug is still in the code.
http://www.derkeiler...5/msg00168.html
This post has been edited by whohah: 30 January 2012 - 04:26 AM
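An added example, not part of the original post: a small Python parser that groups AppArmor denial records like the ones quoted above by confined profile, process name and refused file, so each denial is tied to the profile that generated it. The function names are hypothetical; the first two sample records are copied from the post and the third is a constructed truncated line.

```python
import re
import shlex
from collections import Counter
from datetime import datetime, timezone

# Records 1 and 2 are copied from the post above; record 3 is a constructed
# malformed line (unterminated quote) to exercise the error path.
SAMPLE_LOG = """\
type=AVC msg=audit(1326506857.797:109): apparmor="DENIED" operation="open" parent=1 profile="/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386" name="/etc/passwd" pid=6333 comm="ioUrbanTerror.i" requested_mask="r" denied_mask="r" fsuid=1006 ouid=0
type=AVC msg=audit(1326590224.799:58): apparmor="DENIED" operation="open" parent=1934 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=1937 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1326590300.000:60): apparmor="DENIED" name="/tmp/x
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")

def parse_record(line):
    """Return one audit record as a dict, or None if it cannot be parsed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec_type, secs, serial, body = m.groups()
    try:
        tokens = shlex.split(body)   # strips the double quotes around values
    except ValueError:               # unbalanced quote: truncated record
        return None
    rec = dict(t.split("=", 1) for t in tokens if "=" in t)
    rec.update(type=rec_type, serial=int(serial),
               time=datetime.fromtimestamp(int(secs), tz=timezone.utc))
    return rec

def summarize_denials(text):
    """Count AppArmor denials per (profile, comm, name, denied_mask)."""
    counts, skipped = Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            skipped += 1
        elif rec.get("apparmor") == "DENIED":
            key = tuple(rec.get(k) for k in ("profile", "comm", "name", "denied_mask"))
            counts[key] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = summarize_denials(SAMPLE_LOG)
    for (profile, comm, name, mask), n in sorted(counts.items()):
        print(f"{n}x profile={profile} comm={comm} denied {mask} on {name}")
    print(f"{skipped} unparseable line(s)")
```

The `profile=` field names the AppArmor profile the process was confined by, and `name=` is the path it was refused.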