execmem/execstack AVCs in recent updates

Daniel J Walsh dwalsh at redhat.com
Mon Nov 13 20:51:42 UTC 2006


Tom London wrote:
> On 11/13/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> Tom London wrote:
>> > Running latest rawhide, targeted/enforcing.
>> >
>> > I seem to be getting execmem/execstack AVCs that I don't recall
>> > getting before, e.g., from firefox, vmware, realplayer:
>> >
>> > Believe this is from starting vmware:
>> > type=AVC msg=audit(1163430106.494:54): avc:  denied  { execstack } for
>> > pid=3462 comm="ld-linux.so.2"
>> > scontext=user_u:system_r:unconfined_t:s0
>> > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=AVC msg=audit(1163430106.494:54): avc:  denied  { execmem } for
>> > pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0
>> > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125
>> > success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 items=0
>> > ppid=3460 pid=3462 auid=500 uid=500 gid=500 euid=500 suid=500
>> > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2"
>> > exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0
>> > key=(null)
>> >
>> > Believe this is from starting realplayer:
>> > type=AVC msg=audit(1163429593.548:23): avc:  denied  { execmem } for
>> > pid=3291 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0
>> > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163429593.548:23): arch=40000003 syscall=192
>> > per=400000 success=yes exit=16433152 a0=0 a1=a01000 a2=7 a3=22 items=0
>> > ppid=3286 pid=3291 auid=500 uid=500 gid=500 euid=500 suid=500
>> > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin"
>> > exe="/usr/local/RealPlayer/realplay.bin"
>> > subj=user_u:system_r:unconfined_t:s0 key=(null)
>> >
>> > These from firefox:
>> > type=AVC msg=audit(1163429690.683:30): avc:  denied  { execstack } for
>> > pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
>> > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163429690.683:30): arch=40000003 syscall=125
>> > success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0
>> > ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
>> > egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
>> > exe="/usr/lib/firefox-2.0/firefox-bin"
>> > subj=user_u:system_r:unconfined_t:s0 key=(null)
>> > type=AVC msg=audit(1163429690.693:31): avc:  denied  { execstack } for
>> > pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
>> > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163429690.693:31): arch=40000003 syscall=125
>> > success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0
>> > ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
>> > egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
>> > exe="/usr/lib/firefox-2.0/firefox-bin"
>> > subj=user_u:system_r:unconfined_t:s0 key=(null)
>> >
>> > Did I clobber an update somehow?
>> >
>> > tom
>> No I just turned off allow_execstack boolean in Rawhide.  Just to punish
>> you. :^)
>> The goal is to find these problems.
>>
>> chcon -t unconfined_execmem_t /usr/local/RealPlayer/realplay.bin
>>
>> Should fix.
>>
>> Is firefox-bin dying?  Do you think this is a plugin?  Is it trying to
>> run realplayer?
>>
> Thanks! I needed that 'recharge' to my normal paranoia level ;)
>
> I 'fixed' RealPlayer and restarted firefox. Here is a bit more data:
> 1. Firefox does not die.
> 2. Seems to happen when I 'login' to my gmail account.
>
> Seem to get multiple
> type=AVC msg=audit(1163439760.769:49): avc:  denied  { execstack } for
> pid=3652 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1163439760.769:49): arch=40000003 syscall=125
> success=no exit=-13 a0=bfabe000 a1=1000 a2=1000007 a3=fffff000 items=0
> ppid=1 pid=3652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
> exe="/usr/lib/firefox-2.0/firefox-bin"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
Could you open a bugzilla on this for firefox?
>
> Also, vmware is still unhappy :-(
What is it complaining about?
>
> tom
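
The SYSCALL records quoted in this thread show what each process asked the kernel for; the following is an added example, not part of the original message or of any Fedora tool, that decodes their arguments. The sample lines are constructed by re-joining the wrapped records above with some fields trimmed, and the function names are hypothetical.

```python
import re

# Constructed sample: SYSCALL records from the thread, re-joined, some fields trimmed.
SAMPLE = """\
type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125 success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so"
type=SYSCALL msg=audit(1163429593.548:23): arch=40000003 syscall=192 per=400000 success=yes exit=16433152 a0=0 a1=a01000 a2=7 a3=22 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin"
type=SYSCALL msg=audit(1163429690.683:30): arch=40000003 syscall=125 success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin"
"""

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
        0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}  # numbers valid for arch=40000003 (i386) only


def names(value, table):
    """Return the flag names whose bits are set in value."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode(line):
    """Decode one audit SYSCALL record; None if it is not an i386 mprotect/mmap2."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if f.get("type") != "SYSCALL" or f.get("arch") != "40000003":
        return None
    call = I386_SYSCALLS.get(int(f["syscall"]))  # syscall number is logged in decimal
    if call is None:
        return None
    prot = names(int(f["a2"], 16), PROT)  # a0..a3 are logged in hex
    rec = {"exe": f["exe"].strip('"'), "call": call, "prot": prot,
           "blocked": f["success"] == "no", "finding": "other"}
    if call == "mprotect" and {"PROT_EXEC", "PROT_GROWSDOWN"} <= set(prot):
        rec["finding"] = "executable stack"  # pairs with the execstack AVCs above
    elif call == "mmap2":
        rec["map"] = names(int(f["a3"], 16), MAP)
        if {"PROT_WRITE", "PROT_EXEC"} <= set(prot) and "MAP_ANONYMOUS" in rec["map"]:
            rec["finding"] = "anonymous writable+executable mapping"  # execmem AVC
    return rec


def triage(text):
    """Decode every recognised SYSCALL record in a block of audit log text."""
    return [r for r in map(decode, text.splitlines()) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```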




More information about the fedora-selinux-list mailing list