Rawhide F12 and Skype AVC
Frank Murphy
frankly3d at gmail.com
Fri Jul 24 16:48:16 UTC 2009
The following is the AVC.
Do I replace '<unknown>' with skype?
> Summary:
>
> SELinux is preventing skype from changing a writable memory segment executable.
>
> Detailed Description:
>
> The skype application attempted to change the access protection of memory (e.g.,
> allocated using malloc). This is a potential security problem. Applications
> should not be doing this. Applications are sometimes coded incorrectly and
> request this permission. The SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> remove this requirement. If skype does not work and you need it to work, you can
> configure SELinux temporarily to allow this access until the application is
> fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> If you trust skype to run correctly, you can change the context of the
> executable to execmem_exec_t. "chcon -t execmem_exec_t '<Unknown>'". You must
> also change the default file context files on the system in order to preserve
> them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '<Unknown>'"
>
> Fix Command:
>
> chcon -t execmem_exec_t '<Unknown>'
>
> Additional Information:
>
> Source Context       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects       None [ process ]
> Source               skype
> Source Path          <Unknown>
> Port                 <Unknown>
> Host                 (removed)
> Source RPM Packages
> Target RPM Packages
> Policy RPM           selinux-policy-3.6.22-2.fc12
> Selinux Enabled      True
> Policy Type          targeted
> MLS Enabled          True
> Enforcing Mode       Enforcing
> Plugin Name          allow_execmem
> Host Name            (removed)
> Platform             Linux internet01.frankly3d.local 2.6.31-0.86.rc3.git5.fc12.x86_64 #1 SMP Wed Jul 22 15:31:34 EDT 2009 x86_64 x86_64
> Alert Count          1
> First Seen           Fri 24 Jul 2009 17:38:51 IST
> Last Seen            Fri 24 Jul 2009 17:38:51 IST
> Local ID             6c5beb61-0671-4497-b86d-cd1bf0944901
> Line Numbers
>
> Raw Audit Messages
>
> node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
--
Regards, Frank
jabber | msn | skype: frankly3d
http://www.frankly3d.com
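
The raw audit messages in the report above can be read directly. This added example (not part of the original post and not setroubleshoot's code) joins the AVC and SYSCALL records that share an audit event id and decodes the fields that explain the denial. The function names are hypothetical, and the syscall table holds only the number that appears in this report.

```python
import errno
import re

# The two raw audit records from the report above, copied as sample input.
SAMPLE = '''\
node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
X86_64_SYSCALLS = {59: "execve"}   # only the number that appears in this report
READ_IMPLIES_EXEC = 0x0400000      # Linux personality flag; per= is logged in hex

def parse_record(line):
    """Return one audit record as a dict, or None for non-audit lines."""
    m = HEADER.search(line)
    if not m:
        return None
    body = line[m.end():]
    rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
    rec["type"], rec["event_id"] = m.group(1), int(m.group(2))
    p = PERMS.search(body)
    if p:
        rec["result"], rec["perms"] = p.group(1), p.group(2).split()
    return rec

def summarize(text):
    """Join AVC and SYSCALL records that share an audit event id."""
    events = {}
    for rec in filter(None, map(parse_record, text.splitlines())):
        events.setdefault(rec["event_id"], {})[rec["type"]] = rec
    out = []
    for eid, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("result") != "denied":
            continue
        x86_64 = sc.get("arch") == "c000003e"
        out.append({
            "event_id": eid, "comm": avc.get("comm"), "perms": avc["perms"],
            "tclass": avc.get("tclass"),
            "syscall": X86_64_SYSCALLS.get(int(sc["syscall"])) if x86_64 else None,
            "errno": errno.errorcode.get(-int(sc["exit"])) if "exit" in sc else None,
            "read_implies_exec": bool(int(sc.get("per", "0"), 16) & READ_IMPLIES_EXEC),
            "exe": sc.get("exe"),   # None here: these records carry no exe= field
        })
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
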