A lot of selinux execstack denials in rawhide when starting audio apps

Martin Sourada martin.sourada at seznam.cz
Sat Sep 29 11:29:37 UTC 2007


I enabled SELinux for the first time and I got a lot of execstack
denials when starting applications providing audio output (so far I got
it with listen, rhythmbox, totem and gxine). I have new clean install
from latest rawhide live (plus some additional applications). Are these
worth filling bugs or are they false positives? I attach an output from
this denial for listen music player. I didn't do any actions to fix
these denials and the applications seem to work OK. I have SELinux
policy set to enforcing. If you need more info, ask. Not sure whether
this is for test or devel list so CC-ing devel.

-------------- next part --------------
    SELinux is preventing python from making the program stack executable.

Detailed Description
    The python application attempted to make its stack executable.  This is a
    potential security problem.  This should never ever be necessary. Stack
    memory is not executable on most OSes these days and this will not change.
    Executable stack memory is one of the biggest security problems. An
    execstack error might in fact be most likely raised by malicious code.
    Applications are sometimes coded incorrectly and request this permission.
    The http://people.redhat.com/drepper/selinux-mem.html web page explains how
    to remove this requirement.  If python does not work and you need it to
    work, you can configure SELinux temporarily to allow this access until the
    application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag, if you
    find a library with this flag you can clear it with the execstack -c
    LIBRARY_PATH.  Then retry your application.  If the app continues to not
    work, you can turn the flag back on with execstack -s LIBRARY_PATH.
    Otherwise, if you trust python to run correctly, you can change the context
    of the executable to unconfined_execmem_exec_t. "chcon -t
    unconfined_execmem_exec_t python" You must also change the default file
    context files on the system in order to preserve them even on a full
    relabel.  "semanage fcontext -a -t unconfined_execmem_exec_t python"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t python

Additional Information        

Source Context                system_u:system_r:unconfined_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                None [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-13.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23-0.202.rc8.fc8
                              #1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 i686
Alert Count                   49
First Seen                    Thu 27 Sep 2007 11:53:37 PM CEST
Last Seen                     Sat 29 Sep 2007 01:18:14 PM CEST
Local ID                      aeae736e-4900-4bc7-bea4-c67c7b4f5edf
Line Numbers                  

Raw Audit Messages            

avc: denied { execstack } for comm=python egid=500 euid=500 exe=/usr/bin/python
exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=6478
scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20070929/16e19940/attachment.sig>

More information about the fedora-devel-list mailing list