[FC8] SElinux - AVC Denial Messages... what is it???

Tod Merley todbot88 at gmail.com
Sat Dec 15 09:52:06 UTC 2007


On Dec 14, 2007 11:48 PM, Deepak Shrestha <d88pak at gmail.com> wrote:
> Hi
>
> I am getting the AVC Denial message from SELinux every time I use any
> piece of program. These are some:
>
> ===================================
> Summary
> SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from
> changing the access protection of memory on the heap.
> ------------------------------
> Allowing Access
> If you want /usr/lib/openoffice.org/program/scalc.bin to continue, you
> must turn on the allow_execheap boolean. Note: This boolean will
> affect all applications on the system. The following command will allow
> this access: setsebool -P allow_execheap=1
> ===================================
> Summary
> SELinux is preventing /usr/lib/firefox-2.0.0.8/firefox-bin from
> loading /usr/lib/firefox-2.0.0.8/plugins/nppdf.so which requires text
> relocation.
> ---------------------------------
> Allowing Access
> If you trust /usr/lib/firefox-2.0.0.8/plugins/nppdf.so to run
> correctly, you can change the file context to textrel_shlib_t. "chcon
> -t textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so" You must
> also change the default file context files on the system in order to
> preserve them even on a full relabel. "semanage fcontext -a -t
> textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so" The
> following command will allow this access: chcon -t textrel_shlib_t
> /usr/lib/firefox-2.0.0.8/plugins/nppdf.so
> ===================================
> Summary
> SELinux is preventing /usr/bin/konqueror from changing the access
> protection of memory on the heap.
> --------------------------------
> Allowing Access
> If you want /usr/bin/konqueror to continue, you must turn on the
> allow_execheap boolean. Note: This boolean will affect all
> applications on the system. The following command will allow this
> access: setsebool -P allow_execheap=1
> ==================================
>
> So what are all these messages?? and should I allow this action as suggested???
>
> Thanks

Hi Deepak Shrestha!

SELinux (selinux - NSA Security-Enhanced Linux - see: man selinux)
creates a more secure computing environment by making it harder to
misuse the environment (use it as a hacker would).

I would ask myself some questions:

Am I able to do all of the things I want to with the program?

If so, I would recommend that you do nothing except consider
implementing any updates that may come along and hopefully make false
denials less common.  I do see SELinux denials on my machine but they
are not preventing me from doing anything that I want to do so I would
rather have a bit of extra protection than a flag-free life.  I also have
the "plugins/nppdf.so" denial which is apparently tied to Adobe
Reader.  The denial flag pops whenever I tell Firefox to read a PDF,
but Adobe Reader comes up fine in Firefox anyway. So I am happy.

Do I know where the software mentioned in the denial comes from, and
what it is trying to do?

You may be catching a hacker in the act, hopefully preventing him from
controlling your machine or otherwise causing harm.  Take part of the
denial (such as the "plugins/nppdf.so" I mentioned from above) and
Google it.  Often you will find others dealing with the same issue and
be able to find out if what you have is a problem or simply an
inconvenience.

For myself I am happy to leave things as they are if they work, and
hope they will work better in the future.

Have Fun!

Tod
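
The denials quoted in this thread, shown as the raw AVC records they correspond to in the audit log and grouped by permission, so the scope of each suggested remedy (system-wide boolean versus a single file's label) is visible per denial. This is an added example, not part of the original message; the log lines are constructed, and `parse_avc`, `summarize` and `REMEDY_SCOPE` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the original post); the
# timestamps, pids, inode and contexts are made up for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1197712326.101:41): avc:  denied  { execheap } for  pid=2801 comm="scalc.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1197712390.220:42): avc:  denied  { execmod } for  pid=2950 comm="firefox-bin" path="/usr/lib/firefox-2.0.0.8/plugins/nppdf.so" dev=dm-0 ino=1234 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1197712455.007:43): avc:  denied  { execheap } for  pid=3011 comm="konqueror" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1197712455.007:43): arch=40000003 syscall=125 success=no
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Scope of the remedy quoted in the thread for each denied permission:
# heap denials -> allow_execheap, text relocation -> textrel_shlib_t.
REMEDY_SCOPE = {
    "execheap": "system-wide boolean (allow_execheap)",
    "execmod": "per-file label (textrel_shlib_t)",
}

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def summarize(log_text):
    """Group denials by (permission, target class) -> sorted paths or commands."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # skip SYSCALL and other non-AVC records
        for perm in rec["perms"]:
            # Prefer the file path when the record has one, else the command name.
            groups[(perm, rec.get("tclass"))].add(rec.get("path") or rec.get("comm"))
    return {key: sorted(names) for key, names in groups.items()}

if __name__ == "__main__":
    for (perm, tclass), who in summarize(SAMPLE_LOG).items():
        scope = REMEDY_SCOPE.get(perm, "not covered in this thread")
        print(f"{perm} on {tclass}: {', '.join(who)} -> {scope}")
```
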



