Rawhide F12 and Skype AVC

Dominick Grift domg472 at gmail.com
Fri Jul 24 16:55:43 UTC 2009


On Fri, 2009-07-24 at 17:48 +0100, Frank Murphy wrote:
> Following is AVC
> Do I replace '<unknown>' with skype?
> 
> 
> > Summary:
> > 
> > SELinux is preventing skype from changing a writable memory segment executable.
> > 
> > Detailed Description:
> > 
> > The skype application attempted to change the access protection of memory (e.g.,
> > allocated using malloc). This is a potential security problem. Applications
> > should not be doing this. Applications are sometimes coded incorrectly and
> > request this permission. The SELinux Memory Protection Tests
> > (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> > remove this requirement. If skype does not work and you need it to work, you can
> > configure SELinux temporarily to allow this access until the application is
> > fixed. Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> > 
> > Allowing Access:
> > 
> > If you trust skype to run correctly, you can change the context of the
> > executable to execmem_exec_t. "chcon -t execmem_exec_t '<Unknown>'". You must
> > also change the default file context files on the system in order to preserve
> > them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '<Unknown>'"
> > 
> > Fix Command:
> > 
> > chcon -t execmem_exec_t '<Unknown>'
> > 
> > Additional Information:
> > 
> > Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > Target Objects                None [ process ]
> > Source                        skype
> > Source Path                   <Unknown>
> > Port                          <Unknown>
> > Host                          (removed)
> > Source RPM Packages           
> > Target RPM Packages           
> > Policy RPM                    selinux-policy-3.6.22-2.fc12
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   allow_execmem
> > Host Name                     (removed)
> > Platform                      Linux internet01.frankly3d.local 2.6.31-0.86.rc3.git5.fc12.x86_64 #1 SMP Wed Jul 22 15:31:34 EDT 2009 x86_64 x86_64
> > Alert Count                   1
> > First Seen                    Fri 24 Jul 2009 17:38:51 IST
> > Last Seen                     Fri 24 Jul 2009 17:38:51 IST
> > Local ID                      6c5beb61-0671-4497-b86d-cd1bf0944901
> > Line Numbers                  
> > 
> > Raw Audit Messages            
> > 
> > node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc:  denied  { execmem } for  pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> > 
> > node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > 
> > 
Yes: 

semanage fcontext -a -t execmem_exec_t /path/to/skype
restorecon -v /path/to/skype

where "/path/to/skype" is the path to the skype executable file.
