SELinux is preventing nspluginviewer ....

Antonio Olivares olivares14031 at yahoo.com
Sun Aug 3 18:35:24 UTC 2008


> Dear all,
> 
> Now I know why playing Penalty_Fever caused a problem.  The
> following is clear evidence :(
> 
> 
> Summary:
> 
> SELinux is preventing nspluginviewer from changing a writable memory
> segment executable.
> 
> Detailed Description:
> 
> The nspluginviewer application attempted to change the access protection
> of memory (e.g., allocated using malloc). This is a potential security
> problem. Applications should not be doing this. Applications are
> sometimes coded incorrectly and request this permission. The SELinux
> Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If nspluginviewer does not work and you need
> it to work, you can configure SELinux temporarily to allow this access
> until the application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> 
> Allowing Access:
> 
> If you trust nspluginviewer to run correctly, you can change the context
> of the executable to unconfined_execmem_exec_t.
> "chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'".
> You must also change the default file context files on the system in
> order to preserve them even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
> 
> Fix Command:
> 
> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        nspluginviewer
> Source Path                   /usr/bin/nspluginviewer
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           kdebase-4.1.0-1.fc10
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.5.1-4.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmem
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26.1 #1 SMP Sat Aug 2 21:36:01 CDT 2008 i686 i686
> Alert Count                   29
> First Seen                    Sun 03 Aug 2008 12:55:21 PM CDT
> Last Seen                     Sun 03 Aug 2008 12:55:21 PM CDT
> Local ID                      865503d3-baab-4dcd-adc0-47f8fff6ade6
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc:  denied  { execmem } for  pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> 
> This was an old bug and it returns to bite back :(
> Is anybody else also encountering this problem?
> 
> Regards,
> 
> Antonio 
> 

BTW,

the old bug with nspluginwrapper was here:

https://bugzilla.redhat.com/show_bug.cgi?id=431708

It was closed.  It looks a little bit different, now I am not sure if it is related?

Thanks,

Antonio 
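
The raw audit messages quoted above can be decoded to show exactly which call was refused. This is an added example, not part of the original message or of any Fedora tool: it pairs the AVC and SYSCALL records by audit event id and decodes the i386 syscall number, the protection flags and the error code. The function names and the partial syscall table are assumptions made for the illustration.

```python
import errno
import re

# The two records from the report above, rejoined to one line each.
SAMPLE = """\
host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc:  denied  { execmem } for  pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

AUDIT_ARCH_I386 = 0x40000003  # EM_386 with the little-endian flag set
# Partial i386 table (assumption: only calls taking addr, len, prot as a0..a2).
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse_record(line):
    """Split one audit line into its event id and key=value fields."""
    event = re.search(r"msg=audit\(([\d.]+:\d+)\)", line).group(1)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    fields = {k: v.strip('"') for k, v in fields.items()}
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return event, fields

def explain_denials(text):
    """Join AVC and SYSCALL records by event id and decode the syscall."""
    events = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        event, fields = parse_record(line)
        events.setdefault(event, {})[fields["type"]] = fields
    out = []
    for event, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or int(sc["arch"], 16) != AUDIT_ARCH_I386:
            continue  # only the i386 syscall table is included here
        name = I386_SYSCALLS.get(int(sc["syscall"]))
        prot = int(sc["a2"], 16) if name else 0  # audit logs a0..a3 in hex
        out.append({
            "event": event, "comm": avc["comm"], "perms": avc["perms"],
            "syscall": name or sc["syscall"],
            "addr": int(sc["a0"], 16), "length": int(sc["a1"], 16),
            "prot": [n for bit, n in PROT_BITS.items() if prot & bit],
            "errno": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
        })
    return out

if __name__ == "__main__":
    for row in explain_denials(SAMPLE):
        print(row)
```

For this report the result is one event: an `mprotect` of a single 4096-byte page to `PROT_READ|PROT_EXEC`, refused with `EACCES` under the `execmem` permission.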


      



