SELinux is preventing nspluginviewer ....
Antonio Olivares
olivares14031 at yahoo.com
Mon Aug 4 18:39:02 UTC 2008
> >> Dear all,
> >>
> >> Now I know why playing Penalty_Fever caused a problem. The
> >> following is clear evidence :(
> >>
> >>
> >> Summary:
> >>
> >> SELinux is preventing nspluginviewer from changing a writable memory segment
> >> executable.
> >>
> >> Detailed Description:
> >>
> >> The nspluginviewer application attempted to change the access protection of
> >> memory (e.g., allocated using malloc). This is a potential security problem.
> >> Applications should not be doing this. Applications are sometimes coded
> >> incorrectly and request this permission. The SELinux Memory Protection Tests
> >> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> >> remove this requirement. If nspluginviewer does not work and you need it to
> >> work, you can configure SELinux temporarily to allow this access until the
> >> application is fixed. Please file a bug report
> >> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> >>
> >> Allowing Access:
> >>
> >> If you trust nspluginviewer to run correctly, you can change the context of the
> >> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> >> '/usr/bin/nspluginviewer'". You must also change the default file context files
> >> on the system in order to preserve them even on a full relabel. "semanage
> >> fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
> >>
> >> Fix Command:
> >>
> >> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
> >>
> >> Additional Information:
> >>
> >> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> >> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> >> Target Objects                None [ process ]
> >> Source                        nspluginviewer
> >> Source Path                   /usr/bin/nspluginviewer
> >> Port                          <Unknown>
> >> Host                          localhost.localdomain
> >> Source RPM Packages           kdebase-4.1.0-1.fc10
> >> Target RPM Packages
> >> Policy RPM                    selinux-policy-3.5.1-4.fc10
> >> Selinux Enabled               True
> >> Policy Type                   targeted
> >> MLS Enabled                   True
> >> Enforcing Mode                Enforcing
> >> Plugin Name                   allow_execmem
> >> Host Name                     localhost.localdomain
> >> Platform                      Linux localhost.localdomain 2.6.26.1 #1 SMP Sat Aug 2 21:36:01 CDT 2008 i686 i686
> >> Alert Count                   29
> >> First Seen                    Sun 03 Aug 2008 12:55:21 PM CDT
> >> Last Seen                     Sun 03 Aug 2008 12:55:21 PM CDT
> >> Local ID                      865503d3-baab-4dcd-adc0-47f8fff6ade6
> >> Line Numbers
> >>
> >> Raw Audit Messages
> >>
> >> host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> >>
> >> host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >>
> >>
> >> This was an old bug and it returns to bite back :(
> >> Is anybody else also encountering this problem?
> >>
> >> Regards,
> >>
> >> Antonio
> >>
> >>
> >>
> >>
> >> --
> >
> > BTW,
> >
> > the old bug with nspluginwrapper was here:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=431708
> >
> > It was closed. It looks a little bit different, now I am not sure if it is related?
> >
> > Thanks,
> >
> > Antonio
> >
> >
> >
> >
> Most likely caused by one of the plugins you are using. You have
> multiple choices to fix this, one you could turn on nsplugin confinement
>
> # getsebool -a | grep nsplugin
> allow_nsplugin_execmem --> on
> allow_unconfined_nsplugin_transition --> on
>
> You should relabel your homedir if you do.
>
> restorecon -R -v ~
>
> Then restart firefox. This would allow a confined nsplugin to execmem
> but not all apps run from unconfined_t. I have been running like this
> for a long time and have had few problems, although the more people who
> run with this mode the better so we can figure out what firefox plugins
> want to do.
I am running konqueror on KDE 4.1 Rawhide. Firefox and Seamonkey are not reliable and I yum removed 'em. I was playing a flash game and it was working nicely, but then I got to the next level and CPU went up to 100% and crashed. I can try the suggestions, but I am not sure that konqueror behaves like firefox with the plugins.
>
> You can not run the offending plugin.
>
> You can ignore the error if it does not seem to cause the problem.
>
> You can turn on allow_execmem boolean.
I'll take a look into that.
Regards,
Antonio