SELinux is preventing nspluginviewer ....

Antonio Olivares olivares14031 at yahoo.com
Mon Aug 4 18:39:02 UTC 2008


> >> Dear all,
> >>
> >> Now I know why playing Penalty_Fever caused a problem.  The
> >> following is clear evidence :(
> >>
> >>
> >> Summary:
> >>
> >> SELinux is preventing nspluginviewer from changing a writable memory segment
> >> executable.
> >>
> >> Detailed Description:
> >>
> >> The nspluginviewer application attempted to change the access protection of
> >> memory (e.g., allocated using malloc). This is a potential security problem.
> >> Applications should not be doing this. Applications are sometimes coded
> >> incorrectly and request this permission. The SELinux Memory Protection Tests
> >> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> >> remove this requirement. If nspluginviewer does not work and you need it to
> >> work, you can configure SELinux temporarily to allow this access until the
> >> application is fixed. Please file a bug report
> >> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> >>
> >> Allowing Access:
> >>
> >> If you trust nspluginviewer to run correctly, you can change the context of the
> >> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> >> '/usr/bin/nspluginviewer'". You must also change the default file context files
> >> on the system in order to preserve them even on a full relabel. "semanage
> >> fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
> >>
> >> Fix Command:
> >>
> >> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
> >>
> >> Additional Information:
> >>
> >> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> >> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> >> Target Objects                None [ process ]
> >> Source                        nspluginviewer
> >> Source Path                   /usr/bin/nspluginviewer
> >> Port                          <Unknown>
> >> Host                          localhost.localdomain
> >> Source RPM Packages           kdebase-4.1.0-1.fc10
> >> Target RPM Packages
> >> Policy RPM                    selinux-policy-3.5.1-4.fc10
> >> Selinux Enabled               True
> >> Policy Type                   targeted
> >> MLS Enabled                   True
> >> Enforcing Mode                Enforcing
> >> Plugin Name                   allow_execmem
> >> Host Name                     localhost.localdomain
> >> Platform                      Linux localhost.localdomain 2.6.26.1 #1 SMP Sat Aug 2 21:36:01 CDT 2008 i686 i686
> >> Alert Count                   29
> >> First Seen                    Sun 03 Aug 2008 12:55:21 PM CDT
> >> Last Seen                     Sun 03 Aug 2008 12:55:21 PM CDT
> >> Local ID                      865503d3-baab-4dcd-adc0-47f8fff6ade6
> >> Line Numbers
> >>
> >> Raw Audit Messages
> >>
> >> host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc:  denied  { execmem } for  pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> >>
> >> host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >>
> >>
> >> This was an old bug and it returns to bite back :(
> >> Is anybody else also encountering this problem?
> >>
> >> Regards,
> >>
> >> Antonio 
> >>
> >>
> >>       
> >>
> >> -- 
> > 
> > BTW,
> > 
> > the old bug with nspluginwrapper was here:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=431708
> > 
> > It was closed.  It looks a little bit different, now I am not sure if it is related?
> > 
> > Thanks,
> > 
> > Antonio 
> > 
> > 
> >       
> > 
> Most likely caused by one of the plugins you are using.  You have
> multiple choices to fix this, one you could turn on nsplugin confinement
> 
> # getsebool -a | grep nsplugin
> allow_nsplugin_execmem --> on
> allow_unconfined_nsplugin_transition --> on
> 
> You should relabel your homedir if you do.
> 
> restorecon -R -v ~
> 
> Then restart firefox.  This would allow a confined nsplugin to execmem
> but not all apps run from unconfined_t.  I have been running like this
> for a long time and have had few problems, although the more people who
> run with this mode the better so we can figure out what firefox plugins
> want to do.

I am running konqueror on KDE 4.1 Rawhide.  Firefox and Seamonkey are not reliable and I yum removed 'em.  I was playing a flash game and it was working nicely, but then I got to the next level and CPU went up to 100% and crashed.  I can try the suggestions, but I am not sure that konqueror behaves like firefox with the plugins.
> 
> You can not run the offending plugin.
> 
> You can ignore the error if it does not seem to cause the problem.
> 
> You can turn on allow_execmem boolean.

I'll take a look into that.  

Regards,

Antonio 
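
Added example, not part of the original thread: a short Python script that pairs the AVC and SYSCALL records quoted above by their audit event id and decodes the denied call, showing that the `execmem` denial corresponds to an `mprotect` requesting `PROT_READ|PROT_EXEC` that failed with `EACCES`. The function names `parse_record` and `explain` are illustrative, and the syscall table holds only the single i386 entry this event needs.

```python
import errno
import re

# The two records from the post's "Raw Audit Messages", rejoined onto single
# lines; the SYSCALL record is trimmed of id fields the decoder does not use.
AVC = ('host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): '
       'avc:  denied  { execmem } for  pid=3262 comm="nspluginviewer" '
       'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=process')
SYSCALL = ('host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): '
           'arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 '
           'a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 '
           'comm="nspluginviewer" exe="/usr/bin/nspluginviewer"')

# Only the table entry this event needs; extend for other architectures.
SYSCALLS = {("40000003", "125"): "mprotect"}   # AUDIT_ARCH_I386, i386 syscall table
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

def parse_record(line):
    """Return key=value fields plus the audit event id and denied permissions."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    fields = {k: v.strip('"') for k, v in fields.items()}
    fields["event_id"] = re.search(r"audit\(([\d.]+:\d+)\)", line).group(1)
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def explain(avc_line, syscall_line):
    """Join an AVC denial with its SYSCALL record and decode the mprotect call."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event_id"] != sc["event_id"]:
        raise ValueError("records belong to different audit events")
    prot = int(sc["a2"], 16)                      # syscall args are logged in hex
    return {
        "denied": avc["perms"],
        "exe": sc["exe"],
        "syscall": SYSCALLS.get((sc["arch"], sc["syscall"]), "unknown"),
        "addr": int(sc["a0"], 16),
        "length": int(sc["a1"], 16),
        "prot": [name for bit, name in PROT_BITS.items() if prot & bit],
        "error": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
    }

if __name__ == "__main__":
    for key, value in explain(AVC, SYSCALL).items():
        print(f"{key:8} {value}")
```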



      



