SELinux is preventing seamonkey-bin from making the program stack executable.

Daniel J Walsh dwalsh at redhat.com
Wed Feb 27 19:42:06 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear all,
> 
> After applying the fix suggested by Mr. Walsh,
> [root at localhost ~]# setsebool -P
> allow_unconfined_nsplugin_transition=1
> allow_nsplugin_execmem=1
> [root at localhost ~]# getsebool -a | grep nsp
> allow_nsplugin_execmem --> on
> allow_unconfined_nsplugin_transition --> on
> 
> Seamonkey is asking permission for the stack.  I do
> not want to allow access if it is not correct for
> seamonkey to allow stack execution.  Please help me
> nail this one as well and crossing my fingers that
> firefox/minefield does not ask as well.  
> 
> 
> Summary:
> 
> SELinux is preventing seamonkey-bin from making the program stack executable.
> 
> Detailed Description:
> 
> The seamonkey-bin application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If seamonkey-bin does not work and you need it to
> work, you can configure SELinux temporarily to allow this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> 
> Allowing Access:
> 
> Sometimes a library is accidentally marked with the execstack flag; if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
> seamonkey-bin to run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'" You must also change the default file
> context files on the system in order to preserve them even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'"
> 
> Fix Command:
> 
> chcon -t unconfined_execmem_exec_t '/usr/lib/seamonkey-1.1.8/seamonkey-bin'
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        firefox
> Source Path                   /usr/lib/firefox-3.0b3pre/firefox
> Port                          <Unknown>
> Host                          localhost
> Source RPM Packages           seamonkey-1.1.8-4.fc9
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.3.0-1.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     localhost
> Platform                      Linux localhost 2.6.25-0.65.rc2.git7.fc9 #1 SMP Sat Feb 23 23:06:09 EST 2008 i686 athlon
> Alert Count                   140
> First Seen                    Fri 01 Feb 2008 05:08:54 PM CST
> Last Seen                     Tue 26 Feb 2008 03:17:04 PM CST
> Local ID                      c4806f30-a6dc-43b0-8901-5531075795f7
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost type=AVC msg=audit(1204060624.602:108): avc:  denied  { execstack } for  pid=20290 comm="seamonkey-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> 
> host=localhost type=SYSCALL msg=audit(1204060624.602:108): arch=40000003 syscall=125 success=no exit=-13 a0=bfc72000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=20290 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="seamonkey-bin" exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
Looks like seamonkey does not use nsplugin.  So in order to use this
plugin you will need to turn on the allow_execstack boolean.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfFvQ4ACgkQrlYvE4MpobMSpgCfa7gDlSPJtNzzCJIf60idt70T
cRYAn2GPuZWZPWTQSNOBjeOuB1sbCVP2
=8sCk
-----END PGP SIGNATURE-----
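The setroubleshoot report quoted above tells the user to look for a library accidentally carrying the execstack flag before granting the process an executable stack. The following helper is an added example, not code from this thread, from setroubleshoot or from Fedora: it pulls execstack denials out of raw audit records (the two records from the thread, rejoined onto single lines, are embedded as sample input) and classifies an ELF file by its PT_GNU_STACK program header the same way `execstack -q` does (X, -, ?). The `build_elf` helper constructs minimal ELF images in memory so the checker can be exercised offline; on a real host you would call `check_file` on the binary named in `exe=` and on each library it loads. Function and variable names are the example's own.

```python
"""Triage an SELinux execstack denial before reaching for allow_execstack:
find the denial in the audit log, then check whether the ELF files involved
actually request an executable stack (PT_GNU_STACK with PF_X set)."""
import re
import struct
from typing import Dict, List

PT_GNU_STACK = 0x6474E551  # program header type the GNU linker emits for the stack
PF_X = 0x1                 # execute bit in p_flags

# Sample input: the AVC and SYSCALL records quoted in the thread, one per line.
SAMPLE_AUDIT = (
    'host=localhost type=AVC msg=audit(1204060624.602:108): avc:  denied  '
    '{ execstack } for  pid=20290 comm="seamonkey-bin" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process\n'
    'host=localhost type=SYSCALL msg=audit(1204060624.602:108): arch=40000003 '
    'syscall=125 success=no exit=-13 a0=bfc72000 a1=1000 a2=1000007 a3=fffff000 '
    'items=0 ppid=1 pid=20290 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 '
    'egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="seamonkey-bin" '
    'exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)\n'
)

_SERIAL = re.compile(r"msg=audit\(([\d.]+:\d+)\)")   # timestamp:serial pair
_PERMS = re.compile(r"denied\s+\{ ([^}]*) \}")        # permissions in the AVC
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value fields


def parse_audit(text: str) -> Dict[str, dict]:
    """Merge AVC and SYSCALL records that share one audit serial into one dict."""
    events: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _SERIAL.search(line)
        if not m:
            continue
        rec = events.setdefault(m.group(1), {"perms": set()})
        for key, val in _KV.findall(line):
            rec[key] = val.strip('"')
        p = _PERMS.search(line)
        if p:
            rec["perms"].update(p.group(1).split())
    return events


def execstack_denials(text: str) -> List[dict]:
    """Events where SELinux denied execstack on a process; exe= comes from the
    matching SYSCALL record so the binary can be inspected afterwards."""
    return [e for e in parse_audit(text).values()
            if "execstack" in e["perms"] and e.get("tclass") == "process"]


def gnu_stack_flag(data: bytes) -> str:
    """Classify an ELF image like `execstack -q`: 'X' executable stack requested,
    '-' non-executable, '?' no PT_GNU_STACK header (x86 kernels then fall back
    to an executable stack, so '?' deserves the same attention as 'X')."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if data[4] == 1:                          # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                        # p_flags sits after p_memsz
    elif data[4] == 2:                        # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                         # p_flags sits right after p_type
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return "X" if p_flags & PF_X else "-"
    return "?"


def check_file(path: str) -> str:
    """Classify a real executable or shared library on disk."""
    with open(path, "rb") as fh:
        return gnu_stack_flag(fh.read())


def build_elf(bits: int, phdrs: List[tuple]) -> bytes:
    """Constructed minimal ELF image (header plus program headers only) used to
    exercise the checker offline; phdrs is a list of (p_type, p_flags)."""
    if bits == 32:
        ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                                  52, 32, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 16)
                        for t, f in phdrs)
    else:
        ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                  64, 56, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16)
                        for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    for ev in execstack_denials(SAMPLE_AUDIT):
        print(f"execstack denied: pid={ev['pid']} comm={ev['comm']} exe={ev.get('exe')}")
        # On the affected host: check_file(ev["exe"]) and each library it loads;
        # clear stray flags with `execstack -c` before touching allow_execstack.
    for label, img in [("RWE stack", build_elf(32, [(1, 5), (PT_GNU_STACK, 7)])),
                       ("RW stack", build_elf(64, [(PT_GNU_STACK, 6)])),
                       ("no GNU_STACK", build_elf(32, [(1, 5)]))]:
        print(f"{label}: {gnu_stack_flag(img)}")
```

The value of doing this before setting `allow_execstack` is that the boolean applies to every unconfined process, whereas an `execstack -c` on the one mislabelled library removes the request at its source and leaves the non-executable stack protection intact everywhere else.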



