selinux/setroubleshoot reports trouble with nspluginscan, NetworkManager_t

Antonio Olivares olivares14031 at yahoo.com
Wed Feb 6 01:51:07 UTC 2008 

Dear all,

Upon applying todays updates rawhide report 20080205,
and the failed update/conflicts
\begin{QUOTE}
xorg-x11-xinit-1.0.7-3.fc9.i386 from development has
depsolving problems
  --> xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
conflicts with dbus < 1.1
.4-3.fc9
Error: xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
conflicts with dbus < 1.
1.4-3.fc9
\end{QUOTE}

I get two denials from selinux

Summary:

SELinux is preventing nspluginscan from making the
program stack executable.

Detailed Description:

The nspluginscan application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If nspluginscan does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Allowing Access:

Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
nspluginscan to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/bin/nspluginscan'" You must also change the
default file context files on
the system in order to preserve them even on a full
relabel. "semanage fcontext
-a -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'

Additional Information:

Source Context               
unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context               
unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        nspluginscan
Source Path                   /usr/bin/nspluginscan
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           kdebase-4.0.1-3.fc9
Target RPM Packages           
Policy RPM                   
selinux-policy-3.2.6-5.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux
localhost.localdomain 2.6.24-17.fc9 #1 SMP
                              Mon Feb 4 19:02:27 EST
2008 i686 i686
Alert Count                   2
First Seen                    Tue 05 Feb 2008 07:13:02
AM CST
Last Seen                     Tue 05 Feb 2008 07:41:42
PM CST
Local ID                     
7afb3a36-5b69-486c-a93b-02e714040250
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC
msg=audit(1202262102.930:20): avc:  denied  {
execstack } for  pid=2866 comm="nspluginscan"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process

host=localhost.localdomain type=SYSCALL
msg=audit(1202262102.930:20): arch=40000003
syscall=125 success=no exit=-13 a0=bfce4000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none)
comm="nspluginscan" exe="/usr/bin/nspluginscan"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)



Summary:

SELinux is preventing the 00-netreport
(NetworkManager_t) from executing ./init.

Detailed Description:

SELinux has denied the 00-netreport from executing
./init. If 00-netreport is
supposed to be able to execute ./init, this could be a
labeling problem. Most
confined domains are allowed to execute files labeled
bin_t. So you could change
the labeling on this file to bin_t and retry the
application. If this
00-netreport is not supposed to execute ./init, this
could signal a intrusion
attempt.

Allowing Access:

If you want to allow 00-netreport to execute ./init:
chcon -t bin_t './init' If
this fix works, please update the file context on
disk, with the following
command: semanage fcontext -a -t bin_t './init' Please
specify the full path to
the executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context               
system_u:system_r:NetworkManager_t
Target Context                system_u:object_r:etc_t
Target Objects                ./init [ file ]
Source                        00-netreport
Source Path                   /bin/bash
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bash-3.2-20.fc9
Target RPM Packages           
Policy RPM                   
selinux-policy-3.2.6-5.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     localhost.localdomain
Platform                      Linux
localhost.localdomain 2.6.24-17.fc9 #1 SMP
                              Mon Feb 4 19:02:27 EST
2008 i686 i686
Alert Count                   1
First Seen                    Tue 05 Feb 2008 07:42:33
PM CST
Last Seen                     Tue 05 Feb 2008 07:42:33
PM CST
Local ID                     
9a1f71bd-9256-450a-bc0c-a7ebb115cacb
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC
msg=audit(1202262153.640:107): avc:  denied  { execute
} for  pid=3226 comm="00-netreport" name="init"
dev=dm-0 ino=360497
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL
msg=audit(1202262153.640:107): arch=40000003
syscall=33 success=no exit=-13 a0=9f7a370 a1=1 a2=11
a3=9f7a370 items=0 ppid=2385 pid=3226 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Thanks,


Antonio


      ____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

More information about the fedora-test-list mailing list