selinux now causing trouble with seamonkey
Antonio Olivares
olivares14031 at yahoo.com
Thu Feb 14 13:14:20 UTC 2008
--- Jim Cornette <fct-cornette at insight.rr.com> wrote:
> Daniel J Walsh wrote:
> >>
> > Well going to this page with nsplugin installed
> causes nsplugin_t to
> > generate an execmem.
> >
> > - ----
> > time->Wed Feb 13 08:00:55 2008
> > type=SYSCALL msg=audit(1202907655.715:1515):
> arch=40000003 syscall=125
> > per=8 success=no exit=-13 a0=f2129000 a1=1000 a2=5
> a3=ffbff4bc items=0
> > ppid=4897 pid=4917 auid=3267 uid=3267 gid=3267
> euid=3267 suid=3267
> > fsuid=3267 egid=3267 sgid=3267 fsgid=3267
> tty=(none) comm="npviewer.bin"
> > exe="/usr/lib/nspluginwrapper/npviewer.bin"
> > subj=staff_u:staff_r:nsplugin_t:s0 key=(null)
> > type=AVC msg=audit(1202907655.715:1515): avc:
> denied { execmem } for
> > pid=4917 comm="npviewer.bin"
> scontext=staff_u:staff_r:nsplugin_t:s0
> > tcontext=staff_u:staff_r:nsplugin_t:s0
> tclass=process
> >
> >
> > nsplugin seems to survive though. So this is
> definitely a plugin
> > causing the problem. I would bet it is
> flashplugin.
>
> After installing nspluginwrapper, firefox only logs
> two instances and
> does not crash. A bit better than without it.
>
> Raw Audit Messages :host=HP-JCF7 type=AVC
> msg=audit(1202946445.511:77):
> avc: denied { execstack } for pid=3749
> comm="npviewer.bin"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
> tclass=process
> host=HP-JCF7 type=SYSCALL
> msg=audit(1202946445.511:77): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc8c000 a1=1000
> a2=1000007
> a3=fffff000 items=0 ppid=3719 pid=3749 auid=500
> uid=500 gid=500 euid=500
> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
> tty=(none)
> comm="npviewer.bin"
> exe="/usr/lib/nspluginwrapper/npviewer.bin"
> subj=unconfined_u:unconfined_r:unconfined_t:s0
> key=(null)
>
>
> Thanks!
> Jim
>
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
>
https://www.redhat.com/mailman/listinfo/fedora-test-list
>
Following this thread, I installed nspluginwrapper
[root at localhost Downloads]# yum install
nspluginwrapper
Loaded plugins: refresh-updatesd
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package nspluginwrapper.i386 0:0.9.91.5-21.fc9
set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
Package Arch Version
Repository Size
=============================================================================
Installing:
nspluginwrapper i386 0.9.91.5-21.fc9
development 130 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 130 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): nspluginwrapper-0. 100%
|=========================| 130 kB 00:00
Running rpm_check_debug
Running Transaction Test
/etc/selinux/targeted/contexts/files/file_contexts:
Multiple same specifications for /usr/bin/sbcl.
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
/etc/selinux/targeted/contexts/files/file_contexts:
Multiple same specifications for /usr/bin/sbcl.
Installing: nspluginwrapper
######################### [1/1]
Installed: nspluginwrapper.i386 0:0.9.91.5-21.fc9
Complete!
[root at localhost Downloads]#
It was not installed :( Now I get a setroubleshoot
message after a little while
Summary:
SELinux is preventing plugin-config from making the
program stack executable.
Detailed Description:
The plugin-config application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If plugin-config does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
plugin-config to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'" You must
also change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages
nspluginwrapper-0.9.91.5-21.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.7-4.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.25-0.35.rc1.fc9 #1 SMP Tue Feb
12 13:24:07 EST 2008
i686 athlon
Alert Count 70
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Thu 14 Feb 2008 06:56:41
AM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1202993801.990:96):
avc: denied { execstack } for pid=17995
comm="plugin-config"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1202993801.990:96): arch=40000003
syscall=125 success=no exit=-13 a0=bfbc9000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=17993 pid=17995
auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=2
comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
This happens with firefox. If I try seamonkey, I get
the following alert:
Summary:
SELinux is preventing seamonkey-bin from making the
program stack executable.
Detailed Description:
The seamonkey-bin application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If seamonkey-bin does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
seamonkey-bin to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'" You must
also change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages seamonkey-1.1.8-3.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.7-4.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.25-0.35.rc1.fc9 #1 SMP Tue Feb
12 13:24:07 EST 2008
i686 athlon
Alert Count 72
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Thu 14 Feb 2008 07:11:03
AM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1202994663.15:108):
avc: denied { execstack } for pid=18545
comm="seamonkey-bin"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1202994663.15:108): arch=40000003
syscall=125 success=no exit=-13 a0=bfa8e000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=1 pid=18545
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=2
comm="seamonkey-bin"
exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
Both alerts are somewhat related since they have a
source path
Source Path
/usr/lib/firefox-3.0b3pre/firefox
firefox connected. I wonder if I did the exec chcon
stuff for firefox and it is no longer bothering me,
should I do the same for seamonkey. Or is there a way
to undo what I did for firefox
This is what I did before
[root at localhost ~]# chcon -t unconfined_execmem_exec_t
/usr/lib/firefox-3.0b4pre/firefox
[root at localhost ~]# semanage fcontext -a -t
unconfined_execmem_exec_t
/usr/lib/firefox-3.0b4pre/firefox
[root at localhost ~]# restorecon
/usr/lib/firefox-3.0b4pre/firefox
/etc/selinux/targeted/contexts/files/file_contexts:
Multiple same specifications for /usr/bin/sbcl.
[root at localhost ~]#
How can I undo that now that I have nspluginwrapper?
Thanks,
Antonio
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
More information about the fedora-test-list
mailing list