selinux now causing trouble with seamonkey

Daniel J Walsh dwalsh at redhat.com
Thu Feb 14 13:31:18 UTC 2008



Antonio Olivares wrote:
> --- Jim Cornette <fct-cornette at insight.rr.com> wrote:
> 
>> Daniel J Walsh wrote:
>>> Well going to this page with nsplugin installed
>> causes nsplugin_t to
>>> generate an execmem.
>>>
>>> - ----
>>> time->Wed Feb 13 08:00:55 2008
>>> type=SYSCALL msg=audit(1202907655.715:1515):
>> arch=40000003 syscall=125
>>> per=8 success=no exit=-13 a0=f2129000 a1=1000 a2=5
>> a3=ffbff4bc items=0
>>> ppid=4897 pid=4917 auid=3267 uid=3267 gid=3267
>> euid=3267 suid=3267
>>> fsuid=3267 egid=3267 sgid=3267 fsgid=3267
>> tty=(none) comm="npviewer.bin"
>>> exe="/usr/lib/nspluginwrapper/npviewer.bin"
>>> subj=staff_u:staff_r:nsplugin_t:s0 key=(null)
>>> type=AVC msg=audit(1202907655.715:1515): avc: 
>> denied  { execmem } for
>>> pid=4917 comm="npviewer.bin"
>> scontext=staff_u:staff_r:nsplugin_t:s0
>>> tcontext=staff_u:staff_r:nsplugin_t:s0
>> tclass=process
>>>
>>> nsplugin seems to survive though.  So this is
>> definitely a plugin
>>> causing the problem.  I would bet it is
>> flashplugin.
>>
>> After installing nspluginwrapper, firefox only logs
>> two instances and 
>> does not crash. A bit better than without it.
>>
>> Raw Audit Messages :host=HP-JCF7 type=AVC
>> msg=audit(1202946445.511:77): 
>> avc: denied { execstack } for pid=3749
>> comm="npviewer.bin" 
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0 
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tclass=process 
>> host=HP-JCF7 type=SYSCALL
>> msg=audit(1202946445.511:77): arch=40000003 
>> syscall=125 success=no exit=-13 a0=bfc8c000 a1=1000
>> a2=1000007 
>> a3=fffff000 items=0 ppid=3719 pid=3749 auid=500
>> uid=500 gid=500 euid=500 
>> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
>> tty=(none) 
>> comm="npviewer.bin"
>> exe="/usr/lib/nspluginwrapper/npviewer.bin" 
>> subj=unconfined_u:unconfined_r:unconfined_t:s0
>> key=(null)
>>
>>
>> Thanks!
>> Jim
>>
> 
> Following this thread, I installed nspluginwrapper
> 
> [root at localhost Downloads]# yum install
> nspluginwrapper
> Loaded plugins: refresh-updatesd
> Setting up Install Process
> Parsing package install arguments
> Resolving Dependencies
> --> Running transaction check
> ---> Package nspluginwrapper.i386 0:0.9.91.5-21.fc9
> set to be updated
> --> Finished Dependency Resolution
> 
> Dependencies Resolved
> 
> =============================================================================
>  Package                 Arch       Version         
> Repository        Size 
> =============================================================================
> Installing:
>  nspluginwrapper         i386       0.9.91.5-21.fc9 
> development       130 k
> 
> Transaction Summary
> =============================================================================
> Install      1 Package(s)         
> Update       0 Package(s)         
> Remove       0 Package(s)         
> 
> Total download size: 130 k
> Is this ok [y/N]: y
> Downloading Packages:
> (1/1): nspluginwrapper-0. 100%
> |=========================| 130 kB    00:00     
> Running rpm_check_debug
> Running Transaction Test
> /etc/selinux/targeted/contexts/files/file_contexts:
> Multiple same specifications for /usr/bin/sbcl.
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
> /etc/selinux/targeted/contexts/files/file_contexts:
> Multiple same specifications for /usr/bin/sbcl.
>   Installing: nspluginwrapper             
> ######################### [1/1] 
> 
> Installed: nspluginwrapper.i386 0:0.9.91.5-21.fc9
> Complete!
> [root at localhost Downloads]# 
> 
> It was not installed :(  Now I get a setroubleshoot
> message after a little while 
> 
> 
> Summary:
> 
> SELinux is preventing plugin-config from making the
> program stack executable.
> 
> Detailed Description:
> 
> The plugin-config application attempted to make its
> stack executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If plugin-config does not
> work and you need it to
> work, you can configure SELinux temporarily to allow
> this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Allowing Access:
> 
> Sometimes a library is accidentally marked with the
> execstack flag, if you find
> a library with this flag you can clear it with the
> execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to
> not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH.
> Otherwise, if you trust
> plugin-config to run correctly, you can change the
> context of the executable to
> unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t
> '/usr/lib/nspluginwrapper/plugin-config'" You must
> also change the default file
> context files on the system in order to preserve them
> even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/lib/nspluginwrapper/plugin-config'"
> 
> The following command will allow this access:
> 
> chcon -t unconfined_execmem_exec_t
> '/usr/lib/nspluginwrapper/plugin-config'
> 
> Additional Information:
> 
> Source Context               
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Context               
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Objects                None [ process ]
> Source                        firefox
> Source Path                  
> /usr/lib/firefox-3.0b3pre/firefox
> Port                          <Unknown>
> Host                          localhost
> Source RPM Packages          
> nspluginwrapper-0.9.91.5-21.fc9
> Target RPM Packages           
> Policy RPM                   
> selinux-policy-3.2.7-4.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     localhost
> Platform                      Linux localhost
> 2.6.25-0.35.rc1.fc9 #1 SMP Tue Feb
>                               12 13:24:07 EST 2008
> i686 athlon
> Alert Count                   70
> First Seen                    Fri 01 Feb 2008 05:08:54
> PM CST
> Last Seen                     Thu 14 Feb 2008 06:56:41
> AM CST
> Local ID                     
> c4806f30-a6dc-43b0-8901-5531075795f7
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost type=AVC msg=audit(1202993801.990:96):
> avc:  denied  { execstack } for  pid=17995
> comm="plugin-config"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
> 
> host=localhost type=SYSCALL
> msg=audit(1202993801.990:96): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbc9000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=17993 pid=17995
> auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
> egid=500 sgid=500 fsgid=500 tty=(none) ses=2
> comm="plugin-config"
> exe="/usr/lib/nspluginwrapper/plugin-config"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
> 
> This happens with firefox.  If I try seamonkey, I get
> the following alert:
> 
> 
> Summary:
> 
> SELinux is preventing seamonkey-bin from making the
> program stack executable.
> 
> Detailed Description:
> 
> The seamonkey-bin application attempted to make its
> stack executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If seamonkey-bin does not
> work and you need it to
> work, you can configure SELinux temporarily to allow
> this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Allowing Access:
> 
> Sometimes a library is accidentally marked with the
> execstack flag, if you find
> a library with this flag you can clear it with the
> execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to
> not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH.
> Otherwise, if you trust
> seamonkey-bin to run correctly, you can change the
> context of the executable to
> unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'" You must
> also change the default file
> context files on the system in order to preserve them
> even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'"
> 
> The following command will allow this access:
> 
> chcon -t unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'
> 
> Additional Information:
> 
> Source Context               
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Context               
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Objects                None [ process ]
> Source                        firefox
> Source Path                  
> /usr/lib/firefox-3.0b3pre/firefox
> Port                          <Unknown>
> Host                          localhost
> Source RPM Packages           seamonkey-1.1.8-3.fc9
> Target RPM Packages           
> Policy RPM                   
> selinux-policy-3.2.7-4.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     localhost
> Platform                      Linux localhost
> 2.6.25-0.35.rc1.fc9 #1 SMP Tue Feb
>                               12 13:24:07 EST 2008
> i686 athlon
> Alert Count                   72
> First Seen                    Fri 01 Feb 2008 05:08:54
> PM CST
> Last Seen                     Thu 14 Feb 2008 07:11:03
> AM CST
> Local ID                     
> c4806f30-a6dc-43b0-8901-5531075795f7
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=localhost type=AVC msg=audit(1202994663.15:108):
> avc:  denied  { execstack } for  pid=18545
> comm="seamonkey-bin"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
> 
> host=localhost type=SYSCALL
> msg=audit(1202994663.15:108): arch=40000003
> syscall=125 success=no exit=-13 a0=bfa8e000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=1 pid=18545
> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) ses=2
> comm="seamonkey-bin"
> exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
> 
> 
> Both alerts are somewhat related since they have a
> source path 
> 
> Source Path                  
> /usr/lib/firefox-3.0b3pre/firefox
> 
> firefox connected.  I wonder if I did the exec chcon
> stuff for firefox and it is no longer bothering me,
> should I do the same for seamonkey.  Or is there a way
> to undo what I did for firefox
> 
> This is what I did before 
> [root at localhost ~]# chcon -t unconfined_execmem_exec_t
> /usr/lib/firefox-3.0b4pre/firefox
> [root at localhost ~]# semanage fcontext -a -t
> unconfined_execmem_exec_t
> /usr/lib/firefox-3.0b4pre/firefox 
> [root at localhost ~]# restorecon
> /usr/lib/firefox-3.0b4pre/firefox
> /etc/selinux/targeted/contexts/files/file_contexts:
> Multiple same specifications for /usr/bin/sbcl.
> [root at localhost ~]# 
> 
> 
> How can I undo that now that I have nspluginwrapper?
> 
> Thanks,
> 
> Antonio 
> 
> 
> 
semanage fcontext -d /usr/lib/firefox-3.0b4pre/firefox
restorecon /usr/lib/firefox-3.0b4pre/firefox
Should remove the fcontext
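As an added example, not code from this thread or from setroubleshoot: a small Python parser that pairs the quoted AVC and SYSCALL records by audit serial, keeps only the memory-protection denials, and decodes the mprotect flags that distinguish an execstack denial (PROT_GROWSDOWN on the stack mapping) from a plain execmem one. The sample records are constructed from the ones in the thread, and the syscall/arch decoding is assumed from the i386 kernel ABI.

```python
import re

# Constructed sample records modelled on this thread's denials, plus one unrelated file denial that should be filtered out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1202993801.990:96): avc:  denied  { execstack } for  pid=17995 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1202993801.990:96): arch=40000003 syscall=125 success=no exit=-13 a0=bfbc9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=17993 pid=17995 auid=500 uid=500 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1202907655.715:1515): avc:  denied  { execmem } for  pid=4917 comm="npviewer.bin" scontext=staff_u:staff_r:nsplugin_t:s0 tcontext=staff_u:staff_r:nsplugin_t:s0 tclass=process
type=SYSCALL msg=audit(1202907655.715:1515): arch=40000003 syscall=125 success=no exit=-13 a0=f2129000 a1=1000 a2=5 a3=ffbff4bc items=0 ppid=4897 pid=4917 auid=3267 uid=3267 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=staff_u:staff_r:nsplugin_t:s0 key=(null)
type=AVC msg=audit(1202994700.000:110): avc:  denied  { getattr } for  pid=2201 comm="cupsd" name="printers.conf" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
MEMORY_PERMS = {'execstack', 'execmem', 'execheap', 'execmod'}
# Assumed from the kernel ABI: arch=40000003 is AUDIT_ARCH_I386, where syscall 125 is
# mprotect(2); PROT_GROWSDOWN marks the stack mapping, which is why the execstack
# denials above carry a2=1000007 while the execmem one carries only a2=5.
PROT_BITS = {0x1: 'PROT_READ', 0x2: 'PROT_WRITE', 0x4: 'PROT_EXEC',
             0x01000000: 'PROT_GROWSDOWN', 0x02000000: 'PROT_GROWSUP'}

def parse_record(line):
    """Split one audit record into its key=value fields, plus serial and denied perm."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec['serial'] = m.group(1) if (m := SERIAL_RE.search(line)) else None
    rec['perm'] = m.group(1) if (m := DENIED_RE.search(line)) else None
    return rec

def decode_prot(hexval):
    """Render an mprotect prot argument (hex, as audit logs it) as flag names."""
    bits = int(hexval, 16)
    return '|'.join(n for b, n in PROT_BITS.items() if bits & b) or 'PROT_NONE'

def memory_denials(audit_text):
    """Pair AVC and SYSCALL records by audit serial and keep only the memory-protection
    denials (the ones setroubleshoot's allow_execstack/allow_execmem plugins report)."""
    by_serial = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        by_serial.setdefault(rec['serial'], {})[rec['type']] = rec
    found = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or avc['perm'] not in MEMORY_PERMS:
            continue
        is_mprotect = sc.get('arch') == '40000003' and sc.get('syscall') == '125'
        found.append({'serial': serial, 'perm': avc['perm'], 'comm': avc['comm'],
                      'exe': sc.get('exe'), 'domain': avc['scontext'].split(':')[2],
                      'prot': decode_prot(sc['a2']) if is_mprotect else None})
    return found
```

Running it over `ausearch -m AVC,SYSCALL` output on a real host gives the same pairing; the `exe` field from the SYSCALL record is what the chcon/semanage commands quoted above act on, and the `domain` shows whether the process was confined (nsplugin_t) or unconfined_t when it hit the check.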

