selinux now causing trouble with seamonkey

Daniel J Walsh dwalsh at redhat.com
Thu Feb 14 12:57:21 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim Cornette wrote:
> Daniel J Walsh wrote:
>>>
>> Well going to this page with nsplugin installed causes nsplugin_t to
>> generate an execmem.
>>
>> - ----
>> time->Wed Feb 13 08:00:55 2008
>> type=SYSCALL msg=audit(1202907655.715:1515): arch=40000003 syscall=125
>> per=8 success=no exit=-13 a0=f2129000 a1=1000 a2=5 a3=ffbff4bc items=0
>> ppid=4897 pid=4917 auid=3267 uid=3267 gid=3267 euid=3267 suid=3267
>> fsuid=3267 egid=3267 sgid=3267 fsgid=3267 tty=(none) comm="npviewer.bin"
>> exe="/usr/lib/nspluginwrapper/npviewer.bin"
>> subj=staff_u:staff_r:nsplugin_t:s0 key=(null)
>> type=AVC msg=audit(1202907655.715:1515): avc:  denied  { execmem } for
>> pid=4917 comm="npviewer.bin" scontext=staff_u:staff_r:nsplugin_t:s0
>> tcontext=staff_u:staff_r:nsplugin_t:s0 tclass=process
>>
>>
>> nsplugin seems to survive though.  So this is definitely a plugin
>> causing the problem.  I would bet it is flashplugin.
> 
> After installing nspluginwrapper, firefox only logs two instances and
> does not crash. A bit better than without it.
> 
> Raw Audit Messages :host=HP-JCF7 type=AVC msg=audit(1202946445.511:77):
> avc: denied { execstack } for pid=3749 comm="npviewer.bin"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> host=HP-JCF7 type=SYSCALL msg=audit(1202946445.511:77): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc8c000 a1=1000 a2=1000007
> a3=fffff000 items=0 ppid=3719 pid=3749 auid=500 uid=500 gid=500 euid=500
> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
> comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin"
> subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
> 
> 
> Thanks!
> Jim
> 
If you want to try further experimentation, you can set the  boolean
allow_unconfined_nsplugin_transition and run the plugins confined.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEUEARECAAYFAke0OrAACgkQrlYvE4MpobM5jACgxn4C1usz7ZsoPx0Tt/Qv/8HE
YfoAmKMEKvTsqN6f9welw6qf34Hvj88=
=Tlg/
-----END PGP SIGNATURE-----

More information about the fedora-test-list mailing list