unconfined_execmem_t transitions to unconfined_t
Daniel J Walsh
dwalsh at redhat.com
Thu Nov 1 17:57:01 UTC 2007
Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> Are there any issues allowing transition from 'unconfined_execmem_t'
> to 'unconfined_t'?
>
> /usr/bin/valgrind is 'unconfined_execmem_exec_t', so running
> 'valgrind system-config-users' or
> 'PYTHONPATH=/usr/share/system-config-users valgrind /usr/bin/python
> /usr/share/system-config-users/system-config-users.py'
>
> produces:
>
> Summary
> SELinux is preventing userhelper (unconfined_execmem_t) "transition" to
> /usr/share/system-config-users/system-config-users (unconfined_t).
>
> Detailed Description
> SELinux denied access requested by userhelper. It is not expected that this
> access is required by userhelper and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context system_u:system_r:unconfined_execmem_t
> Target Context system_u:system_r:unconfined_t
> Target Objects /usr/share/system-config-users/system-config-users
> [ process ]
> Affected RPM Packages system-config-users-1.2.72-1.fc8 [target]
> Policy RPM selinux-policy-3.0.8-40.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.23.1-41.fc8 #1 SMP
> Mon Oct 29 18:29:15 EDT 2007 i686 i686
> Alert Count 2
> First Seen Tue 30 Oct 2007 07:08:40 AM PDT
> Last Seen Tue 30 Oct 2007 07:09:35 AM PDT
> Local ID c1b26ecd-2d55-4e55-85bd-46f718634fce
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { transition } for comm=userhelper dev=dm-0
> path=/usr/share/system-config-users/system-config-users pid=5742
> scontext=system_u:system_r:unconfined_execmem_t:s0 tclass=process
> tcontext=system_u:system_r:unconfined_t:s0
>
>
>
No, this should be allowed. selinux-policy-3.0.8-45.fc8.src.rpm
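The raw audit message quoted in the report carries everything needed to write the local policy rule the report mentions. As an added example (not part of the original thread, and not the audit2allow tool), this Python code parses AVC denials and renders the matching type-enforcement allow rule; the function names and the sample line, rejoined from the wrapped message above, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the raw audit message from the report, joined onto one line.
SAMPLE_AVC = (
    "avc: denied { transition } for comm=userhelper dev=dm-0 "
    "path=/usr/share/system-config-users/system-config-users pid=5742 "
    "scontext=system_u:system_r:unconfined_execmem_t:s0 tclass=process "
    "tcontext=system_u:system_r:unconfined_t:s0"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial into (source_type, target_type, class, perms)."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial record
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    missing = {"scontext", "tcontext", "tclass"} - set(fields)
    if missing:
        raise ValueError(f"AVC record lacks {sorted(missing)}")
    return (context_type(fields["scontext"]), context_type(fields["tcontext"]),
            fields["tclass"], frozenset(m.group("perms").split()))

def allow_rules(lines):
    """Merge denials per (source, target, class) and render TE allow rules."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules([SAMPLE_AVC])))
```

Review each generated rule against the denial that produced it before loading it as a local module, since the rule grants the permission to every process in the source domain.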