SELinux is preventing nspluginviewer ....
Antonio Olivares
olivares14031 at yahoo.com
Sun Aug 3 18:35:24 UTC 2008
> Dear all,
>
> Now I know why playing Penalty_Fever caused a problem. The
> following is clear evidence :(
>
>
> Summary:
>
> SELinux is preventing nspluginviewer from changing a writable memory segment
> executable.
>
> Detailed Description:
>
> The nspluginviewer application attempted to change the access protection of
> memory (e.g., allocated using malloc). This is a potential security problem.
> Applications should not be doing this. Applications are sometimes coded
> incorrectly and request this permission. The SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> remove this requirement. If nspluginviewer does not work and you need it to
> work, you can configure SELinux temporarily to allow this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> If you trust nspluginviewer to run correctly, you can change the context of the
> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/bin/nspluginviewer'". You must also change the default file context files
> on the system in order to preserve them even on a full relabel. "semanage
> fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        nspluginviewer
> Source Path                   /usr/bin/nspluginviewer
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           kdebase-4.1.0-1.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.1-4.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmem
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26.1 #1 SMP Sat Aug 2 21:36:01 CDT 2008 i686 i686
> Alert Count                   29
> First Seen                    Sun 03 Aug 2008 12:55:21 PM CDT
> Last Seen                     Sun 03 Aug 2008 12:55:21 PM CDT
> Local ID                      865503d3-baab-4dcd-adc0-47f8fff6ade6
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
> This was an old bug and it returns to bite back :(
> Is anybody else also encountering this problem?
>
> Regards,
>
> Antonio
BTW,
the old bug with nspluginwrapper was here:
https://bugzilla.redhat.com/show_bug.cgi?id=431708
It was closed. It looks a little bit different, now I am not sure if it is related?
Thanks,
Antonio
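
Added example, not part of the original message: a short Python script that pairs the AVC and SYSCALL records from the report by audit event ID and decodes the system call arguments, showing the denied call is `mprotect` requesting `PROT_READ|PROT_EXEC` on one page. The lookup tables are assumptions that cover only i386 and syscall 125, and the two sample records are the ones quoted above, unwrapped and trimmed.

```python
import re

# Constructed sample: the two raw audit records from the report above, unwrapped and trimmed.
AVC = ('type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for '
       'pid=3262 comm="nspluginviewer" '
       'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process')
SYSCALL = ('type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 '
           'success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 '
           'pid=3262 comm="nspluginviewer" exe="/usr/bin/nspluginviewer"')

# Minimal lookup tables (assumption: only what this report needs, i386 only).
ARCHES = {0x40000003: "i386"}            # AUDIT_ARCH_I386
SYSCALLS = {("i386", 125): "mprotect"}   # i386 syscall table entry 125
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def fields(record):
    """Return the key=value pairs of one audit record, plus event id and denied perms."""
    out = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    m = re.search(r'audit\((\d+\.\d+):(\d+)\)', record)
    out["event"] = m.group(2) if m else None
    perms = re.search(r'denied\s+\{([^}]*)\}', record)
    if perms:
        out["perms"] = perms.group(1).split()
    return out

def explain(avc_line, syscall_line):
    """Correlate an AVC denial with its SYSCALL record and decode mprotect args."""
    avc, sc = fields(avc_line), fields(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("records belong to different audit events")
    arch = ARCHES.get(int(sc["arch"], 16), "unknown")
    name = SYSCALLS.get((arch, int(sc["syscall"])), "unknown")
    result = {"perms": avc["perms"], "exe": sc["exe"], "syscall": name}
    if name == "mprotect":  # a0..a2 are logged in hex: addr, len, prot
        prot = int(sc["a2"], 16)
        result["addr"] = int(sc["a0"], 16)
        result["length"] = int(sc["a1"], 16)
        result["prot"] = [n for bit, n in sorted(PROT.items()) if prot & bit]
    return result

if __name__ == "__main__":
    print(explain(AVC, SYSCALL))
```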