SELinux is preventing nspluginviewer ....

Daniel J Walsh dwalsh at redhat.com
Mon Aug 4 18:32:54 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
>> Dear all,
>>
>> Now I know why playing Penalty_Fever caused a problem.  The
>> following is clear evidence :(
>>
>>
>> Summary:
>>
>> SELinux is preventing nspluginviewer from changing a
>> writable memory segment
>> executable.
>>
>> Detailed Description:
>>
>> The nspluginviewer application attempted to change the
>> access protection of
>> memory (e.g., allocated using malloc). This is a potential
>> security problem.
>> Applications should not be doing this. Applications are
>> sometimes coded
>> incorrectly and request this permission. The SELinux Memory
>> Protection Tests
>> (http://people.redhat.com/drepper/selinux-mem.html) web
>> page explains how to
>> remove this requirement. If nspluginviewer does not work
>> and you need it to
>> work, you can configure SELinux temporarily to allow this
>> access until the
>> application is fixed. Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against
>> this package.
>>
>> Allowing Access:
>>
>> If you trust nspluginviewer to run correctly, you can
>> change the context of the
>> executable to unconfined_execmem_exec_t. "chcon -t
>> unconfined_execmem_exec_t
>> '/usr/bin/nspluginviewer'". You must also
>> change the default file context files
>> on the system in order to preserve them even on a full
>> relabel. "semanage
>> fcontext -a -t unconfined_execmem_exec_t
>> '/usr/bin/nspluginviewer'"
>>
>> Fix Command:
>>
>> chcon -t unconfined_execmem_exec_t
>> '/usr/bin/nspluginviewer'
>>
>> Additional Information:
>>
>> Source Context               
>> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>>                               SystemHigh
>> Target Context               
>> unconfined_u:unconfined_r:unconfined_t:SystemLow-
>>                               SystemHigh
>> Target Objects                None [ process ]
>> Source                        nspluginviewer
>> Source Path                   /usr/bin/nspluginviewer
>> Port                          <Unknown>
>> Host                          localhost.localdomain
>> Source RPM Packages           kdebase-4.1.0-1.fc10
>> Target RPM Packages           
>> Policy RPM                    selinux-policy-3.5.1-4.fc10
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   allow_execmem
>> Host Name                     localhost.localdomain
>> Platform                      Linux localhost.localdomain
>> 2.6.26.1 #1 SMP Sat
>>                               Aug 2 21:36:01 CDT 2008 i686
>> i686
>> Alert Count                   29
>> First Seen                    Sun 03 Aug 2008 12:55:21 PM
>> CDT
>> Last Seen                     Sun 03 Aug 2008 12:55:21 PM
>> CDT
>> Local ID                     
>> 865503d3-baab-4dcd-adc0-47f8fff6ade6
>> Line Numbers                  
>>
>> Raw Audit Messages            
>>
>> host=localhost.localdomain type=AVC
>> msg=audit(1217786121.365:53): avc:  denied  { execmem } for 
>> pid=3262 comm="nspluginviewer"
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=process
>>
>> host=localhost.localdomain type=SYSCALL
>> msg=audit(1217786121.365:53): arch=40000003 syscall=125
>> success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc
>> items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500
>> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
>> ses=1 comm="nspluginviewer"
>> exe="/usr/bin/nspluginviewer"
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> key=(null)
>>
>>
>> This was an old bug and it returns to bite back :(
>> Is anybody else also encountering this problem?
>>
>> Regards,
>>
>> Antonio 
>>
>>
>>       
>>
>> -- 
> 
> BTW,
> 
> the old bug with nspluginwrapper was here:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=431708
> 
> It was closed.  It looks a little bit different, now I am not sure if it is related?
> 
> Thanks,
> 
> Antonio 
> 
> 
>       
> 
Most likely caused by one of the plugins you are using.  You have
multiple choices to fix this, one you could turn on nsplugin confinement

# getsebool -a | grep nsplugin
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on

You should relabel your homedir if you do.

restorecon -R -v ~

Then restart firefox.  This would allow a confined nsplugin to execmem
but not all apps run from unconfined_t.  I have been running like this
for a long time and have had few problems, although the more people who
run with this mode the better so we can figure out what firefox plugins
want to do.

You can not run the offending plugin.

You can ignore the error if it does not seem to cause the problem.

You can turn on allow_execmem boolean.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkiXS1YACgkQrlYvE4MpobPgsgCgtS04Z/kSzNfsa6MILORC1ZxU
QJEAn1v2xRLEMv3r5rmVQlE0xfpAnicO
=1PTR
-----END PGP SIGNATURE-----




More information about the fedora-test-list mailing list