SELinux and VLC player
by Rahul Sundaram
Hi
Summary:
SELinux is preventing vlc from making the program stack executable.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
The vlc application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If vlc does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust vlc to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/vlc'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/vlc'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/bin/vlc'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects None [ process ]
Source vlc
Source Path /usr/bin/vlc
Port <Unknown>
Host sundaram
Source RPM Packages vlc-core-0.9.4-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.12-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name allow_execstack
Host Name sundaram
Platform Linux sundaram 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686
Alert Count 1
First Seen Sat 18 Oct 2008 08:18:06 AM IST
Last Seen Sat 18 Oct 2008 08:18:06 AM IST
Local ID 84968ddd-4d14-4680-8692-66835b0c5e43
Line Numbers
Raw Audit Messages
node=sundaram type=AVC msg=audit(1224298086.835:270): avc: denied { execstack } for pid=25126 comm="vlc" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=sundaram type=SYSCALL msg=audit(1224298086.835:270): arch=40000003 syscall=125 success=yes exit=0 a0=bf8a4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=25126 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Rahul
14 years, 5 months
Mplayer Firefox plugin - SELinux policy issue
by Rahul Sundaram
Hi,
Summary:
SELinux is preventing firefox from changing a writable memory segment
executable.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
The firefox application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust firefox to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0.2/firefox'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0.2/firefox'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0.2/firefox'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects None [ process ]
Source mplayer
Source Path /usr/bin/mplayer
Port <Unknown>
Host sundaram
Source RPM Packages firefox-3.0.2-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.12-2.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name allow_execmem
Host Name sundaram
Platform Linux sundaram 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686
Alert Count 2203
First Seen Thu 09 Oct 2008 01:27:29 PM IST
Last Seen Sat 18 Oct 2008 01:38:06 AM IST
Local ID 38a635ac-3f04-4c17-a077-0fc45f309767
Line Numbers
Raw Audit Messages
node=type=AVC msg=audit(1224274086.429:152): avc: denied { execmem } for pid=30194 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=sundaram type=SYSCALL msg=audit(1224274086.429:152): arch=40000003 syscall=125 success=yes exit=0 a0=b2ce4000 a1=1000 a2=5 a3=bfaf8f0c items=0 ppid=30180 pid=30194 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.0.2/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
---
Rahul
14 years, 5 months
Qns on SELinux policy tool on fedora 7
by lionel ong
Hi! I am Lionel and I have just subscribed to the fedora-selinux-list. I have been working on Fedora 7 recently and am currently testing out the policy management tool provided by SELinux. Does anyone know how to use the tool to create a policy such that it makes Firefox work on any other TCP port than its default port 80? Does the "file name" the tool requires me to enter really matter, or does it just require the correct executable to be selected? Any advice would be a great help! Thanks!
14 years, 5 months
selinux denies dmesg
by Antonio Olivares
Dear fellow selinux experts,
After recovering from a kernel panic to check up on the filesystem, I ran dmesg and encountered some AVCs:
[olivares@riohigh ~]$ dmesg | grep avc
type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.669:6): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.669:7): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:8): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:9): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:10): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:11): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:12): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:13): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
I have just updated to a newer kernel 2.6.27-13 and new selinux policy updates :)
[olivares@riohigh ~]$ rpm -qa selinux*
selinux-policy-3.5.12-2.fc10.noarch
selinux-policy-targeted-3.5.12-2.fc10.noarch
[olivares@riohigh ~]$
What do I do?
Thanks,
Antonio
14 years, 5 months
Denied avcs
by Antonio Olivares
Dear fellow testers and selinux experts,
I have encountered several avcs. I want to ask you for advice before applying the suggested fixes.
Summary:
SELinux is preventing knotify4 from making the program stack executable.
Detailed Description:
The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/knotify4'" You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/bin/knotify4'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects None [ process ]
Source knotify4
Source Path /usr/bin/knotify4
Port <Unknown>
Host riohigh
Source RPM Packages kdebase-runtime-4.1.2-3.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.10-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name riohigh
Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon
Alert Count 2
First Seen Thu 16 Oct 2008 06:33:56 AM CDT
Last Seen Thu 16 Oct 2008 06:33:56 AM CDT
Local ID d2171be2-9d07-43e0-83bf-95f7f3e5e666
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.
Detailed Description:
SELinux denied access requested by hal-acl-tool. It is not expected that this
access is required by hal-acl-tool and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:hald_acl_t:s0
Target Context system_u:system_r:hald_acl_t:s0
Target Objects None [ capability ]
Source hal-acl-tool
Source Path /usr/libexec/hal-acl-tool
Port <Unknown>
Host riohigh
Source RPM Packages hal-0.5.12-3.20081013git.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.10-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon
Alert Count 73
First Seen Sat 04 Oct 2008 11:10:27 AM CDT
Last Seen Thu 16 Oct 2008 06:33:03 AM CDT
Local ID 16181f84-ddf2-4510-bd51-aef5ff647a63
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 items=0 ppid=1834 pid=2568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)
Summary:
SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t.
Detailed Description:
SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects None [ capability ]
Source console-kit-dae
Source Path /usr/sbin/console-kit-daemon
Port <Unknown>
Host riohigh
Source RPM Packages ConsoleKit-0.3.0-2.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.10-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon
Alert Count 87
First Seen Fri 03 Oct 2008 06:14:33 PM CDT
Last Seen Thu 16 Oct 2008 06:33:02 AM CDT
Local ID 0c8f36ea-d6b2-4646-ba59-1cdf5e6a0ee0
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224156782.948:86): avc: denied { sys_resource } for pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 a3=8c4b790 items=0 ppid=1 pid=1770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
I had not encountered these before. Before applying the fixes, I want to ask whether anyone else has encountered them.
TIA,
Antonio
14 years, 5 months
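Decoding the raw audit records quoted in the execstack/execmem posts and in the sys_resource denials above, as an added example that is not from the list or from setroubleshoot: it pairs the AVC and SYSCALL lines by audit serial, names the i386 syscall and capability numbers, and expands mprotect's a2 argument, which is how an analyst can tell an executable-stack request (PROT_GROWSDOWN set) from plain execmem and see whether permissive mode let the call succeed. The sample records are copied from the posts above, trimmed of the uid/gid fields.

```python
import re
from typing import Any, Dict, List

# Sample records copied from the posts above (knotify4 execstack in enforcing mode,
# firefox execmem in permissive mode, hal-acl-tool sys_resource), uid/gid fields trimmed.
SAMPLE_AUDIT = """\
node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
node=sundaram type=AVC msg=audit(1224274086.429:152): avc: denied { execmem } for pid=30194 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=sundaram type=SYSCALL msg=audit(1224274086.429:152): arch=40000003 syscall=125 success=yes exit=0 a0=b2ce4000 a1=1000 a2=5 a3=bfaf8f0c items=0 ppid=30180 pid=30194 auid=500 uid=500 comm="firefox" exe="/usr/lib/firefox-3.0.2/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
"""
I386_SYSCALLS = {4: "write", 125: "mprotect"}  # arch=40000003 is AUDIT_ARCH_I386
CAPABILITIES = {24: "CAP_SYS_RESOURCE"}  # capability=24 in every sys_resource AVC above
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
             0x01000000: "PROT_GROWSDOWN"}  # <sys/mman.h>; GROWSDOWN marks a stack mapping
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")
_SERIAL = re.compile(r"audit\(\d+\.\d+:(\d+)\)")


def parse_record(line: str) -> Dict[str, Any]:
    """Split one audit line into key/value pairs plus the denied permissions."""
    rec: Dict[str, Any] = {k: v.strip('"') for k, v in _KV.findall(line)}
    serial, denied = _SERIAL.search(line), _DENIED.search(line)
    if serial:
        rec["serial"] = serial.group(1)
    if denied:
        rec["denied"] = denied.group(1).split()
    return rec


def decode_prot(hexflags: str) -> List[str]:
    """Expand mprotect's a2 argument into PROT_* names; unknown bits stay as hex."""
    val = int(hexflags, 16)
    names = [n for bit, n in sorted(PROT_BITS.items()) if val & bit]
    rest = val & ~sum(PROT_BITS)
    if rest:
        names.append(hex(rest))
    return names


def pair_records(text: str) -> List[Dict[str, Any]]:
    """Group AVC and SYSCALL records that share an audit serial into one event."""
    events: Dict[str, Dict[str, Any]] = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec.get("serial", line), {})[rec.get("type", "?")] = rec
    return list(events.values())


def explain(event: Dict[str, Any]) -> Dict[str, Any]:
    """Read one denial the way an analyst would, decoding the numeric fields."""
    avc, sc = event.get("AVC", {}), event.get("SYSCALL", {})
    out: Dict[str, Any] = {"comm": avc.get("comm"), "denied": avc.get("denied", []),
           "tclass": avc.get("tclass"),
           "domain": avc["scontext"].split(":")[2] if "scontext" in avc else None,
           "blocked": sc.get("success") == "no"}  # permissive mode logs success=yes
    if avc.get("tclass") == "capability":
        out["capability"] = CAPABILITIES.get(int(avc.get("capability", -1)), "unknown")
    if sc.get("arch") == "40000003":
        out["syscall"] = I386_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
        if out["syscall"] == "mprotect":
            out["prot"] = decode_prot(sc["a2"])
            # an executable-stack request carries PROT_GROWSDOWN; plain execmem does not
            out["kind"] = "execstack" if "PROT_GROWSDOWN" in out["prot"] else "execmem"
    return out
```

Run `explain()` over `pair_records(open("/var/log/audit/audit.log").read())` to get the same breakdown for a live log; a `blocked: False` on an execstack event means the process really did get an executable stack because the box was permissive.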
writable memory segment: mplayer
by Rahul Sundaram
Hi
Since Fedora doesn't include this software, should an exception be added to the SELinux policy?
"If you trust mplayer to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/mplayer'"
Rahul
14 years, 5 months
SELinux is preventing nm-system-setti (NetworkManager_t)
by hicham
Hello
Every time I log on to Fedora 8, I get the setroubleshoot browser popup with this:
"Summary :
SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (hald_var_lib_t).
Detailed Description :
SELinux denied access requested by nm-system-setti. It is not expected that this access is required by nm-system-setti and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./PolicyKit, restorecon -v './PolicyKit' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. "
"this access may signal an intrusion attempt": is someone trying to get into my computer?
How do I fix that?
thanks
14 years, 5 months
running star archive through restorecon
by Murray McAllister
Hi,
This is probably user error, sorry :)
1. touch file{1,2}; ls -Z
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file2
2. chcon -l s0:c2 file{1,2}; ls -Z
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2
3. star -xattr -H exustar -c -f test.star file{1,2}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
4. cd /var/www/html/
5. sudo star -x -f test.star | restorecon -f -
6. ls -Z
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 test.star
file1 and file2 are still s0:c2. When I perform the same steps with tar
(using tar --selinux), in step 6, file1 and file2 use s0.
Does anyone have any pointers as to where I've gone wrong? I don't get
any denials when running "sudo star -x -f test.star | restorecon -f -".
I am using:
Fedora release 9.92 (Rawhide)
star-1.5a84-6.fc10.i386
tar-1.20-3.fc10.i386
policycoreutils-2.0.57-1.fc10.i386
selinux-policy-targeted-3.5.10-3.fc10.noarch
selinux-policy-3.5.10-3.fc10.noarch
Cheers :)
14 years, 5 months
Selinux config to get gutenprint 5.2 beta working under Fedora 8
by Edward Kuns
I just bought a printer that only works well via the gutenprint 5.2 beta 4 from openprinting.org. The selinux configuration to allow gutenprint to function is:
/opt/gutenprint/ppds/.* -- system_u:object_r:cupsd_rw_etc_t:s0
/opt/gutenprint/s?bin/.* -- system_u:object_r:lpr_exec_t:s0
/opt/gutenprint/cups/lib/filter/.* -- system_u:object_r:bin_t:s0
I have verified that this configuration works. I haven't verified that
it's the minimal configuration, but it's based on existing printer
configurations from selinux.
Eddie
14 years, 5 months
Yet another role question
by Joe Nall
It appears that per role template expansion is disabled in the modules
shipped with fedora selinux-policy 3.5.10 but enabled for modules
compiled with the resulting policy (which uses a different Makefile).
Why is there a difference?
joe
from the policy Makefile:
# perrole-expansion modulename,outputfile
define perrole-expansion
	echo "No longer doing perrole-expansion"
#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
#	$(call parse-rolemap,$1,$2)
#	$(verbose) echo "')" >> $2
#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
#	$(call parse-rolemap-compat,$1,$2)
#	$(verbose) echo "')" >> $2
endef
from /usr/share/selinux/devel/include/Makefile:
# peruser-expansion modulename,outputfile
define peruser-expansion
	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
	$(call parse-rolemap,$1,$2)
	$(verbose) echo "')" >> $2
	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
	$(call parse-rolemap-compat,$1,$2)
	$(verbose) echo "')" >> $2
endef
14 years, 5 months