Summary:
SELinux is preventing skype from changing a writable memory segment executable.
Detailed Description:
The skype application attempted to change the access protection of memory (e.g.,
allocated using malloc). This is a potential security problem. Applications
should not be doing this. Applications are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If skype does not work and you need it to work, you can
configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust skype to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t '<Unknown>'". You must
also change the default file context files on the system in order to preserve
them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '<Unknown>'"
Fix Command:
chcon -t execmem_exec_t '<Unknown>'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects None [ process ]
Source skype
Source Path <Unknown>
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.6.22-2.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execmem
Host Name (removed)
Platform Linux internet01.frankly3d.local 2.6.31-0.86.rc3.git5.fc12.x86_64 #1 SMP Wed Jul 22 15:31:34 EDT 2009 x86_64 x86_64
Alert Count 1
First Seen Fri 24 Jul 2009 17:38:51 IST
Last Seen Fri 24 Jul 2009 17:38:51 IST
Local ID 6c5beb61-0671-4497-b86d-cd1bf0944901
Line Numbers
Raw Audit Messages
node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)