On Fri, 2009-07-24 at 17:48 +0100, Frank Murphy wrote:
> Following is AVC
> Do I replace '<unknown>' with skype?
>
>
>> Summary:
>>
>> SELinux is preventing skype from changing a writable memory segment executable.
>>
>> Detailed Description:
>>
>> The skype application attempted to change the access protection of memory (e.g.,
>> allocated using malloc). This is a potential security problem. Applications
>> should not be doing this. Applications are sometimes coded incorrectly and
>> request this permission. The SELinux Memory Protection Tests
>> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
>> remove this requirement. If skype does not work and you need it to work, you can
>> configure SELinux temporarily to allow this access until the application is
>> fixed. Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>>
>> Allowing Access:
>>
>> If you trust skype to run correctly, you can change the context of the
>> executable to execmem_exec_t. "chcon -t execmem_exec_t '<Unknown>'". You must
>> also change the default file context files on the system in order to preserve
>> them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '<Unknown>'"
>>
>> Fix Command:
>>
>> chcon -t execmem_exec_t '<Unknown>'
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> Target Objects                None [ process ]
>> Source                        skype
>> Source Path                   <Unknown>
>> Port                          <Unknown>
>> Host                          (removed)
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.6.22-2.fc12
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   allow_execmem
>> Host Name                     (removed)
>> Platform                      Linux internet01.frankly3d.local
>>                               2.6.31-0.86.rc3.git5.fc12.x86_64 #1 SMP Wed Jul 22
>>                               15:31:34 EDT 2009 x86_64 x86_64
>> Alert Count                   1
>> First Seen                    Fri 24 Jul 2009 17:38:51 IST
>> Last Seen                     Fri 24 Jul 2009 17:38:51 IST
>> Local ID                      6c5beb61-0671-4497-b86d-cd1bf0944901
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>
>> node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>
>>

Yes:

    semanage fcontext -a -t execmem_exec_t /path/to/skype
    restorecon -v /path/to/skype

where "/path/to/skype" is the path to the skype executable file.

------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Please open a bugzilla on skype saying that apps should not require execmem privs
to run. Attach the following link.
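
The raw audit records quoted in the report above can be correlated by their shared event id to see exactly what was denied and during which system call. This is an added example, not part of the original thread; the function names `parse_events` and `execmem_denials` are hypothetical, and the sample input is the two records from the report rejoined onto single lines.

```python
import re

# The two raw audit records from the quoted report, one record per line.
SAMPLE = """\
node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event id (timestamp, serial), then by record type."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial = m.groups()
        rest = line[m.end():]
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "AVC":
            perms = DENIED.search(rest)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault((ts, serial), {})[rtype] = fields
    return events

def execmem_denials(text):
    """Return one summary per event whose AVC record denies execmem."""
    found = []
    for (ts, serial), recs in parse_events(text).items():
        avc = recs.get("AVC")
        if not avc or "execmem" not in avc["perms"]:
            continue
        sc = recs.get("SYSCALL", {})  # same event id, may be absent
        found.append({
            "event": f"{ts}:{serial}",
            "comm": avc.get("comm"),
            "domain": avc["scontext"].split(":")[2],  # SELinux type field
            "syscall": sc.get("syscall"),  # 59 is execve on x86_64
            "exit": sc.get("exit"),        # -13 is -EACCES
            "exe": sc.get("exe"),          # None when the record has no exe=
        })
    return found

if __name__ == "__main__":
    for d in execmem_denials(SAMPLE):
        print(d)
```

For these records `exe` comes back as `None`, so the executable path has to be supplied by hand in the `semanage fcontext` and `restorecon` commands, as the reply says.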