Dear all,
I have changed the stack to allow firefox to use the
stack, then I reverted. I read Jim's exchange with
Mr. Dan Walsh and there it was mentioned about
nspluginwrapper. I installed it and I see the
following every time I start firefox/seamonkey.
I have avoided to do anything because I am not sure
what to do. One side of me tells me to do what
setroubleshoot tells me, the other tells me to ask for
advice as to which is the best way to proceed and fix
this issue(s) for good. I leave it in the hands of
the people that know best and follow your guidance
carefully.
TIA,
Antonio
Summary:
SELinux is preventing plugin-config from making the
program stack executable.
Detailed Description:
The plugin-config application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(
http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If plugin-config does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
plugin-config to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'" You must
also change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'"
Fix Command:
chcon -t unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages
nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.25-0.65.rc2.git7.fc9 #1 SMP
Sat Feb 23 23:06:09 EST
2008 i686 athlon
Alert Count 133
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Tue 26 Feb 2008 06:55:45
AM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204030545.936:22):
avc: denied { execstack } for pid=2959
comm="plugin-config"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1204030545.936:22): arch=40000003
syscall=125 success=no exit=-13 a0=bfbc9000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2957 pid=2959
auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
**** end of nspluginwrapper ******
**** start of seamonkey setroubleshoot message ***
Summary:
SELinux is preventing seamonkey-bin from making the
program stack executable.
Detailed Description:
The seamonkey-bin application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(
http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If seamonkey-bin does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
seamonkey-bin to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'" You must
also change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'"
Fix Command:
chcon -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages seamonkey-1.1.8-4.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.25-0.65.rc2.git7.fc9 #1 SMP
Sat Feb 23 23:06:09 EST
2008 i686 athlon
Alert Count 135
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Tue 26 Feb 2008 07:24:52
AM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204032292.58:34):
avc: denied { execstack } for pid=4524
comm="seamonkey-bin"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1204032292.58:34): arch=40000003 syscall=125
success=no exit=-13 a0=bfa5e000 a1=1000 a2=1000007
a3=fffff000 items=0 ppid=1 pid=4524 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=1 comm="seamonkey-bin"
exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
***** end of seamonkey *****
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs