selinux now causing trouble with seamonkey
Daniel J Walsh
dwalsh at redhat.com
Thu Feb 14 13:31:18 UTC 2008
Antonio Olivares wrote:
> --- Jim Cornette <fct-cornette at insight.rr.com> wrote:
>
>> Daniel J Walsh wrote:
>>> Well going to this page with nsplugin installed
>> causes nsplugin_t to
>>> generate an execmem.
>>>
>>> - ----
>>> time->Wed Feb 13 08:00:55 2008
>>> type=SYSCALL msg=audit(1202907655.715:1515):
>> arch=40000003 syscall=125
>>> per=8 success=no exit=-13 a0=f2129000 a1=1000 a2=5
>> a3=ffbff4bc items=0
>>> ppid=4897 pid=4917 auid=3267 uid=3267 gid=3267
>> euid=3267 suid=3267
>>> fsuid=3267 egid=3267 sgid=3267 fsgid=3267
>> tty=(none) comm="npviewer.bin"
>>> exe="/usr/lib/nspluginwrapper/npviewer.bin"
>>> subj=staff_u:staff_r:nsplugin_t:s0 key=(null)
>>> type=AVC msg=audit(1202907655.715:1515): avc:
>> denied { execmem } for
>>> pid=4917 comm="npviewer.bin"
>> scontext=staff_u:staff_r:nsplugin_t:s0
>>> tcontext=staff_u:staff_r:nsplugin_t:s0
>> tclass=process
>>>
>>> nsplugin seems to survive though. So this is
>> definitely a plugin
>>> causing the problem. I would bet it is
>> flashplugin.
>>
>> After installing nspluginwrapper, firefox only logs
>> two instances and
>> does not crash. A bit better than without it.
>>
>> Raw Audit Messages :host=HP-JCF7 type=AVC
>> msg=audit(1202946445.511:77):
>> avc: denied { execstack } for pid=3749
>> comm="npviewer.bin"
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tclass=process
>> host=HP-JCF7 type=SYSCALL
>> msg=audit(1202946445.511:77): arch=40000003
>> syscall=125 success=no exit=-13 a0=bfc8c000 a1=1000
>> a2=1000007
>> a3=fffff000 items=0 ppid=3719 pid=3749 auid=500
>> uid=500 gid=500 euid=500
>> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
>> tty=(none)
>> comm="npviewer.bin"
>> exe="/usr/lib/nspluginwrapper/npviewer.bin"
>> subj=unconfined_u:unconfined_r:unconfined_t:s0
>> key=(null)
>>
>>
>> Thanks!
>> Jim
>
> Following this thread, I installed nspluginwrapper
>
> [root at localhost Downloads]# yum install
> nspluginwrapper
> Loaded plugins: refresh-updatesd
> Setting up Install Process
> Parsing package install arguments
> Resolving Dependencies
> --> Running transaction check
> ---> Package nspluginwrapper.i386 0:0.9.91.5-21.fc9
> set to be updated
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> =============================================================================
> Package Arch Version
> Repository Size
> =============================================================================
> Installing:
> nspluginwrapper i386 0.9.91.5-21.fc9
> development 130 k
>
> Transaction Summary
> =============================================================================
> Install 1 Package(s)
> Update 0 Package(s)
> Remove 0 Package(s)
>
> Total download size: 130 k
> Is this ok [y/N]: y
> Downloading Packages:
> (1/1): nspluginwrapper-0. 100%
> |=========================| 130 kB 00:00
> Running rpm_check_debug
> Running Transaction Test
> /etc/selinux/targeted/contexts/files/file_contexts:
> Multiple same specifications for /usr/bin/sbcl.
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
> /etc/selinux/targeted/contexts/files/file_contexts:
> Multiple same specifications for /usr/bin/sbcl.
> Installing: nspluginwrapper
> ######################### [1/1]
>
> Installed: nspluginwrapper.i386 0:0.9.91.5-21.fc9
> Complete!
> [root at localhost Downloads]#
>
> It was not installed :( Now I get a setroubleshoot
> message after a little while
>
>
> Summary:
>
> SELinux is preventing plugin-config from making the
> program stack executable.
>
> Detailed Description:
>
> The plugin-config application attempted to make its
> stack executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If plugin-config does not
> work and you need it to
> work, you can configure SELinux temporarily to allow
> this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the
> execstack flag, if you find
> a library with this flag you can clear it with the
> execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to
> not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH.
> Otherwise, if you trust
> plugin-config to run correctly, you can change the
> context of the executable to
> unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t
> '/usr/lib/nspluginwrapper/plugin-config'" You must
> also change the default file
> context files on the system in order to preserve them
> even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/lib/nspluginwrapper/plugin-config'"
>
> The following command will allow this access:
>
> chcon -t unconfined_execmem_exec_t
> '/usr/lib/nspluginwrapper/plugin-config'
>
> Additional Information:
>
> Source Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects None [ process ]
> Source firefox
> Source Path
> /usr/lib/firefox-3.0b3pre/firefox
> Port <Unknown>
> Host localhost
> Source RPM Packages
> nspluginwrapper-0.9.91.5-21.fc9
> Target RPM Packages
> Policy RPM
> selinux-policy-3.2.7-4.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_execstack
> Host Name localhost
> Platform Linux localhost
> 2.6.25-0.35.rc1.fc9 #1 SMP Tue Feb
> 12 13:24:07 EST 2008
> i686 athlon
> Alert Count 70
> First Seen Fri 01 Feb 2008 05:08:54
> PM CST
> Last Seen Thu 14 Feb 2008 06:56:41
> AM CST
> Local ID
> c4806f30-a6dc-43b0-8901-5531075795f7
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost type=AVC msg=audit(1202993801.990:96):
> avc: denied { execstack } for pid=17995
> comm="plugin-config"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> host=localhost type=SYSCALL
> msg=audit(1202993801.990:96): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbc9000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=17993 pid=17995
> auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
> egid=500 sgid=500 fsgid=500 tty=(none) ses=2
> comm="plugin-config"
> exe="/usr/lib/nspluginwrapper/plugin-config"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
> This happens with firefox. If I try seamonkey, I get
> the following alert:
>
>
> Summary:
>
> SELinux is preventing seamonkey-bin from making the
> program stack executable.
>
> Detailed Description:
>
> The seamonkey-bin application attempted to make its
> stack executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If seamonkey-bin does not
> work and you need it to
> work, you can configure SELinux temporarily to allow
> this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the
> execstack flag, if you find
> a library with this flag you can clear it with the
> execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to
> not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH.
> Otherwise, if you trust
> seamonkey-bin to run correctly, you can change the
> context of the executable to
> unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'" You must
> also change the default file
> context files on the system in order to preserve them
> even on a full relabel.
> "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'"
>
> The following command will allow this access:
>
> chcon -t unconfined_execmem_exec_t
> '/usr/lib/seamonkey-1.1.8/seamonkey-bin'
>
> Additional Information:
>
> Source Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects None [ process ]
> Source firefox
> Source Path
> /usr/lib/firefox-3.0b3pre/firefox
> Port <Unknown>
> Host localhost
> Source RPM Packages seamonkey-1.1.8-3.fc9
> Target RPM Packages
> Policy RPM
> selinux-policy-3.2.7-4.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_execstack
> Host Name localhost
> Platform Linux localhost
> 2.6.25-0.35.rc1.fc9 #1 SMP Tue Feb
> 12 13:24:07 EST 2008
> i686 athlon
> Alert Count 72
> First Seen Fri 01 Feb 2008 05:08:54
> PM CST
> Last Seen Thu 14 Feb 2008 07:11:03
> AM CST
> Local ID
> c4806f30-a6dc-43b0-8901-5531075795f7
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost type=AVC msg=audit(1202994663.15:108):
> avc: denied { execstack } for pid=18545
> comm="seamonkey-bin"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> host=localhost type=SYSCALL
> msg=audit(1202994663.15:108): arch=40000003
> syscall=125 success=no exit=-13 a0=bfa8e000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=1 pid=18545
> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) ses=2
> comm="seamonkey-bin"
> exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
>
> Both alerts are somewhat related since they have a
> source path
>
> Source Path
> /usr/lib/firefox-3.0b3pre/firefox
>
> firefox connected. I wonder if I did the exec chcon
> stuff for firefox and it is no longer bothering me,
> should I do the same for seamonkey. Or is there a way
> to undo what I did for firefox
>
> This is what I did before
> [root at localhost ~]# chcon -t unconfined_execmem_exec_t
> /usr/lib/firefox-3.0b4pre/firefox
> [root at localhost ~]# semanage fcontext -a -t
> unconfined_execmem_exec_t
> /usr/lib/firefox-3.0b4pre/firefox
> [root at localhost ~]# restorecon
> /usr/lib/firefox-3.0b4pre/firefox
> /etc/selinux/targeted/contexts/files/file_contexts:
> Multiple same specifications for /usr/bin/sbcl.
> [root at localhost ~]#
>
>
> How can I undo that now that I have nspluginwrapper?
>
> Thanks,
>
> Antonio
>
>
>
semanage fcontext -d /usr/lib/firefox-3.0b4pre/firefox
restorecon /usr/lib/firefox-3.0b4pre/firefox
Should remove the fcontext
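The raw audit messages quoted in this thread carry more than setroubleshoot's summary shows: the AVC record names the permission (execmem vs. execstack) and the source domain, and the matching SYSCALL record (same serial number) shows the mprotect arguments and whether the process was running with elevated credentials. The following parser is an added example, not code from the list or from Red Hat or Fedora; it reassembles the two AVC/SYSCALL pairs quoted above onto single lines (the form ausearch prints) and decodes them. Assumptions: records are one per line, a2 is the protection argument of mprotect, and syscall numbers are decoded only for arch=40000003 (i386), which is what the thread's records show.

```python
"""Decode SELinux execmem/execstack denials from raw audit records.

Added example for this thread (not the list's or the distribution's code).
Input records are copied from the messages above and joined onto one line
each, which is how ausearch/setroubleshoot present them.
"""
import re

# Protection bits as passed to mprotect()/mmap(); audit prints a0..a3 in hex
# without a 0x prefix, so a2=1000007 is 0x01000007.
PROT_FLAGS = (
    (0x1, "PROT_READ"),
    (0x2, "PROT_WRITE"),
    (0x4, "PROT_EXEC"),
    (0x01000000, "PROT_GROWSDOWN"),
    (0x02000000, "PROT_GROWSUP"),
)

# arch=40000003 is AUDIT_ARCH_I386; only the memory-mapping calls are named here
I386_SYSCALL_NAMES = {90: "mmap", 125: "mprotect", 192: "mmap2"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Sample records taken from the thread above (one record per line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1202907655.715:1515): avc: denied { execmem } for pid=4917 comm="npviewer.bin" scontext=staff_u:staff_r:nsplugin_t:s0 tcontext=staff_u:staff_r:nsplugin_t:s0 tclass=process
type=SYSCALL msg=audit(1202907655.715:1515): arch=40000003 syscall=125 per=8 success=no exit=-13 a0=f2129000 a1=1000 a2=5 a3=ffbff4bc items=0 ppid=4897 pid=4917 auid=3267 uid=3267 gid=3267 euid=3267 suid=3267 fsuid=3267 egid=3267 sgid=3267 fsgid=3267 tty=(none) comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=staff_u:staff_r:nsplugin_t:s0 key=(null)
host=localhost type=AVC msg=audit(1202993801.990:96): avc: denied { execstack } for pid=17995 comm="plugin-config" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost type=SYSCALL msg=audit(1202993801.990:96): arch=40000003 syscall=125 success=no exit=-13 a0=bfbc9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=17993 pid=17995 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec["timestamp"] = float(m.group(1))
    rec["serial"] = int(m.group(2))      # links the AVC to its SYSCALL record
    p = PERM_RE.search(line)
    if p:
        rec["perms"] = p.group(1).split()
    return rec


def decode_prot(hex_arg):
    """Turn the hex protection argument into the PROT_* names it contains."""
    value = int(hex_arg, 16)
    return [name for bit, name in PROT_FLAGS if value & bit]


def syscall_name(rec):
    """Name the syscall for i386 records; other arches keep the raw number."""
    if rec.get("arch") == "40000003" and "syscall" in rec:
        return I386_SYSCALL_NAMES.get(int(rec["syscall"]), rec["syscall"])
    return rec.get("syscall")


def decode_denials(text):
    """Pair AVC records with their SYSCALL records and summarise each denial."""
    avcs, syscalls = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") == "AVC" and "perms" in rec:
            avcs.setdefault(rec["serial"], []).append(rec)
        elif rec.get("type") == "SYSCALL":
            syscalls[rec["serial"]] = rec
    denials = []
    for serial, avc_list in avcs.items():          # insertion order = log order
        sc = syscalls.get(serial, {})               # may be absent in a trimmed log
        for avc in avc_list:
            denials.append({
                "serial": serial,
                "perm": " ".join(avc["perms"]),
                "comm": avc.get("comm"),
                "domain": avc["scontext"].split(":")[2],
                "exe": sc.get("exe"),
                "syscall": syscall_name(sc),
                "prot": decode_prot(sc["a2"]) if "a2" in sc else [],
                # euid != uid means a setuid/root helper hit the denial
                "privileged": sc.get("euid") != sc.get("uid"),
                "succeeded": sc.get("success") == "yes",
            })
    return denials


if __name__ == "__main__":
    for d in decode_denials(SAMPLE_AUDIT):
        print("%(serial)s %(perm)s in %(domain)s by %(comm)s (%(exe)s): "
              "%(syscall)s %(prot)s privileged=%(privileged)s" % d)
```

Run on the thread's records this shows the two cases side by side: npviewer.bin in nsplugin_t asks for PROT_READ|PROT_EXEC on an anonymous mapping (execmem), while plugin-config in unconfined_t asks for PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, the pattern glibc issues when a loaded library's PT_GNU_STACK flag demands an executable stack (execstack), and it does so with euid=0. That second detail is why the setroubleshoot advice above favours clearing the flag on the offending library with `execstack -c` over relabeling the binary to unconfined_execmem_exec_t, which grants the permission permanently to everything that binary loads.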