SELinux is preventing plugin-config (nsplugin_config_t) "execstack" to <Unknown> (nsplugin_config_t)
by Antonio Olivares
Ok Seamonkey and selinux, firefox, and nsplugin.
Here are the results. Thanks for your suggestions and
advice in advance.
Antonio
Summary:
SELinux is preventing plugin-config
(nsplugin_config_t) "execstack" to <Unknown>
(nsplugin_config_t).
Detailed Description:
SELinux denied access requested by plugin-config. It
is not expected that this
access is required by plugin-config and this access
may signal an intrusion
attempt. It is also possible that the specific version
or configuration of the
application is causing it to require additional
access.
Allowing Access:
You can generate a local policy module to allow this
access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux
protection is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
unconfined_u:unconfined_r:nsplugin_config_t
:SystemLow-SystemHigh
Target Context
unconfined_u:unconfined_r:nsplugin_config_t
:SystemLow-SystemHigh
Target Objects None [ process ]
Source plugin-config
Source Path
/usr/lib/nspluginwrapper/plugin-config
Port <Unknown>
Host localhost
Source RPM Packages
nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost
Platform Linux localhost
2.6.25-0.65.rc2.git7.fc9 #1 SMP
Sat Feb 23 23:06:09 EST
2008 i686 athlon
Alert Count 2
First Seen Tue 26 Feb 2008 03:17:23
PM CST
Last Seen Tue 26 Feb 2008 03:22:56
PM CST
Local ID
276820c9-9871-4632-8ec1-c8909c8d7c0b
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204060976.98:110):
avc: denied { execstack } for pid=20500
comm="plugin-config"
scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1204060976.98:110): arch=40000003
syscall=125 success=no exit=-13 a0=bf957000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=20498 pid=20500
auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
key=(null)
____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
16 years, 4 months
SELinux is preventing seamonkey-bin from making the program stack executable.
by Antonio Olivares
Dear all,
After applying the fix suggested by Mr. Walsh,
[root@localhost ~]# setsebool -P
allow_unconfined_nsplugin_transition=1
allow_nsplugin_execmem=1
[root@localhost ~]# getsebool -a | grep nsp
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on
Seamonkey is asking permission for the stack. I do
not want to allow access if it is not correct for
seamonkey to allow stack execution. Please help me
nail this one as well and crossing my fingers that
firefox/minefield does not ask as well.
Summary:
SELinux is preventing seamonkey-bin from making the
program stack executable.
Detailed Description:
The seamonkey-bin application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If seamonkey-bin does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
seamonkey-bin to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'" You must
also change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'"
Fix Command:
chcon -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages seamonkey-1.1.8-4.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.25-0.65.rc2.git7.fc9 #1 SMP
Sat Feb 23 23:06:09 EST
2008 i686 athlon
Alert Count 140
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Tue 26 Feb 2008 03:17:04
PM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204060624.602:108):
avc: denied { execstack } for pid=20290
comm="seamonkey-bin"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1204060624.602:108): arch=40000003
syscall=125 success=no exit=-13 a0=bfc72000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=1 pid=20290
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="seamonkey-bin"
exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
____________________________________________________________________________________
Looking for last minute shopping deals?
Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
16 years, 4 months
VOIP policy
by max
Do current SELinux policies support VoIP (internet telephony)?
Thanks,
Max
16 years, 4 months
SELinux is preventing npviewer.bin (nsplugin_t) "search" to ./pcm (alsa_etc_rw_t)
by Antonio Olivares
What is npviewr?
What does it do?
Setroubleshoot reports that it is causing trouble:
Summary:
SELinux is preventing npviewer.bin (nsplugin_t)
"search" to ./pcm
(alsa_etc_rw_t).
Detailed Description:
SELinux denied access requested by npviewer.bin. It is
not expected that this
access is required by npviewer.bin and this access may
signal an intrusion
attempt. It is also possible that the specific version
or configuration of the
application is causing it to require additional
access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials.
You could try to restore
the default system file context for ./pcm,
restorecon -v './pcm'
If this does not work, there is currently no automatic
way to allow this access.
Instead, you can generate a local policy module to
allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux
protection is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
unconfined_u:unconfined_r:nsplugin_t:SystemLow-
SystemHigh
Target Context
system_u:object_r:alsa_etc_rw_t
Target Objects ./pcm [ dir ]
Source npviewer.bin
Source Path
/usr/lib/nspluginwrapper/npviewer.bin
Port <Unknown>
Host localhost
Source RPM Packages
nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost
Platform Linux localhost
2.6.25-0.65.rc2.git7.fc9 #1 SMP
Sat Feb 23 23:06:09 EST
2008 i686 athlon
Alert Count 1
First Seen Tue 26 Feb 2008 03:24:34
PM CST
Last Seen Tue 26 Feb 2008 03:24:34
PM CST
Local ID
21b2a4d1-ec93-4670-a34e-841d82827177
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204061074.835:111):
avc: denied { search } for pid=20571
comm="npviewer.bin" name="pcm" dev=dm-0 ino=28344759
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=dir
host=localhost type=SYSCALL
msg=audit(1204061074.835:111): arch=40000003 syscall=5
success=no exit=-13 a0=906d258 a1=0 a2=1b6 a3=0
items=0 ppid=20512 pid=20571 auid=500 uid=500 gid=500
euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=1 comm="npviewer.bin"
exe="/usr/lib/nspluginwrapper/npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
key=(null)
Regards,
Antonio
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
16 years, 4 months
Polyinstantiation that allows group access
by Forrest Taylor
Is there any way to allow polyinstantiation to give the same view to a
number of users? For example, I want to give users in the adm group
access to the same shared /tmp (really /tmp-adm) directory, users in the
wheel group access to a different shared /tmp (really /tmp-wheel), and
all other users access to their own individual /tmp. Is this possible?
Of course, the more I think about this, the more I see reasons not to do
it such as conflicts--what if a user were in the adm and wheel groups?
For a single group, I can see excluding them from the polyinstantiated
directory entirely, but with several groups I cannot think of a way to
safely do this. Thoughts?
Thanks,
Forrest
16 years, 4 months
User web pages in the strict policy
by Forrest Taylor
I am using RHEL5.1 with selinux-policy-strict-2.4.6-106.el5_1.3.
Users in user_r or staff_r cannot see the public_html directory nor it's
content using the strict policy. The public_html directory gets
httpd_user_content_t or httpd_staff_content_t. I was expecting to be
able to view my own content, but I cannot. `ls -Z` shows that I cannot
view the permission or context. Is this expected behavior? If so, what
is the logic behind it?
Thanks,
Forrest
1.
16 years, 4 months
Changing policies, using enforcing=0 the first time
by Forrest Taylor
I am running into a strange occurrence running RHEL5.1 with an updated
policy (2.4.6-106.el5_1.3). By default, it runs the targeted policy. I
install the mls and the strict policy and touch /.autorelabel. The
first time that I boot to one of these other policies, I get a kernel
panic, and I have to use enforcing=0. The strange thing is that I can
then go back and forth between any policy without setting permissive
mode--that is, I only have to set enforcing=0 the first time that I make
a policy change, but subsequent times it is not required. Does fixfiles
change something the first time that allows the relabel to work
subsequent times in enforcing mode? Any thoughts?
Thanks,
Forrest
16 years, 4 months
excessively verbose policy
by Bill Nottingham
I was writing policy today, and I couldn't help notice a lot of
repetitiveness in our policy:
libs_use_ld_so(...)
libs_use_shared_libs(...)
These are needed by, well, everything. Can't they be assumed-unless-denied?
Similarly, 99% of confined apps need:
miscfiles_read_localization()
files_read_etc_files(.)
pipes & stream sockets
Is there a way to streamline policy so there is a lot less
repetition?
Bill
16 years, 4 months
SELinux is preventing plugin-config from making the program stack executable/seamonkey
by Antonio Olivares
Dear all,
I have changed the stack to allow firefox to use the
stack, then I reverted. I read Jim's exchange with
Mr. Dan Walsh and there it was mentioned about
nspluginwrapper. I installed it and I see the
following every time I start firefox/seamonkey.
I have avoided to do anything because I am not sure
what to do. One side of me tells me to do what
setroubleshoot tells me, the other tells me to ask for
advice as to which is the best way to proceed and fix
this issue(s) for good. I leave it in the hands of
the people that know best and follow your guidance
carefully.
TIA,
Antonio
Summary:
SELinux is preventing plugin-config from making the
program stack executable.
Detailed Description:
The plugin-config application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If plugin-config does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
plugin-config to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'" You must
also change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'"
Fix Command:
chcon -t unconfined_execmem_exec_t
'/usr/lib/nspluginwrapper/plugin-config'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages
nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.25-0.65.rc2.git7.fc9 #1 SMP
Sat Feb 23 23:06:09 EST
2008 i686 athlon
Alert Count 133
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Tue 26 Feb 2008 06:55:45
AM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204030545.936:22):
avc: denied { execstack } for pid=2959
comm="plugin-config"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1204030545.936:22): arch=40000003
syscall=125 success=no exit=-13 a0=bfbc9000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2957 pid=2959
auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0
egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="plugin-config"
exe="/usr/lib/nspluginwrapper/plugin-config"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
**** end of nspluginwrapper ******
**** start of seamonkey setroubleshoot message ***
Summary:
SELinux is preventing seamonkey-bin from making the
program stack executable.
Detailed Description:
The seamonkey-bin application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If seamonkey-bin does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
seamonkey-bin to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'" You must
also change the default file
context files on the system in order to preserve them
even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'"
Fix Command:
chcon -t unconfined_execmem_exec_t
'/usr/lib/seamonkey-1.1.8/seamonkey-bin'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source firefox
Source Path
/usr/lib/firefox-3.0b3pre/firefox
Port <Unknown>
Host localhost
Source RPM Packages seamonkey-1.1.8-4.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost
Platform Linux localhost
2.6.25-0.65.rc2.git7.fc9 #1 SMP
Sat Feb 23 23:06:09 EST
2008 i686 athlon
Alert Count 135
First Seen Fri 01 Feb 2008 05:08:54
PM CST
Last Seen Tue 26 Feb 2008 07:24:52
AM CST
Local ID
c4806f30-a6dc-43b0-8901-5531075795f7
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204032292.58:34):
avc: denied { execstack } for pid=4524
comm="seamonkey-bin"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost type=SYSCALL
msg=audit(1204032292.58:34): arch=40000003 syscall=125
success=no exit=-13 a0=bfa5e000 a1=1000 a2=1000007
a3=fffff000 items=0 ppid=1 pid=4524 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=1 comm="seamonkey-bin"
exe="/usr/lib/seamonkey-1.1.8/seamonkey-bin"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
***** end of seamonkey *****
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
16 years, 4 months
SA problem, selinux seems to be killing spamassassin
by Gene Heskett
Greetings;
I get home tonight with the spam going wild, so I restart spamassassin, and
get another copy of this:
Summary:
SELinux is preventing spamd(/usr/bin/perl) (spamd_t) "kill" to <Unknown>
(spamd_t).
Detailed Description:
SELinux denied access requested by spamd(/usr/bin/perl). It is not expected
that
this access is required by spamd(/usr/bin/perl) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:spamd_t:s0
Target Context system_u:system_r:spamd_t:s0
Target Objects None [ capability ]
Source spamd(/usr/bin/perl)
Port <Unknown>
Host coyote.coyote.den
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.0.8-84.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name coyote.coyote.den
Platform Linux coyote.coyote.den 2.6.24 #1 SMP PREEMPT
Sun
Feb 10 20:51:31 EST 2008 i686 athlon
Alert Count 10
First Seen Wed 20 Feb 2008 09:36:02 PM EST
Last Seen Mon 25 Feb 2008 10:51:32 PM EST
Local ID 6d119b1a-2693-43cf-b27b-f4c2d8339623
Line Numbers
Raw Audit Messages
host=coyote.coyote.den type=AVC msg=audit(1203997892.182:2127): avc: denied
{ kill } for pid=5699 comm="spamd" capability=5
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0
tclass=capability
host=coyote.coyote.den type=SYSCALL msg=audit(1203997892.182:2127):
arch=40000003 syscall=37 success=no exit=-1 a0=3f42 a1=2 a2=4af5f5cc
a3=80775a8 items=0 ppid=1 pid=5699 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="spamd" exe="/usr/bin/perl"
subj=system_u:system_r:spamd_t:s0 key=(null)
=====================
So there's the bug report. What can I do?
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"Hi, I'm Professor Alan Ginsburg... But you can call me... Captain Toke."
-- John Lovitz, as ex-Supreme Court nominee Alan Ginsburg, on SNL
16 years, 4 months
