 
Old 08-03-2008, 06:35 PM
Antonio Olivares
 
Default SELinux is preventing nspluginviewer ....

> Dear all,
>
> Now I know why playing Penalty_Fever caused a problem. The
> following is clear evidence
>
>
> Summary:
>
> SELinux is preventing nspluginviewer from changing a writable memory
> segment executable.
>
> Detailed Description:
>
> The nspluginviewer application attempted to change the access
> protection of memory (e.g., allocated using malloc). This is a
> potential security problem. Applications should not be doing this.
> Applications are sometimes coded incorrectly and request this
> permission. The SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains
> how to remove this requirement. If nspluginviewer does not work and
> you need it to work, you can configure SELinux temporarily to allow
> this access until the application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> package.
>
> Allowing Access:
>
> If you trust nspluginviewer to run correctly, you can change the
> context of the executable to unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t '/usr/bin/nspluginviewer'". You must also
> change the default file context files on the system in order to
> preserve them even on a full relabel. "semanage fcontext -a -t
> unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        nspluginviewer
> Source Path                   /usr/bin/nspluginviewer
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           kdebase-4.1.0-1.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.1-4.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmem
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26.1 #1 SMP Sat Aug 2 21:36:01 CDT 2008 i686 i686
> Alert Count                   29
> First Seen                    Sun 03 Aug 2008 12:55:21 PM CDT
> Last Seen                     Sun 03 Aug 2008 12:55:21 PM CDT
> Local ID                      865503d3-baab-4dcd-adc0-47f8fff6ade6
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
> This was an old bug and it returns to bite back
> Is anybody else also encountering this problem?
>
> Regards,
>
> Antonio
>
>
>
>
> --

BTW,

the old bug with nspluginwrapper was here:

https://bugzilla.redhat.com/show_bug.cgi?id=431708

It was closed. It looks a little bit different, now I am not sure if it is related?

Thanks,

Antonio




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
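
The raw audit records quoted in the post above, decoded as an added example that is not part of the original thread: it pairs the AVC and SYSCALL records by event ID and turns the numeric syscall fields into the mprotect() call that was refused. The function names are hypothetical, the records are rejoined from the wrapped quote, and the decoder assumes the i386 syscall table (where 125 is mprotect).

```python
import errno
import re

# The two records quoted in the post, rejoined onto one line each.
AVC = ('host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): '
       'avc: denied { execmem } for pid=3262 comm="nspluginviewer" '
       'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=process')
SYSCALL = ('host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): '
           'arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 '
           'a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 '
           'suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 '
           'comm="nspluginviewer" exe="/usr/bin/nspluginviewer" '
           'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)')

AUDIT_ARCH_I386 = 0x40000003   # EM_386 with the little-endian flag set
I386_MPROTECT = 125            # mprotect(addr, len, prot) in the i386 table
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def fields(record):
    """Split an audit record into key=value pairs, unquoting the values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Return the (timestamp, serial) pair shared by all records of one event."""
    return re.search(r'audit\((\d+\.\d+):(\d+)\)', record).groups()

def decode_denial(avc, syscall):
    """Combine an AVC record and its SYSCALL record into one readable finding."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    if (int(s["arch"], 16), int(s["syscall"])) != (AUDIT_ARCH_I386, I386_MPROTECT):
        raise ValueError("this decoder only handles mprotect on i386")
    prot = int(s["a2"], 16)    # audit logs a0..a3 in hexadecimal
    return {
        "denied": re.search(r'denied\s+\{([^}]*)\}', avc).group(1).split(),
        "domain": a["scontext"].split(":")[2],
        "class": a["tclass"],
        "syscall": "mprotect",
        "address": int(s["a0"], 16),
        "length": int(s["a1"], 16),
        "prot": [name for bit, name in PROT_BITS.items() if prot & bit],
        "error": errno.errorcode[-int(s["exit"])],
    }
```

For the quoted event this shows a process in unconfined_t asking mprotect() to make one 4096-byte page readable and executable, and the kernel returning EACCES.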
 
Old 08-04-2008, 06:32 PM
Daniel J Walsh
 
Default SELinux is preventing nspluginviewer ....

Most likely caused by one of the plugins you are using. You have
multiple choices to fix this, one you could turn on nsplugin confinement

# getsebool -a | grep nsplugin
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on

You should relabel your homedir if you do.

restorecon -R -v ~

Then restart firefox. This would allow a confined nsplugin to execmem
but not all apps run from unconfined_t. I have been running like this
for a long time and have had few problems, although the more people who
run with this mode the better so we can figure out what firefox plugins
want to do.

You can not run the offending plugin.

You can ignore the error if it does not seem to cause the problem.

You can turn on allow_execmem boolean.
 
Old 08-04-2008, 06:39 PM
Antonio Olivares
 
Default SELinux is preventing nspluginviewer ....

> Most likely caused by one of the plugins you are using. You have
> multiple choices to fix this, one you could turn on nsplugin confinement
>
> # getsebool -a | grep nsplugin
> allow_nsplugin_execmem --> on
> allow_unconfined_nsplugin_transition --> on
>
> You should relabel your homedir if you do.
>
> restorecon -R -v ~
>
> Then restart firefox. This would allow a confined nsplugin to execmem
> but not all apps run from unconfined_t. I have been running like this
> for a long time and have had few problems, although the more people who
> run with this mode the better so we can figure out what firefox plugins
> want to do.

I am running konqueror on KDE 4.1 Rawhide. Firefox and Seamonkey are not reliable and I yum removed 'em. I was playing a flash game and it was working nicely, but then I got to the next level and CPU went up to 100% and crashed. I can try the suggestions, but I am not sure that konqueror behaves like firefox with the plugins.
>
> You can not run the offending plugin.
>
> You can ignore the error if it does not seem to cause the
> problem.
>
> You can turn on allow_execmem boolean.

I'll take a look into that.

Regards,

Antonio




