FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 02-06-2008, 12:51 AM
Antonio Olivares
 
Default selinux/setroubleshoot reports trouble with nspluginscan, NetworkManager_t

Dear all,

Upon applying todays updates rawhide report 20080205,
and the failed update/conflicts
egin{QUOTE}
xorg-x11-xinit-1.0.7-3.fc9.i386 from development has
depsolving problems
--> xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
conflicts with dbus < 1.1
.4-3.fc9
Error: xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
conflicts with dbus < 1.
1.4-3.fc9
end{QUOTE}

I get two denials from selinux

Summary:

SELinux is preventing nspluginscan from making the
program stack executable.

Detailed Description:

The nspluginscan application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If nspluginscan does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Allowing Access:

Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
nspluginscan to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/bin/nspluginscan'" You must also change the
default file context files on
the system in order to preserve them even on a full
relabel. "semanage fcontext
-a -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'

Additional Information:

Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source nspluginscan
Source Path /usr/bin/nspluginscan
Port <Unknown>
Host localhost.localdomain
Source RPM Packages kdebase-4.0.1-3.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.6-5.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost.localdomain
Platform Linux
localhost.localdomain 2.6.24-17.fc9 #1 SMP
Mon Feb 4 19:02:27 EST
2008 i686 i686
Alert Count 2
First Seen Tue 05 Feb 2008 07:13:02
AM CST
Last Seen Tue 05 Feb 2008 07:41:42
PM CST
Local ID
7afb3a36-5b69-486c-a93b-02e714040250
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC
msg=audit(1202262102.930:20): avc: denied {
execstack } for pid=2866 comm="nspluginscan"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process

host=localhost.localdomain type=SYSCALL
msg=audit(1202262102.930:20): arch=40000003
syscall=125 success=no exit=-13 a0=bfce4000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none)
comm="nspluginscan" exe="/usr/bin/nspluginscan"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)



Summary:

SELinux is preventing the 00-netreport
(NetworkManager_t) from executing ./init.

Detailed Description:

SELinux has denied the 00-netreport from executing
./init. If 00-netreport is
supposed to be able to execute ./init, this could be a
labeling problem. Most
confined domains are allowed to execute files labeled
bin_t. So you could change
the labeling on this file to bin_t and retry the
application. If this
00-netreport is not supposed to execute ./init, this
could signal a intrusion
attempt.

Allowing Access:

If you want to allow 00-netreport to execute ./init:
chcon -t bin_t './init' If
this fix works, please update the file context on
disk, with the following
command: semanage fcontext -a -t bin_t './init' Please
specify the full path to
the executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context
system_u:system_r:NetworkManager_t
Target Context system_ubject_r:etc_t
Target Objects ./init [ file ]
Source 00-netreport
Source Path /bin/bash
Port <Unknown>
Host localhost.localdomain
Source RPM Packages bash-3.2-20.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.6-5.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name execute
Host Name localhost.localdomain
Platform Linux
localhost.localdomain 2.6.24-17.fc9 #1 SMP
Mon Feb 4 19:02:27 EST
2008 i686 i686
Alert Count 1
First Seen Tue 05 Feb 2008 07:42:33
PM CST
Last Seen Tue 05 Feb 2008 07:42:33
PM CST
Local ID
9a1f71bd-9256-450a-bc0c-a7ebb115cacb
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC
msg=audit(1202262153.640:107): avc: denied { execute
} for pid=3226 comm="00-netreport" name="init"
dev=dm-0 ino=360497
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_ubject_r:etc_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL
msg=audit(1202262153.640:107): arch=40000003
syscall=33 success=no exit=-13 a0=9f7a370 a1=1 a2=11
a3=9f7a370 items=0 ppid=2385 pid=3226 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Thanks,


Antonio


__________________________________________________ __________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-06-2008, 01:53 PM
Daniel J Walsh
 
Default selinux/setroubleshoot reports trouble with nspluginscan, NetworkManager_t

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear all,
>
> Upon applying todays updates rawhide report 20080205,
> and the failed update/conflicts
> egin{QUOTE}
> xorg-x11-xinit-1.0.7-3.fc9.i386 from development has
> depsolving problems
> --> xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
> conflicts with dbus < 1.1
> .4-3.fc9
> Error: xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
> conflicts with dbus < 1.
> 1.4-3.fc9
> end{QUOTE}
>
> I get two denials from selinux
>
> Summary:
>
> SELinux is preventing nspluginscan from making the
> program stack executable.
>
> Detailed Description:
>
> The nspluginscan application attempted to make its
> stack executable. This is a
> potential security problem. This should never ever be
> necessary. Stack memory is
> not executable on most OSes these days and this will
> not change. Executable
> stack memory is one of the biggest security problems.
> An execstack error might
> in fact be most likely raised by malicious code.
> Applications are sometimes
> coded incorrectly and request this permission. The
> SELinux Memory Protection
> Tests
> (http://people.redhat.com/drepper/selinux-mem.html)
> web page explains how
> to remove this requirement. If nspluginscan does not
> work and you need it to
> work, you can configure SELinux temporarily to allow
> this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the
> execstack flag, if you find
> a library with this flag you can clear it with the
> execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to
> not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH.
> Otherwise, if you trust
> nspluginscan to run correctly, you can change the
> context of the executable to
> unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t
> '/usr/bin/nspluginscan'" You must also change the
> default file context files on
> the system in order to preserve them even on a full
> relabel. "semanage fcontext
> -a -t unconfined_execmem_exec_t
> '/usr/bin/nspluginscan'"
>
> The following command will allow this access:
>
> chcon -t unconfined_execmem_exec_t
> '/usr/bin/nspluginscan'
>
> Additional Information:
>
> Source Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Context
> unconfined_u:unconfined_r:unconfined_t:SystemLow-
> SystemHigh
> Target Objects None [ process ]
> Source nspluginscan
> Source Path /usr/bin/nspluginscan
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages kdebase-4.0.1-3.fc9
> Target RPM Packages
> Policy RPM
> selinux-policy-3.2.6-5.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name allow_execstack
> Host Name localhost.localdomain
> Platform Linux
> localhost.localdomain 2.6.24-17.fc9 #1 SMP
> Mon Feb 4 19:02:27 EST
> 2008 i686 i686
> Alert Count 2
> First Seen Tue 05 Feb 2008 07:13:02
> AM CST
> Last Seen Tue 05 Feb 2008 07:41:42
> PM CST
> Local ID
> 7afb3a36-5b69-486c-a93b-02e714040250
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC
> msg=audit(1202262102.930:20): avc: denied {
> execstack } for pid=2866 comm="nspluginscan"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=process
>
> host=localhost.localdomain type=SYSCALL
> msg=audit(1202262102.930:20): arch=40000003
> syscall=125 success=no exit=-13 a0=bfce4000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866
> auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none)
> comm="nspluginscan" exe="/usr/bin/nspluginscan"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
>
>
> Summary:
>
> SELinux is preventing the 00-netreport
> (NetworkManager_t) from executing ./init.
>
> Detailed Description:
>
> SELinux has denied the 00-netreport from executing
> ./init. If 00-netreport is
> supposed to be able to execute ./init, this could be a
> labeling problem. Most
> confined domains are allowed to execute files labeled
> bin_t. So you could change
> the labeling on this file to bin_t and retry the
> application. If this
> 00-netreport is not supposed to execute ./init, this
> could signal a intrusion
> attempt.
>
> Allowing Access:
>
> If you want to allow 00-netreport to execute ./init:
> chcon -t bin_t './init' If
> this fix works, please update the file context on
> disk, with the following
> command: semanage fcontext -a -t bin_t './init' Please
> specify the full path to
> the executable, Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this selinux-policy
> to make sure this becomes the default labeling.
>
> Additional Information:
>
> Source Context
> system_u:system_r:NetworkManager_t
> Target Context system_ubject_r:etc_t
> Target Objects ./init [ file ]
> Source 00-netreport
> Source Path /bin/bash
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages bash-3.2-20.fc9
> Target RPM Packages
> Policy RPM
> selinux-policy-3.2.6-5.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name execute
> Host Name localhost.localdomain
> Platform Linux
> localhost.localdomain 2.6.24-17.fc9 #1 SMP
> Mon Feb 4 19:02:27 EST
> 2008 i686 i686
> Alert Count 1
> First Seen Tue 05 Feb 2008 07:42:33
> PM CST
> Last Seen Tue 05 Feb 2008 07:42:33
> PM CST
> Local ID
> 9a1f71bd-9256-450a-bc0c-a7ebb115cacb
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC
> msg=audit(1202262153.640:107): avc: denied { execute
> } for pid=3226 comm="00-netreport" name="init"
> dev=dm-0 ino=360497
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_ubject_r:etc_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL
> msg=audit(1202262153.640:107): arch=40000003
> syscall=33 success=no exit=-13 a0=9f7a370 a1=1 a2=11
> a3=9f7a370 items=0 ppid=2385 pid=3226 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash"
> subj=system_u:system_r:NetworkManager_t:s0 key=(null)
>
>
>
> Thanks,
>
>
> Antonio
>
>
> __________________________________________________ __________________________________
> Never miss a thing. Make Yahoo your home page.
> http://www.yahoo.com/r/hs
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The 00-netreport should be fixed in todays update.

nspluginscan requiring execstack should be reported as a bug against
nsplugin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkepyfMACgkQrlYvE4MpobNrJgCdFPgj+T5Yip VQc4AieQhUjd8R
cTkAn3GU5rVGH+DlT5Sgfjlysnajlx/R
=7p8L
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-06-2008, 03:36 PM
Antonio Olivares
 
Default selinux/setroubleshoot reports trouble with nspluginscan, NetworkManager_t

--- Daniel J Walsh <dwalsh@redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antonio Olivares wrote:
> > Dear all,
> >
> > Upon applying todays updates rawhide report
> 20080205,
> > and the failed update/conflicts
> > egin{QUOTE}
> > xorg-x11-xinit-1.0.7-3.fc9.i386 from development
> has
> > depsolving problems
> > --> xorg-x11-xinit-1.0.7-3.fc9.i386
> (development)
> > conflicts with dbus < 1.1
> > .4-3.fc9
> > Error: xorg-x11-xinit-1.0.7-3.fc9.i386
> (development)
> > conflicts with dbus < 1.
> > 1.4-3.fc9
> > end{QUOTE}
> >
> > I get two denials from selinux
> >
> > Summary:
> >
> > SELinux is preventing nspluginscan from making the
> > program stack executable.
> >
> > Detailed Description:
> >
> > The nspluginscan application attempted to make its
> > stack executable. This is a
> > potential security problem. This should never ever
> be
> > necessary. Stack memory is
> > not executable on most OSes these days and this
> will
> > not change. Executable
> > stack memory is one of the biggest security
> problems.
> > An execstack error might
> > in fact be most likely raised by malicious code.
> > Applications are sometimes
> > coded incorrectly and request this permission. The
> > SELinux Memory Protection
> > Tests
> >
> (http://people.redhat.com/drepper/selinux-mem.html)
> > web page explains how
> > to remove this requirement. If nspluginscan does
> not
> > work and you need it to
> > work, you can configure SELinux temporarily to
> allow
> > this access until the
> > application is fixed. Please file a bug report
> >
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Allowing Access:
> >
> > Sometimes a library is accidentally marked with
> the
> > execstack flag, if you find
> > a library with this flag you can clear it with the
> > execstack -c LIBRARY_PATH.
> > Then retry your application. If the app continues
> to
> > not work, you can turn the
> > flag back on with execstack -s LIBRARY_PATH.
> > Otherwise, if you trust
> > nspluginscan to run correctly, you can change the
> > context of the executable to
> > unconfined_execmem_exec_t. "chcon -t
> > unconfined_execmem_exec_t
> > '/usr/bin/nspluginscan'" You must also change the
> > default file context files on
> > the system in order to preserve them even on a
> full
> > relabel. "semanage fcontext
> > -a -t unconfined_execmem_exec_t
> > '/usr/bin/nspluginscan'"
> >
> > The following command will allow this access:
> >
> > chcon -t unconfined_execmem_exec_t
> > '/usr/bin/nspluginscan'
> >
> > Additional Information:
> >
> > Source Context
> > unconfined_u:unconfined_r:unconfined_t:SystemLow-
> > SystemHigh
> > Target Context
> > unconfined_u:unconfined_r:unconfined_t:SystemLow-
> > SystemHigh
> > Target Objects None [ process ]
> > Source nspluginscan
> > Source Path
> /usr/bin/nspluginscan
> > Port <Unknown>
> > Host
> localhost.localdomain
> > Source RPM Packages kdebase-4.0.1-3.fc9
> > Target RPM Packages
> > Policy RPM
> > selinux-policy-3.2.6-5.fc9
> > Selinux Enabled True
> > Policy Type targeted
> > MLS Enabled True
> > Enforcing Mode Enforcing
> > Plugin Name allow_execstack
> > Host Name
> localhost.localdomain
> > Platform Linux
> > localhost.localdomain 2.6.24-17.fc9 #1 SMP
> > Mon Feb 4 19:02:27
> EST
> > 2008 i686 i686
> > Alert Count 2
> > First Seen Tue 05 Feb 2008
> 07:13:02
> > AM CST
> > Last Seen Tue 05 Feb 2008
> 07:41:42
> > PM CST
> > Local ID
> > 7afb3a36-5b69-486c-a93b-02e714040250
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=localhost.localdomain type=AVC
> > msg=audit(1202262102.930:20): avc: denied {
> > execstack } for pid=2866 comm="nspluginscan"
> >
>
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >
>
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tclass=process
> >
> > host=localhost.localdomain type=SYSCALL
> > msg=audit(1202262102.930:20): arch=40000003
> > syscall=125 success=no exit=-13 a0=bfce4000
> a1=1000
> > a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866
> > auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500
> > egid=500 sgid=500 fsgid=500 tty=(none)
> > comm="nspluginscan" exe="/usr/bin/nspluginscan"
> >
>
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)
> >
> >
> >
> > Summary:
> >
> > SELinux is preventing the 00-netreport
> > (NetworkManager_t) from executing ./init.
> >
> > Detailed Description:
> >
> > SELinux has denied the 00-netreport from executing
> > ./init. If 00-netreport is
> > supposed to be able to execute ./init, this could
> be a
> > labeling problem. Most
> > confined domains are allowed to execute files
> labeled
> > bin_t. So you could change
> > the labeling on this file to bin_t and retry the
> > application. If this
> > 00-netreport is not supposed to execute ./init,
> this
> > could signal a intrusion
> > attempt.
> >
> > Allowing Access:
> >
> > If you want to allow 00-netreport to execute
> ./init:
> > chcon -t bin_t './init' If
> > this fix works, please update the file context on
> > disk, with the following
> > command: semanage fcontext -a -t bin_t './init'
> Please
> > specify the full path to
> > the executable, Please file a bug report
> >
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this selinux-policy
> > to make sure this becomes the default labeling.
> >
> > Additional Information:
> >
> > Source Context
> > system_u:system_r:NetworkManager_t
>
=== message truncated ===

Bug filed against nspluginwrapper since there is no
nspluginscan

https://bugzilla.redhat.com/show_bug.cgi?id=431708

Thanks,

Antonio


__________________________________________________ __________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 10:31 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org