Old 04-11-2008, 03:15 PM
Chuck Anderson
 
AVC everytime I launch a tab in firefox from gnome-terminal

Every time I launch a tab from a URL in gnome-terminal, I get this
AVC:

Hmm why is this program set-uid root?

>ls -l /usr/lib/nspluginwrapper/plugin-config
-rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*


Summary:

SELinux is preventing plugin-config (nsplugin_config_t) "execstack" to <Unknown>
(nsplugin_config_t).

Detailed Description:

SELinux denied access requested by plugin-config. It is not expected that this
access is required by plugin-config and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          dustpuppy.wpi.edu
Source RPM Packages           nspluginwrapper-0.9.91.5-26.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-31.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dustpuppy.wpi.edu
Platform                      Linux dustpuppy.wpi.edu 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   14
First Seen                    Tue 08 Apr 2008 03:07:02 PM EDT
Last Seen                     Fri 11 Apr 2008 11:02:14 AM EDT
Local ID                      3be91387-8d68-4700-868a-cc02880ae589
Line Numbers

Raw Audit Messages

host=dustpuppy.wpi.edu type=AVC msg=audit(1207926134.511:4168): avc: denied { execstack } for pid=30324 comm="plugin-config" scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tclass=process

host=dustpuppy.wpi.edu type=SYSCALL msg=audit(1207926134.511:4168): arch=40000003 syscall=125 success=no exit=-13 a0=bff95000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=30322 pid=30324 auid=10002 uid=10002 gid=10002 euid=0 suid=0 fsuid=0 egid=10002 sgid=10002 fsgid=10002 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
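Added example, not part of the original posts: a decoder for the SYSCALL record in the message above, showing that the denied call is an i386 `mprotect()` requesting an executable, grows-down (stack) mapping while the process runs with euid 0 on behalf of uid 10002. The function names and the small syscall and `PROT_*` tables are assumptions of this sketch; the sample record is the one posted above with the extraction space in `subj=` removed.

```python
import errno
import re

# Constructed sample: the SYSCALL record from the post (host= prefix dropped).
SYSCALL_RECORD = (
    'type=SYSCALL msg=audit(1207926134.511:4168): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=bff95000 a1=1000 a2=1000007 a3=fffff000 items=0 '
    'ppid=30322 pid=30324 auid=10002 uid=10002 gid=10002 euid=0 suid=0 '
    'fsuid=0 egid=10002 sgid=10002 fsgid=10002 tty=(none) ses=1 '
    'comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" '
    'subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)'
)

AUDIT_ARCH_I386 = 0x40000003
# i386 syscall numbers that can trigger executable-memory checks.
I386_SYSCALLS = {90: "mmap", 125: "mprotect", 192: "mmap2"}
# Protection bits from the Linux <sys/mman.h> headers.
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]


def parse_fields(record):
    """Split an audit record into a key -> value dict, stripping quotes."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}


def decode_mprotect(record):
    """Decode an i386 mprotect SYSCALL record into readable fields."""
    f = parse_fields(record)
    if int(f["arch"], 16) != AUDIT_ARCH_I386:
        raise ValueError("syscall table here only covers i386")
    if I386_SYSCALLS.get(int(f["syscall"])) != "mprotect":
        raise ValueError("not an mprotect record")
    prot = int(f["a2"], 16)  # audit logs syscall arguments in hex
    flags = [name for bit, name in PROT_BITS if prot & bit]
    return {
        "exe": f["exe"],
        "addr": int(f["a0"], 16),
        "length": int(f["a1"], 16),
        "prot": flags,
        "errno": errno.errorcode[-int(f["exit"])],
        # Real uid is an ordinary user but effective uid is root.
        "setuid_root": f["euid"] == "0" and f["uid"] != "0",
        # PROT_EXEC combined with PROT_GROWSDOWN targets a stack mapping.
        "stack_exec_request": {"PROT_EXEC", "PROT_GROWSDOWN"} <= set(flags),
    }


if __name__ == "__main__":
    for key, value in decode_mprotect(SYSCALL_RECORD).items():
        print(f"{key:20} {value}")
```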
 
Old 04-11-2008, 03:25 PM
Chuck Anderson
 
AVC everytime I launch a tab in firefox from gnome-terminal

On Fri, Apr 11, 2008 at 11:15:09AM -0400, Chuck Anderson wrote:
> Every time I launch a tab from a URL in gnome-terminal, I get this
> AVC:
>
> Hmm why is this program set-uid root?
>
> >ls -l /usr/lib/nspluginwrapper/plugin-config
> -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
>
> host=dustpuppy.wpi.edu type=AVC msg=audit(1207926134.511:4168): avc:
> denied { execstack } for pid=30324 comm="plugin-config"
> scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
> tclass=process

I opened a bug on nspluginwrapper to get some questions answered:

https://bugzilla.redhat.com/show_bug.cgi?id=442065

 
Old 04-14-2008, 07:37 PM
Daniel J Walsh
 
AVC everytime I launch a tab in firefox from gnome-terminal


Chuck Anderson wrote:
> On Fri, Apr 11, 2008 at 11:15:09AM -0400, Chuck Anderson wrote:
>> Every time I launch a tab from a URL in gnome-terminal, I get this
>> AVC:
>>
>> Hmm why is this program set-uid root?
>>
>>> ls -l /usr/lib/nspluginwrapper/plugin-config
>> -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
>>
>> host=dustpuppy.wpi.edu type=AVC msg=audit(1207926134.511:4168): avc:
>> denied { execstack } for pid=30324 comm="plugin-config"
>> scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
>> tclass=process
>
> I opened a bug on nspluginwrapper to get some questions answered:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=442065
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This is probably caused by some evil/badly written plugin.

If you turn on the allow_nsplugin_execmem boolean, the app should work.

setsebool -P allow_nsplugin_execmem=1
