FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 12-15-2007, 06:48 AM
"Deepak Shrestha"
 
Default SElinux - AVC Denial Messages... what is it???

Hi

I am getting the AVC Denial message from SELinux everytime I use any
piece of program. These are some:

===================================
Summary
SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from
changing the access protection of memory on the heap.
------------------------------
Allowing Access
If you want /usr/lib/openoffice.org/program/scalc.bin to continue, you
must turn on the allow_execheap boolean. Note: This boolean will
affect all applications on the system.The following command will allow
this access:setsebool -P allow_execheap=1
===================================
Summary
SELinux is preventing /usr/lib/firefox-2.0.0.8/firefox-bin from
loading /usr/lib/firefox-2.0.0.8/plugins/nppdf.so which requires text
relocation.
---------------------------------
Allowing Access
If you trust /usr/lib/firefox-2.0.0.8/plugins/nppdf.so to run
correctly, you can change the file context to textrel_shlib_t. "chcon
-t textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so" You must
also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t
textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so"The
following command will allow this access:chcon -t textrel_shlib_t
/usr/lib/firefox-2.0.0.8/plugins/nppdf.so
===================================
Summary
SELinux is preventing /usr/bin/konqueror from changing the access
protection of memory on the heap.
--------------------------------
Allowing Access
If you want /usr/bin/konqueror to continue, you must turn on the
allow_execheap boolean. Note: This boolean will affect all
applications on the system.The following command will allow this
access:setsebool -P allow_execheap=1
==================================

So what are all these messages?? and should I allow this action as suggested???

Thanks

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 12-15-2007, 08:52 AM
"Tod Merley"
 
Default SElinux - AVC Denial Messages... what is it???

On Dec 14, 2007 11:48 PM, Deepak Shrestha <d88pak@gmail.com> wrote:
> Hi
>
> I am getting the AVC Denial message from SELinux everytime I use any
> piece of program. These are some:
>
> ===================================
> Summary
> SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from
> changing the access protection of memory on the heap.
> ------------------------------
> Allowing Access
> If you want /usr/lib/openoffice.org/program/scalc.bin to continue, you
> must turn on the allow_execheap boolean. Note: This boolean will
> affect all applications on the system.The following command will allow
> this access:setsebool -P allow_execheap=1
> ===================================
> Summary
> SELinux is preventing /usr/lib/firefox-2.0.0.8/firefox-bin from
> loading /usr/lib/firefox-2.0.0.8/plugins/nppdf.so which requires text
> relocation.
> ---------------------------------
> Allowing Access
> If you trust /usr/lib/firefox-2.0.0.8/plugins/nppdf.so to run
> correctly, you can change the file context to textrel_shlib_t. "chcon
> -t textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so" You must
> also change the default file context files on the system in order to
> preserve them even on a full relabel. "semanage fcontext -a -t
> textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so"The
> following command will allow this access:chcon -t textrel_shlib_t
> /usr/lib/firefox-2.0.0.8/plugins/nppdf.so
> ===================================
> Summary
> SELinux is preventing /usr/bin/konqueror from changing the access
> protection of memory on the heap.
> --------------------------------
> Allowing Access
> If you want /usr/bin/konqueror to continue, you must turn on the
> allow_execheap boolean. Note: This boolean will affect all
> applications on the system.The following command will allow this
> access:setsebool -P allow_execheap=1
> ==================================
>
> So what are all these messages?? and should I allow this action as suggested???
>
> Thanks
>
> --
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

Hi Deepak Shrestha!

SELinux (selinux - NSA Security-Enhanced Linux - see: man selinux)
creates a more secure computing environment by making it harder to
mis-use the environment (use it as a hacker would).

I would ask myself some questions:

Am I able to do all of the things I want to with the program?

If so, I would recommend that you do nothing except consider
implementing any updates that may come along and hopefully make false
denials less common. I do see SELinux denials on my machine but they
are not preventing me from doing anything that I want to do so I would
rather have a bit extra protection than a flag free life. I also have
the "plugins/nppdf.so" denial which is apparently tied to Adobe
reader. The denial flag pops whenever I tell Firefox to read a PDF,
but, Adobe Reader comes up fine in Firefox anyway. So I am happy.

Do I know where the software comes from mentioned in the denial, and
what it is trying to do?

You may be catching a hacker in the act, hopefully preventing him from
controlling your machine or otherwise causing harm. Take part of the
denial (such as the "plugins/nppdf.so" I mentioned from above) and
Google it. Often you will find others dealing with the same issue and
be able to find out if what you have is a problem or simply an
inconvenience.

For myself I am happy to leave things as they are if they work, and
hope they will work better in the future.

Have Fun!

Tod

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 12-15-2007, 09:34 AM
"Deepak Shrestha"
 
Default SElinux - AVC Denial Messages... what is it???

> For myself I am happy to leave things as they are if they work, and
> hope they will work better in the future.
>

Thanks a lot! :-)

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 

Thread Tools




All times are GMT. The time now is 09:33 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org