Hi,

I enabled SELinux for the first time and I got a lot of execstack denials when starting applications providing audio output (so far I got it with listen, rhythmbox, totem and gxine). I have a new clean install from the latest rawhide live (plus some additional applications). Are these worth filing bugs or are they false positives? I attach the output from this denial for the listen music player. I didn't do any actions to fix these denials and the applications seem to work OK. I have the SELinux policy set to enforcing. If you need more info, ask.

Not sure whether this is for the test or devel list, so CC-ing devel.

Thanks,
Martin
Summary
    SELinux is preventing python from making the program stack executable.

Detailed Description
    The python application attempted to make its stack executable. This is a
    potential security problem. This should never ever be necessary. Stack
    memory is not executable on most OSes these days and this will not change.
    Executable stack memory is one of the biggest security problems. An
    execstack error might in fact be most likely raised by malicious code.
    Applications are sometimes coded incorrectly and request this permission.
    The web page http://people.redhat.com/drepper/selinux-mem.html explains how
    to remove this requirement. If python does not work and you need it to
    work, you can configure SELinux temporarily to allow this access until the
    application is fixed. Please file a bug report
    (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag; if you
    find a library with this flag you can clear it with
    "execstack -c LIBRARY_PATH". Then retry your application. If the app
    continues to not work, you can turn the flag back on with
    "execstack -s LIBRARY_PATH". Otherwise, if you trust python to run
    correctly, you can change the context of the executable to
    unconfined_execmem_exec_t:
    "chcon -t unconfined_execmem_exec_t python"
    You must also change the default file context files on the system in order
    to preserve them even on a full relabel:
    "semanage fcontext -a -t unconfined_execmem_exec_t python"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t python

Additional Information

Source Context                system_u:system_r:unconfined_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                None [ process ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-13.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23-0.202.rc8.fc8 #1 SMP
                              Mon Sep 24 22:09:05 EDT 2007 i686 i686
Alert Count                   49
First Seen                    Thu 27 Sep 2007 11:53:37 PM CEST
Last Seen                     Sat 29 Sep 2007 01:18:14 PM CEST
Local ID                      aeae736e-4900-4bc7-bea4-c67c7b4f5edf
Line Numbers

Raw Audit Messages

avc: denied { execstack } for comm=python egid=500 euid=500 exe=/usr/bin/python exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=6478 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
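The setroubleshoot text above says to look for a library that is "accidentally marked with the execstack flag" and clear it with execstack -c, but it does not say what that flag is. It is the PF_X bit in the ELF PT_GNU_STACK program header: the dynamic loader asks for an executable stack (the execstack AVC) as soon as any loaded object has it set, which is why a single mis-linked plugin, typically one built from hand-written assembly without a .note.GNU-stack section, makes a Python player trip the denial. The following Python script is an added example written for this page, not code from the post or from the execstack tool or the setroubleshoot plugin. It parses ELF32/ELF64 program headers directly so it runs without readelf or execstack installed, reports the same X / - / ? status as execstack -q, and rewrites the flag the way execstack -c does. The build_minimal_elf64 helper is a constructed sample input (a header plus one program header, not a loadable binary) used only to exercise the functions; the x86 default-to-executable behaviour when PT_GNU_STACK is missing is stated from the kernel's ELF loader, not from the post.

```python
"""Inspect and clear the executable-stack flag of an ELF image.

Added example, not part of the mailing-list post and not the execstack tool:
a small re-implementation of what `execstack -q` (query) and `execstack -c`
(clear) do, so it is clear why clearing the flag on a mis-marked library makes
the execstack denial go away. It parses ELF program headers directly and
needs no external tools.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header whose p_flags describe the stack
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def _layout(data):
    """Return (endian, e_phoff, e_phentsize, e_phnum, offset of p_flags inside a Phdr)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:            # ELF64: e_phoff @32, e_phentsize @54, e_phnum @56
        phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        flags_off = 4            # Elf64_Phdr: p_type, p_flags, p_offset, ...
    elif ei_class == 1:          # ELF32: e_phoff @28, e_phentsize @42, e_phnum @44
        phoff = struct.unpack_from(endian + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        flags_off = 24           # Elf32_Phdr: p_flags follows six 4-byte fields
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    return endian, phoff, phentsize, phnum, flags_off


def _gnu_stack_flags_offset(data):
    """File offset of the PT_GNU_STACK p_flags field, or None if the header is absent."""
    endian, phoff, phentsize, phnum, flags_off = _layout(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(endian + "I", data, base)[0] == PT_GNU_STACK:
            return base + flags_off, endian
    return None, endian


def stack_is_executable(data):
    """True/False from PF_X in PT_GNU_STACK; None when there is no PT_GNU_STACK.

    None is not the safe case: on x86 Linux the kernel gives a binary without
    PT_GNU_STACK an executable stack by default, so objects from old toolchains
    trigger the same denial as objects explicitly marked executable.
    """
    off, endian = _gnu_stack_flags_offset(data)
    if off is None:
        return None
    return bool(struct.unpack_from(endian + "I", data, off)[0] & PF_X)


def query_mark(data):
    """One-character status in the style of `execstack -q`: X (exec), - (no), ? (no header)."""
    state = stack_is_executable(data)
    return "?" if state is None else ("X" if state else "-")


def clear_execstack(data):
    """Copy of the image with PF_X removed from PT_GNU_STACK (what `execstack -c` does)."""
    off, endian = _gnu_stack_flags_offset(data)
    if off is None:
        raise ValueError("no PT_GNU_STACK header to clear")
    buf = bytearray(data)
    flags = struct.unpack_from(endian + "I", buf, off)[0]
    struct.pack_into(endian + "I", buf, off, flags & ~PF_X)
    return bytes(buf)


def build_minimal_elf64(stack_flags=None):
    """Constructed sample input (not a loadable binary): a little-endian ELF64
    header followed by one PT_GNU_STACK header carrying stack_flags, or by no
    program headers at all when stack_flags is None."""
    phnum = 0 if stack_flags is None else 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0,      # ET_DYN, EM_X86_64, EV_CURRENT, e_entry
                                 64, 0, 0,         # e_phoff, e_shoff, e_flags
                                 64, 56, phnum,    # e_ehsize, e_phentsize, e_phnum
                                 0, 0, 0)          # e_shentsize, e_shnum, e_shstrndx
    if phnum == 0:
        return ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python execstack_check.py /usr/bin/python /usr/lib/python2.5/site-packages/gst-0.10/gst/_gst.so ...
    # (feed it the paths printed by `ldd` for each loaded module to find the offender)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(query_mark(fh.read()), path)
```

Run it over the interpreter and every shared object the player loads (the paths from ldd, plus the Python extension modules and GStreamer plugins that are dlopen'ed later); the object that prints X is the one to fix or to report against, and it is the library, not /usr/bin/python, that should be in the bug. Relabelling the interpreter as unconfined_execmem_exec_t, as the plugin suggests as a fallback, removes the protection for every Python program on the system, so prefer clearing or rebuilding the single mis-marked library.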