Dear all,
Upon applying todays updates rawhide report 20080205,
and the failed update/conflicts
\begin{QUOTE}
xorg-x11-xinit-1.0.7-3.fc9.i386 from development has
depsolving problems
--> xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
conflicts with dbus < 1.1
.4-3.fc9
Error: xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
conflicts with dbus < 1.
1.4-3.fc9
\end{QUOTE}
I get two denials from selinux
Summary:
SELinux is preventing nspluginscan from making the
program stack executable.
Detailed Description:
The nspluginscan application attempted to make its
stack executable. This is a
potential security problem. This should never ever be
necessary. Stack memory is
not executable on most OSes these days and this will
not change. Executable
stack memory is one of the biggest security problems.
An execstack error might
in fact be most likely raised by malicious code.
Applications are sometimes
coded incorrectly and request this permission. The
SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html)
web page explains how
to remove this requirement. If nspluginscan does not
work and you need it to
work, you can configure SELinux temporarily to allow
this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Allowing Access:
Sometimes a library is accidentally marked with the
execstack flag, if you find
a library with this flag you can clear it with the
execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to
not work, you can turn the
flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust
nspluginscan to run correctly, you can change the
context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/bin/nspluginscan'" You must also change the
default file context files on
the system in order to preserve them even on a full
relabel. "semanage fcontext
-a -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'
Additional Information:
Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Context
unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects None [ process ]
Source nspluginscan
Source Path /usr/bin/nspluginscan
Port <Unknown>
Host localhost.localdomain
Source RPM Packages kdebase-4.0.1-3.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.6-5.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name localhost.localdomain
Platform Linux
localhost.localdomain 2.6.24-17.fc9 #1 SMP
Mon Feb 4 19:02:27 EST
2008 i686 i686
Alert Count 2
First Seen Tue 05 Feb 2008 07:13:02
AM CST
Last Seen Tue 05 Feb 2008 07:41:42
PM CST
Local ID
7afb3a36-5b69-486c-a93b-02e714040250
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC
msg=audit(1202262102.930:20): avc: denied {
execstack } for pid=2866 comm="nspluginscan"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
host=localhost.localdomain type=SYSCALL
msg=audit(1202262102.930:20): arch=40000003
syscall=125 success=no exit=-13 a0=bfce4000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866
auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none)
comm="nspluginscan" exe="/usr/bin/nspluginscan"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)
Summary:
SELinux is preventing the 00-netreport
(NetworkManager_t) from executing ./init.
Detailed Description:
SELinux has denied the 00-netreport from executing
./init. If 00-netreport is
supposed to be able to execute ./init, this could be a
labeling problem. Most
confined domains are allowed to execute files labeled
bin_t. So you could change
the labeling on this file to bin_t and retry the
application. If this
00-netreport is not supposed to execute ./init, this
could signal a intrusion
attempt.
Allowing Access:
If you want to allow 00-netreport to execute ./init:
chcon -t bin_t './init' If
this fix works, please update the file context on
disk, with the following
command: semanage fcontext -a -t bin_t './init' Please
specify the full path to
the executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this selinux-policy
to make sure this becomes the default labeling.
Additional Information:
Source Context
system_u:system_r:NetworkManager_t
Target Context system_u:object_r:etc_t
Target Objects ./init [ file ]
Source 00-netreport
Source Path /bin/bash
Port <Unknown>
Host localhost.localdomain
Source RPM Packages bash-3.2-20.fc9
Target RPM Packages
Policy RPM
selinux-policy-3.2.6-5.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name execute
Host Name localhost.localdomain
Platform Linux
localhost.localdomain 2.6.24-17.fc9 #1 SMP
Mon Feb 4 19:02:27 EST
2008 i686 i686
Alert Count 1
First Seen Tue 05 Feb 2008 07:42:33
PM CST
Last Seen Tue 05 Feb 2008 07:42:33
PM CST
Local ID
9a1f71bd-9256-450a-bc0c-a7ebb115cacb
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC
msg=audit(1202262153.640:107): avc: denied { execute
} for pid=3226 comm="00-netreport" name="init"
dev=dm-0 ino=360497
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL
msg=audit(1202262153.640:107): arch=40000003
syscall=33 success=no exit=-13 a0=9f7a370 a1=1 a2=11
a3=9f7a370 items=0 ppid=2385 pid=3226 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Thanks,
Antonio
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
