Antonio Olivares wrote:
> Dear all,
>
> Upon applying today's updates rawhide report 20080205,
> and the failed update/conflicts
> \begin{QUOTE}
> xorg-x11-xinit-1.0.7-3.fc9.i386 from development has depsolving problems
> --> xorg-x11-xinit-1.0.7-3.fc9.i386 (development) conflicts with dbus < 1.1.4-3.fc9
> Error: xorg-x11-xinit-1.0.7-3.fc9.i386 (development) conflicts with dbus < 1.1.4-3.fc9
> \end{QUOTE}
>
> I get two denials from selinux
>
> Summary:
>
> SELinux is preventing nspluginscan from making the program stack executable.
>
> Detailed Description:
>
> The nspluginscan application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If nspluginscan does not work and you need it to
> work, you can configure SELinux temporarily to allow this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the execstack flag, if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
> nspluginscan to run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t.
> "chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'" You must also change the
> default file context files on the system in order to preserve them even on a full
> relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'"
>
> The following command will allow this access:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        nspluginscan
> Source Path                   /usr/bin/nspluginscan
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           kdebase-4.0.1-3.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.2.6-5.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP Mon Feb 4 19:02:27 EST 2008 i686 i686
> Alert Count                   2
> First Seen                    Tue 05 Feb 2008 07:13:02 AM CST
> Last Seen                     Tue 05 Feb 2008 07:41:42 PM CST
> Local ID                      7afb3a36-5b69-486c-a93b-02e714040250
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1202262102.930:20): avc: denied { execstack } for pid=2866 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> host=localhost.localdomain type=SYSCALL msg=audit(1202262102.930:20): arch=40000003 syscall=125 success=no exit=-13 a0=bfce4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="nspluginscan" exe="/usr/bin/nspluginscan" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux is preventing the 00-netreport (NetworkManager_t) from executing ./init.
>
> Detailed Description:
>
> SELinux has denied the 00-netreport from executing ./init. If 00-netreport is
> supposed to be able to execute ./init, this could be a labeling problem. Most
> confined domains are allowed to execute files labeled bin_t. So you could change
> the labeling on this file to bin_t and retry the application. If this
> 00-netreport is not supposed to execute ./init, this could signal an intrusion
> attempt.
>
> Allowing Access:
>
> If you want to allow 00-netreport to execute ./init: chcon -t bin_t './init' If
> this fix works, please update the file context on disk, with the following
> command: semanage fcontext -a -t bin_t './init' Please specify the full path to
> the executable, Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
> to make sure this becomes the default labeling.
>
> Additional Information:
>
> Source Context                system_u:system_r:NetworkManager_t
> Target Context                system_u:object_r:etc_t
> Target Objects                ./init [ file ]
> Source                        00-netreport
> Source Path                   /bin/bash
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           bash-3.2-20.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.2.6-5.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   execute
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP Mon Feb 4 19:02:27 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Tue 05 Feb 2008 07:42:33 PM CST
> Last Seen                     Tue 05 Feb 2008 07:42:33 PM CST
> Local ID                      9a1f71bd-9256-450a-bc0c-a7ebb115cacb
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1202262153.640:107): avc: denied { execute } for pid=3226 comm="00-netreport" name="init" dev=dm-0 ino=360497 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1202262153.640:107): arch=40000003 syscall=33 success=no exit=-13 a0=9f7a370 a1=1 a2=11 a3=9f7a370 items=0 ppid=2385 pid=3226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
>
>
> Thanks,
>
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The 00-netreport should be fixed in today's update.

nspluginscan requiring execstack should be reported as a bug against nsplugin.
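As an added illustration (not part of the thread), the two raw AVC records above can be triaged mechanically along the lines the setroubleshoot text gives: an `execstack` denial on a process points at a library carrying the executable-stack flag (to be found with `execstack -q` and reported as a bug, rather than relabelling the binary), while an `execute` denial on a file points at a labeling question. The `execstack -q` listing embedded below is constructed; the path `/usr/lib/libexample-plugin.so` is a placeholder, not a file from the page.

```python
import re

# Constructed sample input: the two AVC records quoted in the thread, plus a
# made-up `execstack -q` listing in which one library is flagged 'X'.
AVC_LINES = [
    'type=AVC msg=audit(1202262102.930:20): avc: denied { execstack } for pid=2866 '
    'comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1202262153.640:107): avc: denied { execute } for pid=3226 '
    'comm="00-netreport" name="init" dev=dm-0 ino=360497 '
    'scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]
EXECSTACK_Q = "- /lib/libc.so.6\nX /usr/lib/libexample-plugin.so\n? /usr/lib/not-an-elf.txt\n"

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permission plus key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perm'] = m.group('perm')
    return fields


def type_of(context):
    """user:role:type[:mls] -> type (third colon-separated field)."""
    return context.split(':')[2]


def classify(rec):
    """(category, note) for a denial, following the guidance quoted in the thread."""
    if rec['perm'] == 'execstack' and rec.get('tclass') == 'process':
        return 'bug', (f"{rec['comm']} requested an executable stack; locate the flagged "
                       f"library with execstack -q and file a bug instead of relabelling")
    if rec['perm'] == 'execute' and rec.get('tclass') == 'file':
        return 'label', (f"{type_of(rec['scontext'])} ran {rec.get('name')} labelled "
                         f"{type_of(rec['tcontext'])}; verify the file label before allowing")
    return 'review', rec['perm']


def flagged_libraries(execstack_output):
    """Paths whose ELF header requests an executable stack: execstack -q prints 'X <path>'."""
    return [l.split(' ', 1)[1] for l in execstack_output.splitlines() if l.startswith('X ')]


if __name__ == '__main__':
    for rec in map(parse_avc, AVC_LINES):
        print(classify(rec))
    print(flagged_libraries(EXECSTACK_Q))
```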