--- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antonio Olivares wrote:
> > Dear all,
> >
> > Upon applying today's updates rawhide report 20080205, and the failed
> > update/conflicts
> >
> > \begin{QUOTE}
> > xorg-x11-xinit-1.0.7-3.fc9.i386 from development has depsolving problems
> >   --> xorg-x11-xinit-1.0.7-3.fc9.i386 (development) conflicts with dbus < 1.1.4-3.fc9
> > Error: xorg-x11-xinit-1.0.7-3.fc9.i386 (development) conflicts with dbus < 1.1.4-3.fc9
> > \end{QUOTE}
> >
> > I get two denials from selinux
> >
> > Summary:
> >
> > SELinux is preventing nspluginscan from making the program stack executable.
> >
> > Detailed Description:
> >
> > The nspluginscan application attempted to make its stack executable. This is a
> > potential security problem. This should never ever be necessary. Stack memory is
> > not executable on most OSes these days and this will not change. Executable
> > stack memory is one of the biggest security problems. An execstack error might
> > in fact be most likely raised by malicious code. Applications are sometimes
> > coded incorrectly and request this permission. The SELinux Memory Protection
> > Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> > to remove this requirement. If nspluginscan does not work and you need it to
> > work, you can configure SELinux temporarily to allow this access until the
> > application is fixed. Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> >
> > Allowing Access:
> >
> > Sometimes a library is accidentally marked with the execstack flag, if you find
> > a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> > Then retry your application. If the app continues to not work, you can turn the
> > flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
> > nspluginscan to run correctly, you can change the context of the executable to
> > unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> > '/usr/bin/nspluginscan'" You must also change the default file context files on
> > the system in order to preserve them even on a full relabel. "semanage fcontext
> > -a -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'"
> >
> > The following command will allow this access:
> >
> > chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'
> >
> > Additional Information:
> >
> > Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> > Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> > Target Objects                None [ process ]
> > Source                        nspluginscan
> > Source Path                   /usr/bin/nspluginscan
> > Port                          <Unknown>
> > Host                          localhost.localdomain
> > Source RPM Packages           kdebase-4.0.1-3.fc9
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.2.6-5.fc9
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   allow_execstack
> > Host Name                     localhost.localdomain
> > Platform                      Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP
> >                               Mon Feb 4 19:02:27 EST 2008 i686 i686
> > Alert Count                   2
> > First Seen                    Tue 05 Feb 2008 07:13:02 AM CST
> > Last Seen                     Tue 05 Feb 2008 07:41:42 PM CST
> > Local ID                      7afb3a36-5b69-486c-a93b-02e714040250
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=localhost.localdomain type=AVC msg=audit(1202262102.930:20): avc: denied { execstack } for pid=2866 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> >
> > host=localhost.localdomain type=SYSCALL msg=audit(1202262102.930:20): arch=40000003 syscall=125 success=no exit=-13 a0=bfce4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="nspluginscan" exe="/usr/bin/nspluginscan" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >
> >
> > Summary:
> >
> > SELinux is preventing the 00-netreport (NetworkManager_t) from executing ./init.
> >
> > Detailed Description:
> >
> > SELinux has denied the 00-netreport from executing ./init. If 00-netreport is
> > supposed to be able to execute ./init, this could be a labeling problem. Most
> > confined domains are allowed to execute files labeled bin_t. So you could change
> > the labeling on this file to bin_t and retry the application. If this
> > 00-netreport is not supposed to execute ./init, this could signal an intrusion
> > attempt.
> >
> > Allowing Access:
> >
> > If you want to allow 00-netreport to execute ./init: chcon -t bin_t './init' If
> > this fix works, please update the file context on disk, with the following
> > command: semanage fcontext -a -t bin_t './init' Please specify the full path to
> > the executable. Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
> > to make sure this becomes the default labeling.
> >
> > Additional Information:
> >
> > Source Context                system_u:system_r:NetworkManager_t

=== message truncated ===

Bug filed against nspluginwrapper since there is no nspluginscan:
https://bugzilla.redhat.com/show_bug.cgi?id=431708

Thanks,

Antonio

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
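Editor's worked example for the execstack denial quoted in this thread. This is added code, not part of the original message, of setroubleshoot or of the execstack tool. It takes the two raw audit records from the report (re-joined to one record per line, as constructed sample input), pairs the AVC record with its SYSCALL record by audit event id, and decodes what nspluginscan actually asked the kernel for: on arch=40000003 (AUDIT_ARCH_I386) syscall 125 is mprotect(), and a2=1000007 is PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, i.e. a request to make the stack mapping executable, which is exactly what the execstack permission mediates. The second half checks the flag the report's "execstack -c / -s" advice toggles by reading the PT_GNU_STACK program header of an ELF image; build_minimal_elf64() is a constructed fixture (a header-only x86-64 ELF), not a real binary from the system.

```python
import re
import struct

# Constructed sample input: the AVC and SYSCALL records from the report above.
SAMPLE_AVC = (
    'host=localhost.localdomain type=AVC msg=audit(1202262102.930:20): '
    'avc: denied { execstack } for pid=2866 comm="nspluginscan" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process')
SAMPLE_SYSCALL = (
    'host=localhost.localdomain type=SYSCALL msg=audit(1202262102.930:20): '
    'arch=40000003 syscall=125 success=no exit=-13 a0=bfce4000 a1=1000 '
    'a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866 auid=500 uid=500 '
    'gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
    'tty=(none) comm="nspluginscan" exe="/usr/bin/nspluginscan" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)')

# Linux mprotect() protection bits. PROT_GROWSDOWN is only valid on the stack
# mapping; PROT_EXEC together with it is how a process makes its stack executable.
PROT_BITS = ((0x1, 'PROT_READ'), (0x2, 'PROT_WRITE'), (0x4, 'PROT_EXEC'),
             (0x01000000, 'PROT_GROWSDOWN'))
AUDIT_ARCH_I386 = 0x40000003   # EM_386 | __AUDIT_ARCH_LE, the arch=40000003 above
NR_MPROTECT_I386 = 125         # i386 syscall number of mprotect()

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r'denied\s*\{\s*([^}]*)\}')


def parse_record(line):
    """Split one audit record into its key=value fields; an AVC record also
    gets a 'perms' list holding the denied permissions."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _DENIED.search(line)
    if m:
        fields['perms'] = m.group(1).split()
    return fields


def explain_execstack(avc_line, syscall_line):
    """Pair an AVC execstack denial with its SYSCALL record and report what
    the process asked for. Returns None unless both records belong to the
    same audit event and the AVC is an execstack denial."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc.get('type') != 'AVC' or 'execstack' not in avc.get('perms', []):
        return None
    if sc.get('type') != 'SYSCALL' or avc.get('msg') != sc.get('msg'):
        return None
    arch, nr, prot = int(sc['arch'], 16), int(sc['syscall']), int(sc['a2'], 16)
    is_mprotect = arch == AUDIT_ARCH_I386 and nr == NR_MPROTECT_I386
    return {
        'pid': int(avc['pid']), 'comm': avc['comm'], 'exe': sc.get('exe'),
        'scontext': avc['scontext'], 'tclass': avc['tclass'],
        'syscall': 'mprotect' if is_mprotect else 'nr%d' % nr,
        'addr': int(sc['a0'], 16), 'len': int(sc['a1'], 16),
        'prot': [name for bit, name in PROT_BITS if prot & bit],
        'errno': -int(sc['exit']),   # exit=-13 is EACCES, the denial seen by the caller
        # PROT_EXEC on the PROT_GROWSDOWN (stack) mapping is the execstack request.
        'stack_made_executable': bool(prot & 0x4) and bool(prot & 0x01000000),
    }


# The flag that "execstack -c / -s" toggles is the PF_X bit of the
# PT_GNU_STACK program header; an executable with no such header at all is
# treated by the loader as needing an executable stack, so None is not "safe".
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def gnu_stack_executable(elf):
    """True/False for PT_GNU_STACK's PF_X bit, None if the header is absent
    (the X / - / ? columns that `execstack -q` prints)."""
    if elf[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    is64, end = elf[4] == 2, ('<' if elf[5] == 1 else '>')
    if is64:   # Elf64_Ehdr: e_phoff at 32, e_phentsize/e_phnum at 54; p_flags at +4
        phoff, = struct.unpack_from(end + 'Q', elf, 32)
        phentsize, phnum = struct.unpack_from(end + 'HH', elf, 54)
        flags_off = 4
    else:      # Elf32_Ehdr: e_phoff at 28, e_phentsize/e_phnum at 42; p_flags at +24
        phoff, = struct.unpack_from(end + 'I', elf, 28)
        phentsize, phnum = struct.unpack_from(end + 'HH', elf, 42)
        flags_off = 24
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + 'I', elf, off)
        p_flags, = struct.unpack_from(end + 'I', elf, off + flags_off)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def build_minimal_elf64(stack_flags):
    """Constructed test fixture: a header-only little-endian x86-64 ELF whose
    single program header is PT_GNU_STACK with the given p_flags."""
    ehdr = b'\x7fELF' + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr += struct.pack('<HHIQQQIHHHHHH', 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack('<IIQQQQQQ', PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr
```

On a real system you would feed gnu_stack_executable() the bytes of /usr/bin/nspluginscan and of every library it loads (ldd output); the one that reports True is the one the report's "execstack -c LIBRARY_PATH" advice is aimed at, and clearing that bit is the fix to prefer over relabeling the binary to unconfined_execmem_exec_t, which turns off the check for the whole process.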