Antonio Olivares wrote:
> Dear all,
>
> I got a setroubleshoot popup on the laptop. I am attaching them here:
>
> Advice/suggestions/comments greatly appreciated.
>
> TIA,
>
> Antonio
>
>
> Summary:
>
> SELinux is preventing nspluginscan from making the program stack executable.
>
> Detailed Description:
>
> The nspluginscan application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If nspluginscan does not work and you need it to
> work, you can configure SELinux temporarily to allow this access until the
> application is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the execstack flag; if you find
> a library with this flag you can clear it with execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
> nspluginscan to run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t: "chcon -t unconfined_execmem_exec_t
> '/usr/bin/nspluginscan'". You must also change the default file context files on
> the system in order to preserve them even on a full relabel: "semanage fcontext
> -a -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Source                        nspluginscan
> Source Path                   /usr/bin/nspluginscan
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           kdebase-4.0.3-9.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18 19:05:03 EDT 2008 i686 i686
> Alert Count                   11
> First Seen                    Tue 05 Feb 2008 07:13:02 AM CST
> Last Seen                     Wed 21 May 2008 08:23:12 AM CDT
> Local ID                      7afb3a36-5b69-486c-a93b-02e714040250
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1211376192.783:89): avc: denied { execstack } for pid=3177 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> host=localhost.localdomain type=SYSCALL msg=audit(1211376192.783:89): arch=40000003 syscall=125 success=no exit=-13 a0=bfeee000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3166 pid=3177 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginscan" exe="/usr/bin/nspluginscan" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>

Your choice here is to first report a bug to whoever supplies the plugin.
Then you can either do as setroubleshoot tells you and turn on the allow_execstack boolean, or you can confine nsplugin using allow_unconfined_nsplugin_transition. If you turn on nsplugin confinement you probably need to relabel your homedir: restorecon -R -v ~

> Summary:
>
> SELinux is preventing nm-system-setti (NetworkManager_t) "read" to
> ./PolicyKit.reload (system_crond_var_lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by nm-system-setti. It is not expected that this
> access is required by nm-system-setti and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./PolicyKit.reload,
>
> restorecon -v './PolicyKit.reload'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:NetworkManager_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:system_crond_var_lib_t
> Target Objects                ./PolicyKit.reload [ file ]
> Source                        nm-system-setti
> Source Path                   /usr/sbin/nm-system-settings
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           NetworkManager-0.7.0-0.9.3.svn3675.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18 19:05:03 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Wed 21 May 2008 08:21:22 AM CDT
> Last Seen                     Thu 22 May 2008 06:51:05 AM CDT
> Local ID                      842c746b-258d-45ad-bb2e-22c271d0b9ef
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1211457065.391:7): avc: denied { read } for pid=2501 comm="nm-system-setti" name="PolicyKit.reload" dev=dm-0 ino=443096 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_crond_var_lib_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1211457065.391:7): arch=40000003 syscall=292 success=no exit=-13 a0=6 a1=75d620 a2=106 a3=9b81f20 items=0 ppid=2500 pid=2501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
>

This is a bug which is fixed in F9 policy, but we have not been able to build policy for F10. It probably can be ignored.

> Summary:
>
> SELinux is preventing nm-system-setti (NetworkManager_t) "getattr" to /dev/root
> (fixed_disk_device_t).
>
> Detailed Description:
>
> SELinux denied access requested by nm-system-setti. It is not expected that this
> access is required by nm-system-setti and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for /dev/root,
>
> restorecon -v '/dev/root'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:NetworkManager_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:fixed_disk_device_t
> Target Objects                /dev/root [ blk_file ]
> Source                        nm-system-setti
> Source Path                   /usr/sbin/nm-system-settings
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           NetworkManager-0.7.0-0.9.3.svn3675.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18 19:05:03 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Wed 21 May 2008 08:21:23 AM CDT
> Last Seen                     Thu 22 May 2008 06:51:07 AM CDT
> Local ID                      12a9ceb6-2b80-406f-86ce-eddd56016c6b
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1211457067.143:8): avc: denied { getattr } for pid=2501 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=402 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1211457067.143:8): arch=40000003 syscall=195 success=no exit=-13 a0=415283d a1=bff720ec a2=3d8fff4 a3=415283d items=0 ppid=1 pid=2501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
>

Also can be ignored.

> Summary:
>
> SELinux is preventing dbus-daemon (xdm_dbusd_t) "execute" to ./gconfd-2
> (gconfd_exec_t).
>
> Detailed Description:
>
> SELinux denied access requested by dbus-daemon. It is not expected that this
> access is required by dbus-daemon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./gconfd-2,
>
> restorecon -v './gconfd-2'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_dbusd_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:gconfd_exec_t
> Target Objects                ./gconfd-2 [ file ]
> Source                        dbus-daemon
> Source Path                   /bin/dbus-daemon
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           dbus-1.2.1-3.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18 19:05:03 EDT 2008 i686 i686
> Alert Count                   401
> First Seen                    Wed 21 May 2008 08:21:39 AM CDT
> Last Seen                     Thu 22 May 2008 06:55:49 AM CDT
> Local ID                      3d366e28-6abd-4740-b078-7ec3f331bce5
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1211457349.146:165): avc: denied { execute } for pid=3544 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=125235 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL msg=audit(1211457349.146:165): arch=40000003 syscall=11 success=no exit=-13 a0=b8ed76f0 a1=b8edffa8 a2=b8ede8f8 a3=b8edbb58 items=0 ppid=3543 pid=3544 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux is preventing access to files with the label, file_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled file_t are being denied. file_t is
> the context the SELinux kernel gives to files that do not have a label. This
> indicates a serious labeling problem. No files on an SELinux box should ever be
> labeled file_t. If you have just added a new disk drive to the system you can
> relabel it using the restorecon command. Otherwise you should relabel the entire
> file system.
>
> Allowing Access:
>
> You can execute the following command as root to relabel your computer system:
> "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context                system_u:system_r:tmpreaper_t
> Target Context                system_u:object_r:file_t
> Target Objects                ./kpc [ dir ]
> Source                        tmpwatch
> Source Path                   /usr/sbin/tmpwatch
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           tmpwatch-2.9.13-2
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.26-0.17.rc3.fc10.i686 #1 SMP Sun May 18 19:05:03 EDT 2008 i686 i686
> Alert Count                   12
> First Seen                    Thu 28 Feb 2008 08:12:12 AM CST
> Last Seen                     Thu 22 May 2008 08:15:01 AM CDT
> Local ID                      78c39dd1-e417-40e6-8056-ac3a90e9e235
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1211462101.317:204): avc: denied { read } for pid=14967 comm="tmpwatch" name="kpc" dev=dm-0 ino=885859 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> host=localhost.localdomain type=SYSCALL msg=audit(1211462101.317:204): arch=40000003 syscall=5 success=no exit=-13 a0=804ac62 a1=98800 a2=0 a3=0 items=0 ppid=14964 pid=14967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)
>

We will fix these as soon as we can update Rawhide Policy.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
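The first alert above is the one worth understanding in detail. Its SYSCALL record is an i386 (arch=40000003) mprotect call (syscall=125) with a2=1000007, i.e. PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN on the stack mapping: exactly what the dynamic loader issues when some ELF object it loads carries a PT_GNU_STACK program header with the executable bit set, or no PT_GNU_STACK header at all. The setroubleshoot text points at `execstack -c` to clear that marking. The following is an added example, not code from this thread, from setroubleshoot or from the execstack tool: it parses the PT_GNU_STACK header out of an ELF object, gives the same X / - / ? verdict `execstack -q` prints, clears the PF_X bit the way `execstack -c` does, and decodes the a2 value from the quoted audit record. The ELF objects it checks are constructed inline (header plus one program header) so it runs offline; the PROT_GROWSDOWN value and the program-header offsets are taken from the ELF and Linux ABI definitions.

```python
"""Added example (not from the thread): inspect and clear the executable-stack
marking behind an SELinux `execstack` denial, and decode the mprotect flags."""
import struct
from typing import Iterator, Optional, Tuple

PT_GNU_STACK = 0x6474E551   # program header recording the requested stack permissions
PF_X = 0x1                  # executable bit in p_flags

# PROT_* bits of the mprotect syscall on x86 (the a2 field of the audit SYSCALL record).
PROT_FLAGS = {
    0x1: "PROT_READ",
    0x2: "PROT_WRITE",
    0x4: "PROT_EXEC",
    0x01000000: "PROT_GROWSDOWN",  # glibc sets this when it re-protects the stack
}


def _elf_layout(data: bytes) -> Tuple[str, bool]:
    """Return (struct byte-order prefix, is_elf64) from e_ident, or raise."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    prefix = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    return prefix, is64


def _program_headers(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (file offset of p_flags, p_type, p_flags) for every program header."""
    prefix, is64 = _elf_layout(data)
    if is64:
        (e_phoff,) = struct.unpack_from(prefix + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(prefix + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(prefix + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(prefix + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(prefix + "I", data, off)
        # p_flags follows p_type in Elf64_Phdr; in Elf32_Phdr it sits at +24.
        flags_off = off + 4 if is64 else off + 24
        (p_flags,) = struct.unpack_from(prefix + "I", data, flags_off)
        yield flags_off, p_type, p_flags


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """p_flags of PT_GNU_STACK, or None when the object has no such header."""
    for _, p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def execstack_marker(data: bytes) -> str:
    """Verdict in the style of `execstack -q`: 'X' executable stack, '-' not,
    '?' unmarked (no PT_GNU_STACK, so the loader falls back to the arch default,
    which on i386 is an executable stack)."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "?"
    return "X" if flags & PF_X else "-"


def wants_exec_stack(data: bytes) -> bool:
    """True when loading this object would request an executable stack."""
    return execstack_marker(data) != "-"


def clear_exec_stack(data: bytes) -> bytes:
    """Copy of data with PF_X dropped from PT_GNU_STACK (what `execstack -c` does)."""
    prefix, _ = _elf_layout(data)
    buf = bytearray(data)
    for flags_off, p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            struct.pack_into(prefix + "I", buf, flags_off, p_flags & ~PF_X)
    return bytes(buf)


def decode_mprotect_prot(a2_hex: str) -> list:
    """Names of the PROT_* bits in an audit SYSCALL record's a2 field (hex string)."""
    value = int(a2_hex, 16)
    return [name for bit, name in sorted(PROT_FLAGS.items()) if value & bit]


def build_elf(is64: bool, stack_flags: Optional[int]) -> bytes:
    """Constructed minimal little-endian ELF: header plus one PT_GNU_STACK header
    with the given p_flags (no program header at all when stack_flags is None).
    Enough for the checks above; not a loadable binary."""
    phnum = 0 if stack_flags is None else 1
    if is64:
        ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                                   64, 56, phnum, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0,
                           0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0,
                                   52, 32, phnum, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0,
                           stack_flags or 0, 16)
    return ehdr + (phdr if phnum else b"")


if __name__ == "__main__":
    for label, obj in [("i386, RWE stack", build_elf(False, 0x7)),
                       ("x86-64, RW stack", build_elf(True, 0x6)),
                       ("unmarked", build_elf(True, None))]:
        print(execstack_marker(obj), label)
    print("after clear:", execstack_marker(clear_exec_stack(build_elf(False, 0x7))))
    print("a2=1000007 ->", "|".join(decode_mprotect_prot("1000007")))
```

To check a real plugin directory, feed `open(path, "rb").read()` of each .so to `execstack_marker`; on a Fedora box `execstack -q /path/to/lib.so` and `readelf -lW /path/to/lib.so | grep GNU_STACK` give the same answer, and an `RWE` GNU_STACK entry is what `execstack -c` turns into `RW`. Clearing the bit is only a fix if the library never actually runs code on the stack (nested-function trampolines are the usual reason it needs to); if it does, the program will crash rather than be denied, which is the "turn the flag back on with execstack -s" case in the alert.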