On Fri, 2009-07-24 at 17:48 +0100, Frank Murphy wrote: > Following is AVC > Do I replace '<unknown>' with skype? > > > > Summary: > > > > SELinux is preventing skype from changing a writable memory segment executable. > > > > Detailed Description: > > > > The skype application attempted to change the access protection of memory (e.g., > > allocated using malloc). This is a potential security problem. Applications > > should not be doing this. Applications are sometimes coded incorrectly and > > request this permission. The SELinux Memory Protection Tests > > (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to > > remove this requirement. If skype does not work and you need it to work, you can > > configure SELinux temporarily to allow this access until the application is > > fixed. Please file a bug report > > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. > > > > Allowing Access: > > > > If you trust skype to run correctly, you can change the context of the > > executable to execmem_exec_t. "chcon -t execmem_exec_t '<Unknown>'". You must > > also change the default file context files on the system in order to preserve > > them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '<Unknown>'" > > > > Fix Command: > > > > chcon -t execmem_exec_t '<Unknown>' > > > > Additional Information: > > > > Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > > 023 > > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > > 023 > > Target Objects None [ process ] > > Source skype > > Source Path <Unknown> > > Port <Unknown> > > Host (removed) > > Source RPM Packages > > Target RPM Packages > > Policy RPM selinux-policy-3.6.22-2.fc12 > > Selinux Enabled True > > Policy Type targeted > > MLS Enabled True > > Enforcing Mode Enforcing > > Plugin Name allow_execmem > > Host Name (removed) > > Platform Linux internet01.frankly3d.local > > 2.6.31-0.86.rc3.git5.fc12.x86_64 #1 SMP Wed Jul 22 > > 15:31:34 EDT 2009 x86_64 x86_64 > > Alert Count 1 > > First Seen Fri 24 Jul 2009 17:38:51 IST > > Last Seen Fri 24 Jul 2009 17:38:51 IST > > Local ID 6c5beb61-0671-4497-b86d-cd1bf0944901 > > Line Numbers > > > > Raw Audit Messages > > > > node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process > > > > node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > > > > Yes: semanage fcontext -a -t execmem_exec_t /path/to/skype restorecon -v /path/to/skype where "/path/to/skype" is the path to the skype executable file.
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list