On 07/24/2009 12:55 PM, Dominick Grift wrote:
> On Fri, 2009-07-24 at 17:48 +0100, Frank Murphy wrote:
>> Following is AVC
>> Do I replace '<unknown>' with skype?
>>
>>
>>> Summary:
>>>
>>> SELinux is preventing skype from changing a writable memory segment executable.
>>>
>>> Detailed Description:
>>>
>>> The skype application attempted to change the access protection of memory (e.g.,
>>> allocated using malloc). This is a potential security problem. Applications
>>> should not be doing this. Applications are sometimes coded incorrectly and
>>> request this permission. The SELinux Memory Protection Tests
>>> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
>>> remove this requirement. If skype does not work and you need it to work, you can
>>> configure SELinux temporarily to allow this access until the application is
>>> fixed. Please file a bug report
>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>>>
>>> Allowing Access:
>>>
>>> If you trust skype to run correctly, you can change the context of the
>>> executable to execmem_exec_t. "chcon -t execmem_exec_t '<Unknown>'". You must
>>> also change the default file context files on the system in order to preserve
>>> them even on a full relabel.
>>> "semanage fcontext -a -t execmem_exec_t '<Unknown>'"
>>>
>>> Fix Command:
>>>
>>> chcon -t execmem_exec_t '<Unknown>'
>>>
>>> Additional Information:
>>>
>>> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> Target Objects                None [ process ]
>>> Source                        skype
>>> Source Path                   <Unknown>
>>> Port                          <Unknown>
>>> Host                          (removed)
>>> Source RPM Packages
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.6.22-2.fc12
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   allow_execmem
>>> Host Name                     (removed)
>>> Platform                      Linux internet01.frankly3d.local
>>>                               2.6.31-0.86.rc3.git5.fc12.x86_64 #1 SMP Wed Jul 22
>>>                               15:31:34 EDT 2009 x86_64 x86_64
>>> Alert Count                   1
>>> First Seen                    Fri 24 Jul 2009 17:38:51 IST
>>> Last Seen                     Fri 24 Jul 2009 17:38:51 IST
>>> Local ID                      6c5beb61-0671-4497-b86d-cd1bf0944901
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>>
>>> node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>>
>>>
> Yes:
>
> semanage fcontext -a -t execmem_exec_t /path/to/skype
> restorecon -v /path/to/skype
>
> where "/path/to/skype" is the path to the skype executable file.
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Please open a bugzilla on skype saying that apps should not require execmem
privs to run. Attach the following link.

http://people.redhat.com/~drepper/selinux-mem.html