Antonio Olivares wrote:
>> Dear all,
>>
>> Now I know why playing Penalty_Fever caused a problem. The
>> following is clear evidence :(
>>
>>
>> Summary:
>>
>> SELinux is preventing nspluginviewer from changing a writable memory segment
>> executable.
>>
>> Detailed Description:
>>
>> The nspluginviewer application attempted to change the access protection of
>> memory (e.g., allocated using malloc). This is a potential security problem.
>> Applications should not be doing this. Applications are sometimes coded
>> incorrectly and request this permission. The SELinux Memory Protection Tests
>> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
>> remove this requirement. If nspluginviewer does not work and you need it to
>> work, you can configure SELinux temporarily to allow this access until the
>> application is fixed. Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>>
>> Allowing Access:
>>
>> If you trust nspluginviewer to run correctly, you can change the context of the
>> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
>> '/usr/bin/nspluginviewer'". You must also change the default file context files
>> on the system in order to preserve them even on a full relabel. "semanage
>> fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
>>
>> Fix Command:
>>
>> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
>> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
>> Target Objects                None [ process ]
>> Source                        nspluginviewer
>> Source Path                   /usr/bin/nspluginviewer
>> Port                          <Unknown>
>> Host                          localhost.localdomain
>> Source RPM Packages           kdebase-4.1.0-1.fc10
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.5.1-4.fc10
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   allow_execmem
>> Host Name                     localhost.localdomain
>> Platform                      Linux localhost.localdomain 2.6.26.1 #1 SMP Sat
>>                               Aug 2 21:36:01 CDT 2008 i686 i686
>> Alert Count                   29
>> First Seen                    Sun 03 Aug 2008 12:55:21 PM CDT
>> Last Seen                     Sun 03 Aug 2008 12:55:21 PM CDT
>> Local ID                      865503d3-baab-4dcd-adc0-47f8fff6ade6
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=localhost.localdomain type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for pid=3262 comm="nspluginviewer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>
>> host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nspluginviewer" exe="/usr/bin/nspluginviewer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>
>>
>> This was an old bug and it returns to bite back :(
>> Is anybody else also encountering this problem?
>>
>> Regards,
>>
>> Antonio
>>
>
> BTW,
>
> the old bug with nspluginwrapper was here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=431708
>
> It was closed. It looks a little bit different, now I am not sure if it is related?
>
> Thanks,
>
> Antonio
>

Most likely caused by one of the plugins you are using.

You have multiple choices to fix this, one you could turn on nsplugin confinement

# getsebool -a | grep nsplugin
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on

You should relabel your homedir if you do.

restorecon -R -v ~

Then restart firefox.

This would allow a confined nsplugin to execmem but not all apps run from unconfined_t. I have been running like this for a long time and have had few problems, although the more people who run with this mode the better so we can figure out what firefox plugins want to do.

You can not run the offending plugin.

You can ignore the error if it does not seem to cause the problem.

You can turn on allow_execmem boolean.