> >> Dear all, > >> > >> Now I know why playing Penalty_Fever caused a > problem. The > >> following is clear evidence :( > >> > >> > >> Summary: > >> > >> SELinux is preventing nspluginviewer from changing > a > >> writable memory segment > >> executable. > >> > >> Detailed Description: > >> > >> The nspluginviewer application attempted to change > the > >> access protection of > >> memory (e.g., allocated using malloc). This is a > potential > >> security problem. > >> Applications should not be doing this. > Applications are > >> sometimes coded > >> incorrectly and request this permission. The > SELinux Memory > >> Protection Tests > >> > (http://people.redhat.com/drepper/selinux-mem.html) web > >> page explains how to > >> remove this requirement. If nspluginviewer does > not work > >> and you need it to > >> work, you can configure SELinux temporarily to > allow this > >> access until the > >> application is fixed. Please file a bug report > >> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against > >> this package. > >> > >> Allowing Access: > >> > >> If you trust nspluginviewer to run correctly, you > can > >> change the context of the > >> executable to unconfined_execmem_exec_t. > "chcon -t > >> unconfined_execmem_exec_t > >> '/usr/bin/nspluginviewer'". You must > also > >> change the default file context files > >> on the system in order to preserve them even on a > full > >> relabel. "semanage > >> fcontext -a -t unconfined_execmem_exec_t > >> '/usr/bin/nspluginviewer'" > >> > >> Fix Command: > >> > >> chcon -t unconfined_execmem_exec_t > >> '/usr/bin/nspluginviewer' > >> > >> Additional Information: > >> > >> Source Context > >> unconfined_u:unconfined_r:unconfined_t:SystemLow- > >> SystemHigh > >> Target Context > >> unconfined_u:unconfined_r:unconfined_t:SystemLow- > >> SystemHigh > >> Target Objects None [ process ] > >> Source nspluginviewer > >> Source Path > /usr/bin/nspluginviewer > >> Port <Unknown> > >> Host > localhost.localdomain > >> Source RPM Packages kdebase-4.1.0-1.fc10 > >> Target RPM Packages > >> Policy RPM > selinux-policy-3.5.1-4.fc10 > >> Selinux Enabled True > >> Policy Type targeted > >> MLS Enabled True > >> Enforcing Mode Enforcing > >> Plugin Name allow_execmem > >> Host Name > localhost.localdomain > >> Platform Linux > localhost.localdomain > >> 2.6.26.1 #1 SMP Sat > >> Aug 2 21:36:01 CDT > 2008 i686 > >> i686 > >> Alert Count 29 > >> First Seen Sun 03 Aug 2008 > 12:55:21 PM > >> CDT > >> Last Seen Sun 03 Aug 2008 > 12:55:21 PM > >> CDT > >> Local ID > >> 865503d3-baab-4dcd-adc0-47f8fff6ade6 > >> Line Numbers > >> > >> Raw Audit Messages > >> > >> host=localhost.localdomain type=AVC > >> msg=audit(1217786121.365:53): avc: denied { > execmem } for > >> pid=3262 comm="nspluginviewer" > >> > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > >> > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > >> tclass=process > >> > >> host=localhost.localdomain type=SYSCALL > >> msg=audit(1217786121.365:53): arch=40000003 > syscall=125 > >> success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 > a3=bfa32acc > >> items=0 ppid=3222 pid=3262 auid=500 uid=500 > gid=500 euid=500 > >> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 > tty=(none) > >> ses=1 comm="nspluginviewer" > >> exe="/usr/bin/nspluginviewer" > >> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > >> key=(null) > >> > >> > >> This was an old bug and it returns to bite back :( > >> Is anybody else also encountering this problem? > >> > >> Regards, > >> > >> Antonio > >> > >> > >> > >> > >> -- > > > > BTW, > > > > the old bug with nspluginwrapper was here: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=431708 > > > > It was closed. It looks a little bit different, now I > am not sure if it is related? > > > > Thanks, > > > > Antonio > > > > > > > > > Most likely caused by one of the plugins you are using. > You have > multiple choices to fix this, one you could turn on > nsplugin confinement > > # getsebool -a | grep nsplugin > allow_nsplugin_execmem --> on > allow_unconfined_nsplugin_transition --> on > > You should relabel your homedir if you do. > > restorecon -R -v ~ > > Then restart firefox. This would allow a confined nsplugin > to execmem > but not all apps run from unconfined_t. I have been > running like this > for a long time and have had few problems, although the > more people who > run with this mode the better so we can figure out what > firefox plugins > want to do. I am running konqueror on KDE 4.1 Rawhide. Firefox and Seamonkey are not reliable and I yum removed 'em. I was playing a flash game and it was working nicely, but then I got to the next level and CPU went up to 100% and crashed. I can try the suggestions, but I am not sure that konqueror behaves like firefox with the plugins. > > You can not run the offending plugin. > > You can ignore the error if it does not seem to cause the > problem. > > You can turn on allow_execmem boolean. I'll take a look into that. Regards, Antonio -- fedora-test-list mailing list fedora-test-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
