Dear fellow testers and selinux experts, I have encountered several avcs. I want to ask you for advice before applying the suggested fixes. Summary: SELinux is preventing knotify4 from making the program stack executable. Detailed Description: The knotify4 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/knotify4'" Fix Command: chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects None [ process ] Source knotify4 Source Path /usr/bin/knotify4 Port <Unknown> Host riohigh Source RPM Packages kdebase-runtime-4.1.2-3.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.10-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execstack Host Name riohigh Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon Alert Count 2 First Seen Thu 16 Oct 2008 06:33:56 AM CDT Last Seen Thu 16 Oct 2008 06:33:56 AM CDT Local ID d2171be2-9d07-43e0-83bf-95f7f3e5e666 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t. Detailed Description: SELinux denied access requested by hal-acl-tool. It is not expected that this access is required by hal-acl-tool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:hald_acl_t:s0 Target Context system_u:system_r:hald_acl_t:s0 Target Objects None [ capability ] Source hal-acl-tool Source Path /usr/libexec/hal-acl-tool Port <Unknown> Host riohigh Source RPM Packages hal-0.5.12-3.20081013git.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.10-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon Alert Count 73 First Seen Sat 04 Oct 2008 11:10:27 AM CDT Last Seen Thu 16 Oct 2008 06:33:03 AM CDT Local ID 16181f84-ddf2-4510-bd51-aef5ff647a63 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 items=0 ppid=1834 pid=2568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null) Summary: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. Detailed Description: SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Objects None [ capability ] Source console-kit-dae Source Path /usr/sbin/console-kit-daemon Port <Unknown> Host riohigh Source RPM Packages ConsoleKit-0.3.0-2.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.10-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon Alert Count 87 First Seen Fri 03 Oct 2008 06:14:33 PM CDT Last Seen Thu 16 Oct 2008 06:33:02 AM CDT Local ID 0c8f36ea-d6b2-4646-ba59-1cdf5e6a0ee0 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224156782.948:86): avc: denied { sys_resource } for pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 a3=8c4b790 items=0 ppid=1 pid=1770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) I had not encountered these ones before. And before applying the fixes, I will ask if no one has encountered these ones before. TIA, Antonio -- fedora-test-list mailing list fedora-test-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
