fedora-selinux February 2008 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: selinux/setroubleshoot reports trouble with nspl

selinux/setroubleshoot reports trouble with nspluginscan, NetworkManager_t

From: Antonio Olivares <olivares14031_at_nospam>
Date: Wed Feb 06 2008 - 01:51:07 GMT
To: fedora-test-list@redhat.com


Dear all,

Upon applying todays updates rawhide report 20080205, and the failed update/conflicts
\begin{QUOTE}
xorg-x11-xinit-1.0.7-3.fc9.i386 from development has depsolving problems
--> xorg-x11-xinit-1.0.7-3.fc9.i386 (development)
conflicts with dbus < 1.1
.4-3.fc9
Error: xorg-x11-xinit-1.0.7-3.fc9.i386 (development) conflicts with dbus < 1.
1.4-3.fc9
\end{QUOTE}

I get two denials from selinux

Summary:

SELinux is preventing nspluginscan from making the program stack executable.

Detailed Description:

The nspluginscan application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If nspluginscan does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
nspluginscan to run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t
'/usr/bin/nspluginscan'" You must also change the default file context files on
the system in order to preserve them even on a full relabel. "semanage fcontext
-a -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t
'/usr/bin/nspluginscan'

Additional Information:

Source Context
unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Objects None [ process ] Source nspluginscan Source Path /usr/bin/nspluginscan Port <Unknown> Host localhost.localdomain Source RPM Packages kdebase-4.0.1-3.fc9 Target RPM Packages Policy RPM selinux-policy-3.2.6-5.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execstack Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP Mon Feb 4 19:02:27 EST 2008 i686 i686 Alert Count 2 First Seen Tue 05 Feb 2008 07:13:02 AM CST Last Seen Tue 05 Feb 2008 07:41:42 PM CST Local ID 7afb3a36-5b69-486c-a93b-02e714040250 Line Numbers Raw Audit Messages

host=localhost.localdomain type=AVC
msg=audit(1202262102.930:20): avc: denied { execstack } for pid=2866 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=localhost.localdomain type=SYSCALL
msg=audit(1202262102.930:20): arch=40000003 syscall=125 success=no exit=-13 a0=bfce4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="nspluginscan" exe="/usr/bin/nspluginscan" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing the 00-netreport
(NetworkManager_t) from executing ./init.

Detailed Description:

SELinux has denied the 00-netreport from executing ./init. If 00-netreport is
supposed to be able to execute ./init, this could be a labeling problem. Most
confined domains are allowed to execute files labeled bin_t. So you could change
the labeling on this file to bin_t and retry the application. If this
00-netreport is not supposed to execute ./init, this could signal a intrusion
attempt.

Allowing Access:

If you want to allow 00-netreport to execute ./init: chcon -t bin_t './init' If
this fix works, please update the file context on disk, with the following
command: semanage fcontext -a -t bin_t './init' Please specify the full path to
the executable, Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context
system_u:system_r:NetworkManager_t Target Context system_u:object_r:etc_t Target Objects ./init [ file ] Source 00-netreport Source Path /bin/bash Port <Unknown> Host localhost.localdomain Source RPM Packages bash-3.2-20.fc9 Target RPM Packages Policy RPM selinux-policy-3.2.6-5.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name execute Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP Mon Feb 4 19:02:27 EST 2008 i686 i686 Alert Count 1 First Seen Tue 05 Feb 2008 07:42:33 PM CST Last Seen Tue 05 Feb 2008 07:42:33 PM CST Local ID 9a1f71bd-9256-450a-bc0c-a7ebb115cacb Line Numbers Raw Audit Messages

host=localhost.localdomain type=AVC
msg=audit(1202262153.640:107): avc: denied { execute } for pid=3226 comm="00-netreport" name="init" dev=dm-0 ino=360497
scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL
msg=audit(1202262153.640:107): arch=40000003 syscall=33 success=no exit=-13 a0=9f7a370 a1=1 a2=11 a3=9f7a370 items=0 ppid=2385 pid=3226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="00-netreport" exe="/bin/bash" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Thanks,

Antonio



Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list