Attachment 295080 Details for Bug 433142 – SETroubleshoot Alert

SETroubleshoot Alert

selinux-alert-just-in-case.log (text/plain), 3.55 KB, created by Martyn Hare on 2008-02-16 20:59:26 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Martyn Hare

Created: 2008-02-16 20:59:26 UTC

Size: 3.55 KB

patch

obsolete

>
>Summary:
>
>SELinux is preventing ksmserver(/usr/bin/ksmserver) from making the program
>stack executable.
>
>Detailed Description:
>
>The ksmserver(/usr/bin/ksmserver) application attempted to make its stack
>executable. This is a potential security problem. This should never ever be
>necessary. Stack memory is not executable on most OSes these days and this will
>not change. Executable stack memory is one of the biggest security problems. An
>execstack error might in fact be most likely raised by malicious code.
>Applications are sometimes coded incorrectly and request this permission. The
>SELinux Memory Protection Tests
>(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
>remove this requirement. If ksmserver(/usr/bin/ksmserver) does not work and you
>need it to work, you can configure SELinux temporarily to allow this access
>until the application is fixed. Please file a bug report
>(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
>Allowing Access:
>
>Sometimes a library is accidentally marked with the execstack flag, if you find
>a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
>Then retry your application. If the app continues to not work, you can turn the
>flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
>ksmserver(/usr/bin/ksmserver) to run correctly, you can change the context of
>the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
>ksmserver(/usr/bin/ksmserver)" You must also change the default file context
>files on the system in order to preserve them even on a full relabel. "semanage
>fcontext -a -t unconfined_execmem_exec_t ksmserver(/usr/bin/ksmserver)"
>
>The following command will allow this access:
>
>chcon -t unconfined_execmem_exec_t ksmserver(/usr/bin/ksmserver)
>
>Additional Information:
>
>Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                              023
>Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                              023
>Target Objects                None [ process ]
>Source                        ksmserver(/usr/bin/ksmserver)
>Port                          <Unknown>
>Host                          HP3700
>Source RPM Packages           
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.2.5-18.fc9
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   allow_execstack
>Host Name                     HP3700
>Platform                      Linux HP3700 2.6.24-2.fc9 #1 SMP Fri Jan 25
>                              12:52:32 EST 2008 x86_64 x86_64
>Alert Count                   6
>First Seen                    Sat 16 Feb 2008 08:17:02 PM GMT
>Last Seen                     Sat 16 Feb 2008 08:47:07 PM GMT
>Local ID                      54612afe-6480-4e8c-8d11-39cc185ea8fc
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=HP3700 type=AVC msg=audit(1203194827.454:129): avc:  denied  { execstack } for  pid=23006 comm="ksmserver" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
>host=HP3700 type=SYSCALL msg=audit(1203194827.454:129): arch=c000003e syscall=10 success=no exit=-13 a0=7fffabb95000 a1=1000 a2=1000007 a3=4 items=0 ppid=22527 pid=23006 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ksmserver" exe="/usr/bin/ksmserver" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>

Actions: View

Attachments on bug 433142: 295080