Bug 250249
Summary: | policy for new package (nspluginwrapper) | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Martin Stransky <stransky> | ||||
Component: | nspluginwrapper | Assignee: | Martin Stransky <stransky> | ||||
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | rawhide | CC: | caillon, drepper, jakub, james_j_catchpole, jeanfrancois.brisse, katzj, ma, mcepl, mcepl, opie.reger, peldor, pezuc, phaceton, rvr | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | | Doc Type: | Bug Fix | ||||
Doc Text: | | Story Points: | --- | ||||
Clone Of: | | Environment: | | ||||
Last Closed: | 2008-04-01 04:59:43 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | | Category: | --- | ||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 428169 | ||||||
Attachments: | |||||||
Description
Martin Stransky
2007-07-31 12:51:29 UTC
Created attachment 160313 [details]
Proposed patch to selinux-policy. I've derived it from the mozilla policy files.
What policy are you running where you are seeing these avc's? Please attach the avc messages?

*** Bug 297341 has been marked as a duplicate of this bug. ***

Packages:

selinux-policy-mls-2.6.4-40.fc7
selinux-policy-strict-2.6.4-40.fc7
selinux-policy-targeted-2.6.4-40.fc7

From targeted:

```
Sep 20 11:21:02 dhcp-lab-232 kernel: audit(1190280062.886:45): avc: denied { execmod } for pid=22831 comm="npviewer.bin" name="nppdf.so" dev=sda1 ino=7100303 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
```

From strict:

```
Sep 20 12:21:32 dhcp-lab-232 kernel: audit(1190283692.804:190): avc: denied { execstack } for pid=3024 comm="npviewer.bin" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
Sep 20 12:21:32 dhcp-lab-232 kernel: audit(1190283692.804:191): avc: denied { execmem } for pid=3024 comm="npviewer.bin" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
Sep 20 12:21:59 dhcp-lab-232 kernel: audit(1190283719.490:192): avc: denied { execmod } for pid=3050 comm="npviewer.bin" name="nppdf.so" dev=sda1 ino=7100303 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
```

nppdf.so should not need execmod. This is a build problem. Also you can label npviewer.bin as unconfined_execmem_exec_t to get it to work in targeted policy

Does this app really need execstack and execmem to work?

(In reply to comment #6)
> nppdf.so should not need execmod. This is a build problem. Also you can label
> npviewer.bin as unconfined_execmem_exec_t to get it to work in targeted policy
>
> Does this app really need execstack and execmem to work?

npviewer.bin manually extracts symbols from loaded plugins (by dlopen/dlsym) and runs them. Can that cause the execstack / execmem issues? I checked the code but I have no idea what else can emit the messages....

(In reply to comment #7)
> npviewer.bin manually extracts symbols from loaded plugins (by dlopen/dlsym)
> and runs them. Can that cause the execstack / execmem issues?

No, there is no difference to calling the functions the traditional way. I've explained in http://people.redhat.com/drepper/selinux-mem.html and the papers it references how the various errors are created. It should be clear that this has nothing to do with dlopen etc.

There's another part that can cause it.

```c
// Netscape exported functions
static NPNetscapeFuncs mozilla_funcs;
static const rpc_method_descriptor_t vtable[] = { ... }
```

```
$ objdump -x npviewer.bin
0000000000410120 l     O .rodata	0000000000000170 vtable.45223
0000000000614880 l     O .bss	0000000000000158 mozilla_funcs
```

These structures hold pointers to plugin / RPC functions, are exported to plugins and functions there are called from them...

*** Bug 388691 has been marked as a duplicate of this bug. ***

*** Bug 422481 has been marked as a duplicate of this bug. ***

*** Bug 426770 has been marked as a duplicate of this bug. ***

*** Bug 426964 has been marked as a duplicate of this bug. ***

*** Bug 292641 has been marked as a duplicate of this bug. ***

*** Bug 427967 has been marked as a duplicate of this bug. ***

*** Bug 428025 has been marked as a duplicate of this bug. ***

*** Bug 398621 has been marked as a duplicate of this bug. ***

*** Bug 431446 has been marked as a duplicate of this bug. ***

Should this also be considered part of this bug?

```
Summary:
    SELinux is preventing plugin-config (nsplugin_config_t) "execstack" to <Unknown> (nsplugin_config_t).

Detailed Description:
    SELinux denied access requested by plugin-config. It is not expected that this access is required by plugin-config and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
    You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_config_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:nsplugin_config_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port                          <Unknown>
Host                          localhost
Source RPM Packages           nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.0-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.65.rc2.git7.fc9 #1 SMP Sat Feb 23 23:06:09 EST 2008 i686 athlon
Alert Count                   4
First Seen                    Tue 26 Feb 2008 03:17:23 PM CST
Last Seen                     Wed 27 Feb 2008 06:44:46 AM CST
Local ID                      276820c9-9871-4632-8ec1-c8909c8d7c0b
Line Numbers

Raw Audit Messages

host=localhost type=AVC msg=audit(1204116286.116:403): avc: denied { execstack } for pid=8821 comm="plugin-config" scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tclass=process

host=localhost type=SYSCALL msg=audit(1204116286.116:403): arch=40000003 syscall=125 success=no exit=-13 a0=bfbf3000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=8819 pid=8821 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)
```

and/or also the npviewer?

```
Summary:
    SELinux is preventing npviewer.bin (nsplugin_t) "read" to controlC0 (sound_device_t).

Detailed Description:
    SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for controlC0, restorecon -v 'controlC0' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:SystemLow-SystemHigh
Target Context                system_u:object_r:sound_device_t
Target Objects                controlC0 [ chr_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          localhost
Source RPM Packages           nspluginwrapper-0.9.91.5-22.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.0-1.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.65.rc2.git7.fc9 #1 SMP Sat Feb 23 23:06:09 EST 2008 i686 athlon
Alert Count                   176
First Seen                    Tue 26 Feb 2008 03:24:34 PM CST
Last Seen                     Tue 26 Feb 2008 03:24:47 PM CST
Local ID                      469b1532-4ab3-4757-be58-2248cc0f9f05
Line Numbers

Raw Audit Messages

host=localhost type=AVC msg=audit(1204061087.213:287): avc: denied { read } for pid=20571 comm="npviewer.bin" name="controlC0" dev=tmpfs ino=5318 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file

host=localhost type=SYSCALL msg=audit(1204061087.213:287): arch=40000003 syscall=5 success=no exit=-13 a0=bfe5d482 a1=0 a2=1e a3=bfe5d482 items=0 ppid=20512 pid=20571 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
```

I ask this in order for them not to be duplicate bugs :) Also, npviewer does not exist in bugzilla. Please let me know if I should file a new bug and against what component(s).

Thanks,
Antonio

*** Bug 439886 has been marked as a duplicate of this bug. ***

*** Bug 439885 has been marked as a duplicate of this bug. ***

*** Bug 437508 has been marked as a duplicate of this bug. ***

Fixed in selinux-policy-3.3.1-26.fc9.noarch
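Added example, not part of this bug report and not code from nspluginwrapper or selinux-policy: a small Python parser that reads AVC and SYSCALL audit records like the ones quoted in the comments above, correlates them by audit event (timestamp and serial), and separates the execute-memory denials this bug is about (execmod, execstack, execmem) from ordinary access denials such as the controlC0 read. The sample records are the ones quoted above with the extraction line breaks repaired; the i386 syscall table is a constructed partial table covering only those records.

```python
# Classify SELinux AVC denials of the kind quoted in this bug.
# Added example; not code from nspluginwrapper or selinux-policy.
import errno
import re
from collections import Counter

# Constructed sample: AVC records quoted in the comments above (extraction line
# breaks repaired) plus one SYSCALL record from the sealert output.
SAMPLE_AUDIT = """\
Sep 20 11:21:02 dhcp-lab-232 kernel: audit(1190280062.886:45): avc: denied { execmod } for pid=22831 comm="npviewer.bin" name="nppdf.so" dev=sda1 ino=7100303 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
Sep 20 12:21:32 dhcp-lab-232 kernel: audit(1190283692.804:190): avc: denied { execstack } for pid=3024 comm="npviewer.bin" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
Sep 20 12:21:32 dhcp-lab-232 kernel: audit(1190283692.804:191): avc: denied { execmem } for pid=3024 comm="npviewer.bin" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=process
host=localhost type=AVC msg=audit(1204116286.116:403): avc: denied { execstack } for pid=8821 comm="plugin-config" scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tclass=process
host=localhost type=SYSCALL msg=audit(1204116286.116:403): arch=40000003 syscall=125 success=no exit=-13 a0=bfbf3000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=8819 pid=8821 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)
host=localhost type=AVC msg=audit(1204061087.213:287): avc: denied { read } for pid=20571 comm="npviewer.bin" name="controlC0" dev=tmpfs ino=5318 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
"""

EVENT_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# What each execute-memory permission means. For the first two the fix lies in
# how the plugin was built (PIC code, GNU_STACK note), not in the SELinux policy.
EXEC_PERMS = {
    "execmod": "file mapping with text relocations (non-PIC code) made executable",
    "execstack": "executable stack requested (PT_GNU_STACK marked executable or absent)",
    "execmem": "anonymous writable memory made executable (JIT-style code generation)",
}

# Partial i386 syscall table (arch=40000003 is AUDIT_ARCH_I386); constructed
# for the records on this page only.
I386_SYSCALLS = {5: "open", 125: "mprotect"}


def parse_kv(text):
    """Turn 'pid=3024 comm="npviewer.bin" ...' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def se_type(context):
    """Type component of an SELinux context user:role:type[:range]."""
    return context.split(":")[2]


def parse_record(line):
    """Parse one audit line; returns a dict, or None for other record types."""
    ev = EVENT_RE.search(line)
    if ev is None:
        return None
    rec = {"ts": float(ev.group("ts")), "serial": int(ev.group("serial"))}
    avc = AVC_RE.search(line)
    if avc:
        rec["type"] = "AVC"
        rec["perms"] = avc.group("perms").split()
        rec.update(parse_kv(avc.group("fields")))
        return rec
    if "type=SYSCALL" in line:
        rec["type"] = "SYSCALL"
        rec.update(parse_kv(line.split("): ", 1)[1]))
        return rec
    return None


def describe_syscall(rec):
    """'mprotect failed with EACCES' for a SYSCALL record (exit is -errno)."""
    name = I386_SYSCALLS.get(int(rec["syscall"])) if rec["arch"] == "40000003" else None
    err = errno.errorcode.get(-int(rec["exit"]), rec["exit"])
    return f"{name or 'syscall ' + rec['syscall']} failed with {err}"


def explain(rec):
    """Return (kind, text) for an AVC record: 'exec-memory' or plain 'access'."""
    who = f"{rec['comm']} ({se_type(rec['scontext'])})"
    for perm in rec["perms"]:
        if perm in EXEC_PERMS:
            return "exec-memory", f"{who} needs {perm}: {EXEC_PERMS[perm]}"
    target = rec.get("name", rec["tclass"])
    return "access", (f"{who} denied {' '.join(rec['perms'])} on {target} "
                      f"({se_type(rec['tcontext'])}, {rec['tclass']})")


def analyse(audit_text):
    """Group records by audit event, explain each AVC, count (comm, perm, tclass)."""
    events = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            # (timestamp, serial) identifies one event; the SYSCALL record that
            # triggered an AVC carries the same pair, so they can be joined.
            events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    findings, counts = [], Counter()
    for _, recs in sorted(events.items()):
        syscalls = [r for r in recs if r["type"] == "SYSCALL"]
        for avc in (r for r in recs if r["type"] == "AVC"):
            kind, text = explain(avc)
            if syscalls:
                text += f" [{describe_syscall(syscalls[0])}]"
            findings.append((kind, text))
            for perm in avc["perms"]:
                counts[(avc["comm"], perm, avc["tclass"])] += 1
    return findings, counts


if __name__ == "__main__":
    found, totals = analyse(SAMPLE_AUDIT)
    for kind, text in found:
        print(f"{kind:12} {text}")
    for (comm, perm, tclass), n in totals.most_common():
        print(f"{n:3}  {comm} {perm} {tclass}")
```

Run against the sample, the script reports three execute-memory denials for npviewer.bin, one for plugin-config (joined with its SYSCALL record as an mprotect call failing with EACCES), and one plain access denial on controlC0, which is the kind of denial that a labelling fix or a policy rule addresses. For the execmod and execstack cases the follow-up check is on the library itself rather than on the policy: `readelf -lW nppdf.so` shows the GNU_STACK program header flags, and `eu-findtextrel nppdf.so` (elfutils) lists text relocations.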