Bug 431708

Summary: SELinux is preventing nspluginscan from making the program stack executable.
Product: Fedora
Component: kdebase
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Reporter: Antonio A. Olivares <olivares14031>
Assignee: Than Ngo <than>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: caillon, kevin, ltinkl, rdieter, wtogami
Doc Type: Bug Fix
Last Closed: 2008-04-08 14:40:35 UTC

Description Antonio A. Olivares 2008-02-06 16:34:41 UTC
Description of problem:

Summary:

SELinux is preventing nspluginscan from making the program stack executable.

Detailed Description:

The nspluginscan application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If nspluginscan does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust nspluginscan to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginscan'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Source                        nspluginscan
Source Path                   /usr/bin/nspluginscan
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           kdebase-4.0.1-3.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.2.6-5.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP Mon Feb 4 19:02:27 EST 2008 i686 i686
Alert Count                   2
First Seen                    Tue 05 Feb 2008 07:13:02 AM CST
Last Seen                     Tue 05 Feb 2008 07:41:42 PM CST
Local ID                      7afb3a36-5b69-486c-a93b-02e714040250
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1202262102.930:20): avc:  denied  { execstack } for  pid=2866 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1202262102.930:20): arch=40000003 syscall=125 success=no exit=-13 a0=bfce4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="nspluginscan" exe="/usr/bin/nspluginscan" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):

nspluginscan
I cannot find nspluginscan, so I went with nspluginwrapper

How reproducible:
Upon starting up machine, the setroubleshoot kicks in and displays this when
using KDE.  On the other machine that uses gnome, it does not happen.  

Additional info:

Upon Request.

Comment 1 Antonio A. Olivares 2008-02-06 16:56:25 UTC
Sorry, but searching through google, there is no nspluginscan package but there
might be a konqueror-nspluginscan, but it is not in bugzilla either :(



Comment 2 Antonio A. Olivares 2008-02-06 16:57:19 UTC
Ahh, it should be filed against 

kdebase-4.0.1-3.fc9

Correct?

Thanks,

Antonio 

Comment 3 Martin Stransky 2008-02-19 17:18:54 UTC
moving to kdebase.

Comment 4 Rex Dieter 2008-02-19 17:24:19 UTC
dup of bug #428036 ?

Comment 5 Rex Dieter 2008-02-19 17:25:03 UTC
Antonio, what arch?  x86_64?

Comment 6 Kevin Kofler 2008-02-19 17:27:17 UTC
The "Additional information" from SELinux says i686.

Comment 7 Kevin Kofler 2008-02-19 17:35:54 UTC
The stack on nspluginscan itself is marked RW, not RWE, so this must be an
issue in one of the libraries. Is your qimageblitz up to date?
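Comment 7 turns on the difference between a stack marked RW and one marked RWE; that marking is the p_flags field of the ELF PT_GNU_STACK program header, and the setroubleshoot text above suggests hunting for a library carrying the execstack flag. The following Python script is an added example, not part of this bug report or of kdebase: it reads that header directly (the same verdict execstack -q gives) and walks every shared object ldd resolves for a binary, so the library that drags an executable stack into the process can be identified. The minimal ELF images it builds are constructed test inputs, and scan_with_libs assumes ldd is on PATH.

```python
import struct
import subprocess

PT_GNU_STACK = 0x6474E551          # program header the loader consults for stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits (readelf prints them as E, W, R)

def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header of an ELF32/ELF64 image, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        entsz, num = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        entsz, num = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(num):
        off = phoff + i * entsz
        (p_type,) = struct.unpack_from(end + "I", data, off)
        # ELF64 stores p_flags right after p_type; ELF32 stores it at offset 24
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_marking(data):
    """Same verdict as 'execstack -q': 'RW', 'RWE', or '?' when no PT_GNU_STACK header exists."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "?"  # no header: historically treated as an executable stack on x86
    return "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if flags & bit)

def scan_with_libs(binary):
    """Map a binary and every shared object ldd resolves for it to its stack marking (RWE or ? is suspect)."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    paths = [binary] + [w for line in out.splitlines() for w in line.split() if w.startswith("/")]
    result = {}
    for path in paths:
        with open(path, "rb") as f:
            result[path] = stack_marking(f.read())
    return result

def make_elf64(stack_flags):
    """Constructed minimal ELF64 image (no code) carrying only a PT_GNU_STACK header."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
```

Running scan_with_libs("/usr/bin/nspluginscan") on the affected machine would list each library next to RW or RWE, which is the check comment 7 is asking for.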

Comment 8 Kevin Kofler 2008-04-07 14:50:14 UTC
Any news on this one?

Comment 9 Antonio A. Olivares 2008-04-08 14:18:37 UTC
It seems to be working now.  No more selinux problems with nspluginwrapper.  I
will let you know if something pops up.