Bug 389981 - non exec stack nspluginwrapper and nspviewer.bin error
non exec stack nspluginwrapper and nspviewer.bin error
Status: CLOSED DUPLICATE of bug 388691
Product: Fedora
Classification: Fedora
Component: nspluginwrapper (Show other bugs)
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Martin Stransky
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-11-19 01:05 EST by Peter Harmsen
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-19 12:40:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
npviewer.bin-bugreport.txt (219.02 KB, text/plain)
2007-11-19 01:05 EST, Peter Harmsen
no flags Details

  None (edit)
Description Peter Harmsen 2007-11-19 01:05:44 EST
Description of problem:
SELinux is preventing /usr/lib/nspluginwrapper/plugin-config from making the
    program stack executable.

npviewer-bin error

Version-Release number of selected component (if applicable):

How reproducible:
Uncheck all SELinux memory protection boolean bypasses

Steps to Reproduce:
1.uncheck all selinux boolean memory protections
Actual results:

Expected results:

Additional info:

    SELinux is preventing /usr/lib/nspluginwrapper/plugin-config from making the
    program stack executable.

Detailed Description
    The /usr/lib/nspluginwrapper/plugin-config application attempted to make its
    stack executable.  This is a potential security problem.  This should never
    ever be necessary. Stack memory is not executable on most OSes these days
    and this will not change. Executable stack memory is one of the biggest
    security problems. An execstack error might in fact be most likely raised by
    malicious code. Applications are sometimes coded incorrectly and request
    this permission.  The http://people.redhat.com/drepper/selinux-mem.html web
    page explains how to remove this requirement.  If /usr/lib/nspluginwrapper
    /plugin-config does not work and you need it to work, you can configure
    SELinux temporarily to allow this access until the application is fixed.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag, if you
    find a library with this flag you can clear it with the execstack -c
    LIBRARY_PATH.  Then retry your application.  If the app continues to not
    work, you can turn the flag back on with execstack -s LIBRARY_PATH.
    Otherwise, if you trust /usr/lib/nspluginwrapper/plugin-config to run
    correctly, you can change the context of the executable to
    unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
    /usr/lib/nspluginwrapper/plugin-config" You must also change the default
    file context files on the system in order to preserve them even on a full
    relabel.  "semanage fcontext -a -t unconfined_execmem_exec_t

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /usr/lib/nspluginwrapper/plugin-config

Additional Information        

Source Context                system_u:system_r:unconfined_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                None [ process ]
Affected RPM Packages         nspluginwrapper- [application]
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain #1
                              SMP Thu Nov 8 21:33:13 EST 2007 i686 athlon
Alert Count                   105
First Seen                    Sat 17 Nov 2007 09:13:07 AM CET
Last Seen                     Mon 19 Nov 2007 06:49:16 AM CET
Local ID                      75ead45e-9269-4b29-a53c-95c58e5c4274
Line Numbers                  

Raw Audit Messages            

avc: denied { execstack } for comm=plugin-config egid=500 euid=0
exe=/usr/lib/nspluginwrapper/plugin-config exit=-13 fsgid=500 fsuid=0 gid=500
items=0 pid=2759 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=0 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500
Comment 1 Peter Harmsen 2007-11-19 01:05:44 EST
Created attachment 263261 [details]
Comment 2 Christopher Aillon 2007-11-19 12:40:09 EST

*** This bug has been marked as a duplicate of 388691 ***

Note You need to log in before you can comment on or make changes to this bug.