Bug 389981 - non exec stack nspluginwrapper and nspviewer.bin error
Summary: non exec stack nspluginwrapper and nspviewer.bin error
Keywords:
Status: CLOSED DUPLICATE of bug 388691
Alias: None
Product: Fedora
Classification: Fedora
Component: nspluginwrapper
Version: 8
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-19 06:05 UTC by Peter Harmsen
Modified: 2007-11-30 22:12 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-11-19 17:40:09 UTC
Type: ---
Embargoed:


Attachments
npviewer.bin-bugreport.txt (219.02 KB, text/plain)
2007-11-19 06:05 UTC, Peter Harmsen

Description Peter Harmsen 2007-11-19 06:05:44 UTC
Description of problem:
SELinux is preventing /usr/lib/nspluginwrapper/plugin-config from making the
    program stack executable.
 and

npviewer-bin error

Version-Release number of selected component (if applicable):


How reproducible:
Uncheck all SELinux memory protection boolean bypasses

Steps to Reproduce:
1. Uncheck all SELinux boolean memory protections
2.
3.
  
Actual results:


Expected results:


Additional info:

Summary
    SELinux is preventing /usr/lib/nspluginwrapper/plugin-config from making the
    program stack executable.

Detailed Description
    The /usr/lib/nspluginwrapper/plugin-config application attempted to make its
    stack executable.  This is a potential security problem.  This should never
    ever be necessary. Stack memory is not executable on most OSes these days
    and this will not change. Executable stack memory is one of the biggest
    security problems. An execstack error might in fact be most likely raised by
    malicious code. Applications are sometimes coded incorrectly and request
    this permission.  The http://people.redhat.com/drepper/selinux-mem.html web
    page explains how to remove this requirement.  If /usr/lib/nspluginwrapper
    /plugin-config does not work and you need it to work, you can configure
    SELinux temporarily to allow this access until the application is fixed.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag, if you
    find a library with this flag you can clear it with the execstack -c
    LIBRARY_PATH.  Then retry your application.  If the app continues to not
    work, you can turn the flag back on with execstack -s LIBRARY_PATH.
    Otherwise, if you trust /usr/lib/nspluginwrapper/plugin-config to run
    correctly, you can change the context of the executable to
    unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
    /usr/lib/nspluginwrapper/plugin-config" You must also change the default
    file context files on the system in order to preserve them even on a full
    relabel.  "semanage fcontext -a -t unconfined_execmem_exec_t
    /usr/lib/nspluginwrapper/plugin-config"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /usr/lib/nspluginwrapper/plugin-config

Additional Information        

Source Context                system_u:system_r:unconfined_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                None [ process ]
Affected RPM Packages         nspluginwrapper-0.9.91.5-12.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.1-49.fc8PAE #1
                              SMP Thu Nov 8 21:33:13 EST 2007 i686 athlon
Alert Count                   105
First Seen                    Sat 17 Nov 2007 09:13:07 AM CET
Last Seen                     Mon 19 Nov 2007 06:49:16 AM CET
Local ID                      75ead45e-9269-4b29-a53c-95c58e5c4274
Line Numbers                  

Raw Audit Messages            

avc: denied { execstack } for comm=plugin-config egid=500 euid=0
exe=/usr/lib/nspluginwrapper/plugin-config exit=-13 fsgid=500 fsuid=0 gid=500
items=0 pid=2759 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=0 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

Comment 1 Peter Harmsen 2007-11-19 06:05:44 UTC
Created attachment 263261
npviewer.bin-bugreport.txt

Comment 2 Christopher Aillon 2007-11-19 17:40:09 UTC

*** This bug has been marked as a duplicate of 388691 ***

