Bug 431708 - SELinux is preventing nspluginscan from making the program stack executable.
Product: Fedora
Classification: Fedora
Component: kdebase
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Ngo Than
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-06 11:34 EST by Antonio A. Olivares
Modified: 2008-04-08 10:40 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-08 10:40:35 EDT

Description Antonio A. Olivares 2008-02-06 11:34:41 EST
Description of problem:

 SELinux is preventing nspluginscan from making the program stack executable.

 Detailed Description:
 The nspluginscan application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection web page explains how to remove this requirement. If nspluginscan does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

 Allowing Access:
 Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust nspluginscan to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t '/usr/bin/nspluginscan'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t

 The following command will allow this access:
 chcon -t unconfined_execmem_exec_t

 Additional Information:
 Source Context               
 Target Context               
 Target Objects                None [ process ]
 Source                        nspluginscan
 Source Path                   /usr/bin/nspluginscan
 Port                          <Unknown>
 Host                          localhost.localdomain
 Source RPM Packages           kdebase-4.0.1-3.fc9
 Target RPM Packages           
 Policy RPM                   
 Selinux Enabled               True
 Policy Type                   targeted
 MLS Enabled                   True
 Enforcing Mode                Enforcing
 Plugin Name                   allow_execstack
 Host Name                     localhost.localdomain
 Platform                      Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP Mon Feb 4 19:02:27 EST 2008 i686 i686
 Alert Count                   2
 First Seen                    Tue 05 Feb 2008 07:13:02
 Last Seen                     Tue 05 Feb 2008 07:41:42
 Local ID                     
 Line Numbers                  
 Raw Audit Messages            
 host=localhost.localdomain type=AVC msg=audit(1202262102.930:20): avc:  denied  { execstack } for  pid=2866 comm="nspluginscan"
 host=localhost.localdomain type=SYSCALL msg=audit(1202262102.930:20): arch=40000003 syscall=125 success=no exit=-13 a0=bfce4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="nspluginscan" exe="/usr/bin/nspluginscan"

Version-Release number of selected component (if applicable):

I cannot find nspluginscan, so I went with nspluginwrapper 

How reproducible:
Upon starting up machine, the setroubleshoot kicks in and displays this when
using KDE.  On the other machine that uses gnome, it does not happen.  

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Upon Request.
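
Added example, not part of the original report: a decoder for the SYSCALL audit record quoted above, showing that the denied call is an `mprotect` asking for read, write and execute on a grows-down mapping. The syscall table is deliberately limited to the one i386 number that appears in this record; the function names are illustrative.

```python
import errno
import re

# arch=40000003 is AUDIT_ARCH_I386; only the syscall seen in this report is mapped.
I386_SYSCALLS = {125: "mprotect"}
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]

# The SYSCALL record from the report, re-joined onto one line.
RECORD = ('host=localhost.localdomain type=SYSCALL msg=audit(1202262102.930:20): '
          'arch=40000003 syscall=125 success=no exit=-13 a0=bfce4000 a1=1000 '
          'a2=1000007 a3=fffff000 items=0 ppid=2855 pid=2866 auid=500 uid=500 '
          'gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
          'tty=(none) comm="nspluginscan" exe="/usr/bin/nspluginscan"')

def decode(record):
    """Turn one i386 SYSCALL audit record into named mprotect arguments."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    if f.get("type") != "SYSCALL" or f.get("arch") != "40000003":
        raise ValueError("expected an i386 SYSCALL record")
    prot = int(f["a2"], 16)                      # a0..a3 are logged in hex
    known = sum(bit for bit, _ in PROT_BITS)
    names = [name for bit, name in PROT_BITS if prot & bit]
    if prot & ~known:
        names.append(hex(prot & ~known))         # keep any bit we cannot name
    exit_code = int(f["exit"])
    return {
        "syscall": I386_SYSCALLS.get(int(f["syscall"]), "syscall#" + f["syscall"]),
        "addr": int(f["a0"], 16),
        "length": int(f["a1"], 16),
        "prot": names,
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "exe": f["exe"].strip('"'),
    }

def is_execstack_request(d):
    # PROT_EXEC combined with PROT_GROWSDOWN targets a mapping that grows
    # downward, which is how a request to make the stack executable looks.
    return d["syscall"] == "mprotect" and {"PROT_EXEC", "PROT_GROWSDOWN"} <= set(d["prot"])

if __name__ == "__main__":
    d = decode(RECORD)
    print(d, "execstack request:", is_execstack_request(d))
```
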
Comment 1 Antonio A. Olivares 2008-02-06 11:56:25 EST
Sorry, but searching through Google, there is no nspluginscan package but there
might be a konqueror-nspluginscan, but it is not in bugzilla either :(

Comment 2 Antonio A. Olivares 2008-02-06 11:57:19 EST
Ahh, it should be filed against 




Comment 3 Martin Stransky 2008-02-19 12:18:54 EST
moving to kdebase.
Comment 4 Rex Dieter 2008-02-19 12:24:19 EST
dup of bug #428036 ?
Comment 5 Rex Dieter 2008-02-19 12:25:03 EST
Antonio, what arch?  x86_64?
Comment 6 Kevin Kofler 2008-02-19 12:27:17 EST
The "Additional information" from SELinux says i686.
Comment 7 Kevin Kofler 2008-02-19 12:35:54 EST
The stack on nspluginscan itself is marked RW, not RWE, so this must be an 
issue in one of the libraries. Is your qimageblitz up to date?
Comment 8 Kevin Kofler 2008-04-07 10:50:14 EDT
Any news on this one?
Comment 9 Antonio A. Olivares 2008-04-08 10:18:37 EDT
It seems to be working now.  No more selinux problems with nspluginwrapper.  I 
will let you know if something pops up.  
