441253 – nspluginwrapper broken (probably for Flash)

Bug 441253 - nspluginwrapper broken (probably for Flash)

Summary: nspluginwrapper broken (probably for Flash)

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-04-07 12:49 UTC by Nils Philippsen
Modified:	2008-04-08 14:38 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-04-08 02:31:31 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nils Philippsen 2008-04-07 12:49:05 UTC

Description of problem:

I get SELinux access violations when visiting pages with Flash content and the
Adobe Flash plugin wrapped via nspluginwrapper (see bottom for detailed alert).

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-28.fc9.noarch
selinux-policy-targeted-3.3.1-28.fc9.noarch
flash-plugin-9.0.64.0-release.i386
nspluginwrapper-0.9.91.5-26.fc9.x86_64
nspluginwrapper-0.9.91.5-26.fc9.i386

How reproducible:
Reproducible.

Steps to Reproduce:
1. With the Adobe Flash plugin wrapped with nspluginwrapper (64bit system, 32bit
plugin), visit web pages with Flash content.
  
Actual results:
Browser hangs for a few seconds, AVC message as below.

Expected results:
No AVC message, no hang, Flash content displayed.

Additional info:
nils@gibraltar:~> ls -lZ /usr/lib/flash-plugin/libflashplayer.so
/usr/lib/mozilla/plugins/libflashplayer.so
/usr/lib/mozilla/plugins-wrapped/npwrapper.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0
/usr/lib/flash-plugin/libflashplayer.so
lrwxrwxrwx  root root system_u:object_r:lib_t:s0      
/usr/lib/mozilla/plugins/libflashplayer.so ->
/usr/lib/flash-plugin/libflashplayer.so
lrwxrwxrwx  root root system_u:object_r:nsplugin_rw_t:s0
/usr/lib/mozilla/plugins-wrapped/npwrapper.so ->
/usr/lib/nspluginwrapper/npwrapper.so


Summary:

SELinux is preventing npviewer.bin (nsplugin_t) "execstack" to <Unknown>
(nsplugin_t).

Detailed Description:

SELinux denied access requested by npviewer.bin. It is not expected that this
access is required by npviewer.bin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
                              3
Target Objects                None [ process ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          gibraltar
Source RPM Packages           nspluginwrapper-0.9.91.5-26.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gibraltar
Platform                      Linux gibraltar 2.6.25-0.200.rc8.git3.fc9.x86_64
                              #1 SMP Fri Apr 4 23:37:04 EDT 2008 x86_64 x86_64
Alert Count                   16
First Seen                    Mon 07 Apr 2008 02:31:50 PM CEST
Last Seen                     Mon 07 Apr 2008 02:35:11 PM CEST
Local ID                      c7b53631-e12d-4582-9362-0b607750e9d5
Line Numbers                  

Raw Audit Messages            

host=gibraltar type=AVC msg=audit(1207571711.397:37): avc:  denied  { execstack
} for  pid=6159 comm="npviewer.bin"
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=process

host=gibraltar type=SYSCALL msg=audit(1207571711.397:37): arch=40000003
syscall=125 per=8 success=no exit=-13 a0=ffc06000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=3830 pid=6159 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin"
exe="/usr/lib/nspluginwrapper/npviewer.bin"
subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-08 02:31:31 UTC

setsebool -P allow_nsplugin_execmem=1

You need to turn on the allow_nsplugin_execmem boolean.

Comment 2 Nils Philippsen 2008-04-08 08:00:04 UTC

Is that documented in the release notes?

Comment 3 Daniel Walsh 2008-04-08 13:19:56 UTC

Nope.

But there are around 100 booleans, do we need to document each one?

I am turning it on by default for final release.

selinux-policy-3.3.1-30.fc9

Of course this will only effect fresh installs.

Comment 4 Nils Philippsen 2008-04-08 13:47:37 UTC

Perhaps this could rather be addressed in setroubleshoot... How hard would it be
for me to write a plugin for it?

Comment 5 Daniel Walsh 2008-04-08 14:38:54 UTC

Yes there is a plugin for setroubleshoot that is supposed to check for
appropriate booleans and tell the user when one would fix his problem.

I will look to see if it is in Rawhide.

Note You need to log in before you can comment on or make changes to this bug.