Description of problem:
I get SELinux access violations when visiting pages with Flash content and the Adobe Flash plugin wrapped via nspluginwrapper (see bottom for detailed alert).

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-28.fc9.noarch
selinux-policy-targeted-3.3.1-28.fc9.noarch
flash-plugin-9.0.64.0-release.i386
nspluginwrapper-0.9.91.5-26.fc9.x86_64
nspluginwrapper-0.9.91.5-26.fc9.i386

How reproducible:
Reproducible.

Steps to Reproduce:
1. With the Adobe Flash plugin wrapped with nspluginwrapper (64bit system, 32bit plugin), visit web pages with Flash content.

Actual results:
Browser hangs for a few seconds, AVC message as below.

Expected results:
No AVC message, no hang, Flash content displayed.

Additional info:
nils@gibraltar:~> ls -lZ /usr/lib/flash-plugin/libflashplayer.so /usr/lib/mozilla/plugins/libflashplayer.so /usr/lib/mozilla/plugins-wrapped/npwrapper.so
-rwxr-xr-x root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/flash-plugin/libflashplayer.so
lrwxrwxrwx root root system_u:object_r:lib_t:s0 /usr/lib/mozilla/plugins/libflashplayer.so -> /usr/lib/flash-plugin/libflashplayer.so
lrwxrwxrwx root root system_u:object_r:nsplugin_rw_t:s0 /usr/lib/mozilla/plugins-wrapped/npwrapper.so -> /usr/lib/nspluginwrapper/npwrapper.so

Summary:
SELinux is preventing npviewer.bin (nsplugin_t) "execstack" to <Unknown> (nsplugin_t).

Detailed Description:
SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          gibraltar
Source RPM Packages           nspluginwrapper-0.9.91.5-26.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gibraltar
Platform                      Linux gibraltar 2.6.25-0.200.rc8.git3.fc9.x86_64 #1 SMP Fri Apr 4 23:37:04 EDT 2008 x86_64 x86_64
Alert Count                   16
First Seen                    Mon 07 Apr 2008 02:31:50 PM CEST
Last Seen                     Mon 07 Apr 2008 02:35:11 PM CEST
Local ID                      c7b53631-e12d-4582-9362-0b607750e9d5
Line Numbers

Raw Audit Messages
host=gibraltar type=AVC msg=audit(1207571711.397:37): avc: denied { execstack } for pid=6159 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=process
host=gibraltar type=SYSCALL msg=audit(1207571711.397:37): arch=40000003 syscall=125 per=8 success=no exit=-13 a0=ffc06000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3830 pid=6159 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
You need to turn on the allow_nsplugin_execmem boolean:

setsebool -P allow_nsplugin_execmem=1
Is that documented in the release notes?
Nope. But there are around 100 booleans, do we need to document each one? I am turning it on by default for final release: selinux-policy-3.3.1-30.fc9. Of course this will only affect fresh installs.
Perhaps this could rather be addressed in setroubleshoot... How hard would it be for me to write a plugin for it?
Yes, there is a plugin for setroubleshoot that is supposed to check for appropriate booleans and tell the user when one would fix his problem. I will look to see if it is in Rawhide.
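The kind of check the last two comments talk about (match the AVC record against a boolean that would allow it) and the fix from the earlier reply (setsebool -P allow_nsplugin_execmem=1), shown as an added, self-contained example. This is not code from this bug thread and not setroubleshoot's own plugin code or plugin API; it is a standalone Python script. It pairs the two raw audit records from the report (embedded here as constructed sample input) by their audit event id, decodes the SYSCALL record (arch 40000003 is AUDIT_ARCH_I386, syscall 125 on i386 is mprotect, exit -13 is EACCES, a2=1000007 is the prot argument) so one can see that the denial is a request to make a stack page executable, and then looks up the boolean. The boolean table contains only the mapping given in the thread; the arch/syscall tables cover only i386 and x86_64 mmap/mprotect. Both are assumptions for any other denial and would need extending.

```python
"""Decode an SELinux AVC denial plus its paired SYSCALL record and name the
boolean that would allow it.  Added illustration for this bug thread; not
setroubleshoot's plugin code and not tied to its plugin API."""
import errno
import re
from datetime import datetime, timezone

# Constructed sample input: the two raw audit records quoted in the report,
# one per line (setroubleshoot prefixes each with host=...).
SAMPLE = (
    'host=gibraltar type=AVC msg=audit(1207571711.397:37): avc: denied { execstack } '
    'for pid=6159 comm="npviewer.bin" '
    'scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=process\n'
    'host=gibraltar type=SYSCALL msg=audit(1207571711.397:37): arch=40000003 '
    'syscall=125 per=8 success=no exit=-13 a0=ffc06000 a1=1000 a2=1000007 '
    'a3=fffff000 items=0 ppid=3830 pid=6159 auid=500 uid=500 gid=500 euid=500 '
    'suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 '
    'comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" '
    'subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)\n'
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value tokens
PERM_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')  # avc: denied { perm ... }
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # (timestamp, serial)

# Audit arch ids: EM_* value plus 0x40000000 (little-endian) and 0x80000000 (64-bit).
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}
# Only the memory-mapping syscalls relevant to exec* denials (assumption: extend as needed).
SYSCALL_NAMES = {
    0x40000003: {90: "mmap", 125: "mprotect", 192: "mmap2"},
    0xC000003E: {9: "mmap", 10: "mprotect"},
}
PROT_FLAGS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
              (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]
# (source type, object class, permission) -> boolean.  Only the mapping this
# thread gives; illustrative, not the policy's full boolean list (assumption).
BOOLEAN_HINTS = {
    ("nsplugin_t", "process", "execstack"): "allow_nsplugin_execmem",
    ("nsplugin_t", "process", "execmem"): "allow_nsplugin_execmem",
}


def decode_prot(value):
    """Render an mmap/mprotect prot argument as symbolic flags."""
    names = [name for bit, name in PROT_FLAGS if value & bit]
    leftover = value & ~sum(bit for bit, _ in PROT_FLAGS)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "PROT_NONE"


def parse_record(line):
    """One audit record -> dict of fields, plus event id and AVC permissions."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev = EVENT_RE.search(line)
    if ev:
        rec["timestamp"], rec["event_id"] = float(ev.group(1)), ev.group(2)
    perms = PERM_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def suggest_booleans(source_type, tclass, perms):
    """Booleans from BOOLEAN_HINTS that cover every denied permission we know about."""
    return sorted({BOOLEAN_HINTS[(source_type, tclass, p)] for p in perms
                   if (source_type, tclass, p) in BOOLEAN_HINTS})


def analyze_event(records):
    """Combine the AVC and SYSCALL records of one audit event into a summary."""
    avc = next(r for r in records if r.get("type") == "AVC")
    sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
    result = {
        "when": datetime.fromtimestamp(avc["timestamp"], tz=timezone.utc).isoformat(),
        "comm": avc.get("comm"),
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
    }
    if sc:
        arch, nr = int(sc["arch"], 16), int(sc["syscall"])
        result["arch"] = ARCH_NAMES.get(arch, hex(arch))
        result["syscall"] = SYSCALL_NAMES.get(arch, {}).get(nr, f"#{nr}")
        code = -int(sc["exit"])                      # exit=-13 -> EACCES
        result["errno"] = errno.errorcode.get(code, str(code))
        if result["syscall"] in ("mmap", "mmap2", "mprotect"):
            # a0=addr a1=len a2=prot for all three calls
            result["region"] = f"0x{int(sc['a0'], 16):x}+0x{int(sc['a1'], 16):x}"
            result["prot"] = decode_prot(int(sc["a2"], 16))
    result["booleans"] = suggest_booleans(result["source_type"], result["tclass"], result["perms"])
    return result


def analyze_log(text):
    """Group records by event id and summarize every event that has an AVC record."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("event_id"), []).append(rec)
    return [analyze_event(recs) for recs in events.values()
            if any(r.get("type") == "AVC" for r in recs)]


def fix_commands(result):
    """The setsebool invocations that would allow the denial (form used in the reply above)."""
    return [f"setsebool -P {b}=1" for b in result["booleans"]]


if __name__ == "__main__":
    for r in analyze_log(SAMPLE):
        print(f"{r['when']} {r['comm']} ({r['source_type']}) denied {' '.join(r['perms'])} "
              f"on {r['tclass']}: {r.get('syscall')}({r.get('region')}, {r.get('prot')}) "
              f"-> {r.get('errno')}")
        for cmd in fix_commands(r):
            print("  fix:", cmd)
```

On the report's records this prints one line identifying an i386 mprotect of the 4 KiB page at 0xffc06000 with PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN (the executable-stack request behind the execstack denial) refused with EACCES, followed by the setsebool command. Feed it `ausearch -m AVC,SYSCALL --raw` output to run it against a real audit log; anything not in the hint table yields an empty fix list rather than a guess.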