Bug 468416 - SELinux is preventing mixer_applet2 from making the program stack executable.
SELinux is preventing mixer_applet2 from making the program stack executable.
Status: CLOSED DUPLICATE of bug 466014
Product: Fedora
Classification: Fedora
Component: gnome-applets (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ray Strode [halfline]
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-24 12:50 EDT by Matěj Cepl
Modified: 2018-04-11 08:12 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-27 15:53:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-10-24 12:50:38 EDT
Souhrn:

SELinux is preventing mixer_applet2 from making the program stack executable.

Podrobný popis:

The mixer_applet2 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If mixer_applet2 does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Povolení přístupu:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
mixer_applet2 to run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/libexec/mixer_applet2'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t unconfined_execmem_exec_t '/usr/libexec/mixer_applet2'"

Příkaz pro opravu:

chcon -t unconfined_execmem_exec_t '/usr/libexec/mixer_applet2'

Další informace:

Kontext zdroje                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Kontext cíle                 unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Objekty cíle                 None [ process ]
Zdroj                         firefox
Cesta zdroje                  /usr/lib/firefox-3.0.2/firefox
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          gnome-applets-2.24.0.1-4.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-2.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     allow_execstack
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.3-30.rc1.fc10.i686 #1 SMP Mon
                              Oct 20 01:35:32 EDT 2008 i686 i686
Počet upozornění           4
Poprvé viděno               Po 20. říjen 2008, 13:21:41 CEST
Naposledy viděno             Pá 24. říjen 2008, 13:23:33 CEST
Místní ID                   2e104446-bbbc-450e-91d3-dbf98e2b915a
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1224847413.868:93): avc:  denied  { execstack } for  pid=4343 comm="mixer_applet2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=viklef type=SYSCALL msg=audit(1224847413.868:93): arch=40000003 syscall=125 success=no exit=-13 a0=bff28000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4324 pid=4343 auid=505 uid=505 gid=506 euid=505 suid=505 fsuid=505 egid=506 sgid=506 fsgid=506 tty=(none) ses=11 comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 John Poelstra 2008-10-24 20:49:11 EDT
Adding to blocker because "no AVCs" is part of release criteria
Comment 2 Matthias Clasen 2008-10-25 17:07:22 EDT
Likely caused by loading some gstreamer plugins that need execstack.
Comment 3 Daniel Walsh 2008-10-27 15:53:57 EDT
Marking as duplicate, because I believe that updating the fluendo codecs will fix the problem.

*** This bug has been marked as a duplicate of bug 466014 ***

Note You need to log in before you can comment on or make changes to this bug.