Bug 523868 - setroubleshoot: SELinux is preventing /usr/bin/sound-juicer "execstack" access on <Unknown>.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: sound-juicer
Version: 12
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bastien Nocera
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:4253bfd5237...
Depends On:
Blocks:
Reported: 2009-09-16 22:59 UTC by Nicolas Mailhot
Modified: 2010-08-15 15:23 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-15 15:23:42 UTC



Description Nicolas Mailhot 2009-09-16 22:59:43 UTC
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing /usr/bin/sound-juicer "execstack" access on <Unknown>.

Description détaillée:

SELinux denied access requested by sound-juicer. The current boolean settings do
not allow this access. If you have not setup sound-juicer to require this access
this may signal an intrusion attempt. If you do intend this access you need to
change the booleans on this system to allow the access.

Autoriser l'accès:

Confined processes can be configured to run requiring different access, SELinux
provides booleans to allow you to turn on/off access as needed. The boolean
allow_execstack is set incorrectly.
Boolean Description:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")


Commande de correction:

# setsebool -P allow_execstack 1

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contexte cible                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Objets du contexte            None [ process ]
source                        totem
Chemin de la source           /usr/bin/totem
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         sound-juicer-2.26.1-5.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.32-1.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 catchall_boolean
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-17.fc12.x86_64 #1 SMP Wed
                              Sep 16 00:52:52 EDT 2009 x86_64 x86_64
Compteur d'alertes            89
Première alerte              jeu. 17 sept. 2009 00:39:23 CEST
Dernière alerte              jeu. 17 sept. 2009 00:44:09 CEST
ID local                      f5597003-5ca8-4504-b769-f19de4fe5d91
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1253141049.265:334): avc:  denied  { execstack } for  pid=3408 comm="sound-juicer" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1253141049.265:334): arch=c000003e syscall=10 success=no exit=-13 a0=7fff23f68000 a1=1000 a2=1000007 a3=7f9c91c27af9 items=0 ppid=1 pid=3408 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="sound-juicer" exe="/usr/bin/sound-juicer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execstack;

Comment 1 Nicolas Mailhot 2009-09-16 23:00:39 UTC
while playing a simple cd

Comment 2 Daniel Walsh 2009-09-17 17:50:56 UTC
Sound Juicer should not require execstack.

Nicolas, you can turn on the boolean to listen to the cd.

Comment 3 Bastien Nocera 2009-09-17 18:00:26 UTC
Why does it say "totem" at one point and "sound-juicer" for the other?

In any case, this is likely due to 3rd party plugins. Remove your gstreamer plugins from /usr/lib*/gstreamer-0.10 one-by-one to see which one is causing problems.

I'd start by removing gstreamer-ffmpeg and the -bad and -ugly variants, and see if you can reproduce the problem.

Comment 4 Daniel Walsh 2009-09-17 20:12:31 UTC
totem versus sound-juicer looks like a bug in setroubleshoot.  The avc is about sound-juicer.
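
Added example, not part of the original bug thread: pairing the AVC and SYSCALL records from the report and decoding the system call shows which program made the request and what it asked for. The record strings are trimmed copies of the two quoted audit lines, and the function names are hypothetical.

```python
import re

# Constructed by trimming the two raw audit records quoted in the report
# (fields not needed for the decode are left out).
AVC = ('type=AVC msg=audit(1253141049.265:334): avc:  denied  { execstack } '
       'for  pid=3408 comm="sound-juicer" tclass=process')
SYSCALL = ('type=SYSCALL msg=audit(1253141049.265:334): arch=c000003e '
           'syscall=10 success=no exit=-13 a0=7fff23f68000 a1=1000 '
           'a2=1000007 pid=3408 comm="sound-juicer" exe="/usr/bin/sound-juicer"')

# x86_64 values from the Linux UAPI headers.
AUDIT_ARCH_X86_64 = 0xC000003E
SYS_MPROTECT = 10
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
              0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}

def parse_record(line):
    """Return one audit record as a dict: event id, denied perms, key=value fields."""
    rec = {}
    m = re.search(r"msg=audit\(([\d.]+:\d+)\)", line)
    rec["event"] = m.group(1) if m else None
    perms = re.search(r"\{ ([^}]*) \}", line)
    rec["perms"] = perms.group(1).split() if perms else []
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        rec[key] = quoted or bare
    return rec

def explain_execstack(avc_line, syscall_line):
    """Pair an execstack AVC with its SYSCALL record and decode the mprotect() call."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event"] != sc["event"] or "execstack" not in avc["perms"]:
        raise ValueError("records do not describe one execstack event")
    if int(sc["arch"], 16) != AUDIT_ARCH_X86_64 or int(sc["syscall"]) != SYS_MPROTECT:
        raise ValueError("only x86_64 mprotect() is decoded here")
    prot = int(sc["a2"], 16)  # audit prints a0..a3 in hexadecimal
    names = [name for bit, name in sorted(PROT_FLAGS.items()) if prot & bit]
    return {"exe": sc["exe"], "comm": avc["comm"],
            "addr": int(sc["a0"], 16), "length": int(sc["a1"], 16),
            "prot": names, "errno": -int(sc["exit"])}

if __name__ == "__main__":
    print(explain_execstack(AVC, SYSCALL))
```

The decoded call is an mprotect() from /usr/bin/sound-juicer asking for read, write and execute with PROT_GROWSDOWN on one page, refused with EACCES. glibc issues a request of this shape when a newly loaded shared object is marked as needing an executable stack, which fits the plugin theory in comment 3.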

Comment 5 Bug Zapper 2009-11-16 12:31:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 7 Nicolas Mailhot 2010-08-15 15:23:42 UTC
Haven't seen those for a long time

