Description of problem:

Summary:

SELinux is preventing skype "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by skype. The current boolean settings do not allow this access. If you have not setup skype to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        skype
Source Path                   skype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.8.3-4.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.34-40.fc14.i686.PAE #1 SMP Wed Jun 16 15:15:36 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 17 Jun 2010 07:02:23 PM MSD
Last Seen                     Thu 17 Jun 2010 07:02:23 PM MSD
Local ID                      9f04bb59-bf65-4b7f-bd36-47e0c034e04f
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1276786943.735:13823): avc: denied { execmem } for pid=1297 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1276786943.735:13823): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=1f5af48 a1=bff27730 a2=1f5fad0 a3=9dcc80 items=0 ppid=1 pid=1297 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.8.3-4.fc14

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Where did you install the skype tool?

chcon -t execmem_exec_t PATHTO/skype

Will allow the access.

setsebool -P allow_execmem 1

Will turn off the check.

The mapping for the current path is

/usr/bin/skype -- system_u:object_r:execmem_exec_t:s0

restorecon /usr/bin/skype

will fix the label if that is where you stored it.
Thanks for the answer. Actually, Sir, I have not chosen where to install it, rpm did it. And it is:

$ whereis skype
skype: /usr/bin/skype /usr/share/skype

And skype always worked before.
Did you run restorecon on it?

restorecon -R -v /usr/bin/skype
ls -lZ /usr/bin/skype
Thanks for the answer. I want to say that skype was installed at the same time as rawhide was, and it worked with selinux-policy-3.6.32-78 - selinux-policy-3.8.1-5. It stopped working on 3.8.3-1 or 3.8.3-4, because I checked it only after the 3.8.3-4 update.

Output:

# ls -lZ /usr/bin/skype
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype

Shall I do

restorecon -R -v /usr/bin/skype

then? Thanks.
No that is the correct label. Does it work now?
No, it doesn't work. That is why I wrote here.
I updated today. Now:

Jun 23 11:34:23 Updated: selinux-policy-3.8.5-1.fc14.noarch
Jun 23 11:36:20 Updated: selinux-policy-targeted-3.8.5-1.fc14.noarch

Result the same.

# ls -lZ /usr/bin/skype
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype
$ skype
Killed

Summary:

SELinux is preventing skype "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by skype. The current boolean settings do not allow this access. If you have not setup skype to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        skype
Source Path                   skype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.8.5-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.34-45.fc14.i686.PAE #1 SMP Mon Jun 21 21:27:49 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 23 Jun 2010 12:11:31 AM MSD
Last Seen                     Wed 23 Jun 2010 11:45:01 AM MSD
Local ID                      fb4d235b-1fcb-41d5-93b7-b7ce040b05c6
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1277279101.218:13658): avc: denied { execmem } for pid=1388 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1277279101.218:13658): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=85d29b0 a1=85da9a8 a2=85d3a80 a3=85da9a8 items=0 ppid=1305 pid=1388 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Either you are not executing the skype you think you are, or there is something very strange on your machine.

which skype
I executed:

setsebool -P allow_execstack 1

And now skype works. Thanks.
I was too quick. "setsebool -P allow_execstack 1" works well, but it is application independent. Skype starts to work, but Firefox as well. I do not like that kind of protection. So I turned it back. Skype doesn't work now, as well as some firefox plugins. What about my skype - I got it from the skype web site. Skype 2.1.0.81. And I installed it with yum --nogpgcheck. Bug is open, because the problem still exists.
Execute

which skype

Then execute

ls -lZ `which skype`
Thanks for reply.

[root@localhost ~]# which skype
/usr/bin/skype
[root@localhost ~]# ls -lZ `which skype`
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype

I installed skype with rawhide, and it works until the last selinux update.
Sorry, I meant: ... and it worked until the last selinux update.
If it helps you, output of the "strace":

$ strace skype
execve("/usr/bin/skype", ["skype"], [/* 45 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed
# cat > /usr/bin/myskype << _EOF
#!/bin/sh
id -Z
_EOF
# chmod +x /usr/bin/myskype
# chcon -t execmem_exec_t /usr/bin/myskype
# /usr/bin/myskype

What does it output?
The output is:

unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
I tried to reinstall skype, removed it before, but still got the same result - killed and the same selinux deny.
Could you attach the latest avc messages? BTW I just used skype while on vacation for two weeks and it worked fine in confinement.
I am talking about rawhide Fedora 14.

Summary:

SELinux is preventing skype "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by skype. The current boolean settings do not allow this access. If you have not setup skype to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        skype
Source Path                   skype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.8.6-2.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35-0.31.rc4.git4.fc14.i686.PAE #1 SMP Fri Jul 9 01:18:51 UTC 2010 i686 i686
Alert Count                   11
First Seen                    Mon 28 Jun 2010 11:30:39 PM MSD
Last Seen                     Tue 13 Jul 2010 03:06:05 PM MSD
Local ID                      48dcfb61-3147-44f5-9691-5c3a0b5bca7c
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1279019165.534:25): avc: denied { execmem } for pid=1435 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1279019165.534:25): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=9bc08d0 a1=9bc0948 a2=9bbaa80 a3=9bc0948 items=0 ppid=1401 pid=1435 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Thanks
So am I. Could you give me the output of

which skype
ls -lZ `which skype`
Also could you execute

# auditctl -w /etc/shadow -p w

run skype

# ausearch -m avc -ts recent

And attach the avc messages.
As you asked.

$ which skype
/usr/bin/skype
$ ls -lZ `which skype`
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype

time->Tue Jul 13 22:31:36 2010
type=PATH msg=audit(1279045896.962:33): item=1 name=(null) inode=26685 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1279045896.962:33): item=0 name="/usr/bin/skype" inode=59729 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:execmem_exec_t:s0
type=CWD msg=audit(1279045896.962:33): cwd="/home/vas"
type=EXECVE msg=audit(1279045896.962:33): argc=1 a0="skype"
type=SYSCALL msg=audit(1279045896.962:33): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=1d8fbe8 a1=bfbcb000 a2=1d947e0 a3=b48c80 items=2 ppid=1 pid=1537 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1279045896.962:33): avc: denied { execmem } for pid=1537 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

I hope it helps.
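As an added example (not from this bug report or from Fedora's tooling), the Python below parses the raw audit records posted in the comment above, groups them by audit serial, and joins the execmem AVC denial with the SYSCALL and PATH records of the same event. The parsed fields show what the thread is circling around: the binary already carries execmem_exec_t, yet the denial is logged at execve with the source context still unconfined_t, which is a detail that relabeling the file cannot change.

```python
import re
from collections import defaultdict
# Raw audit records copied from the report above (event serial 33, one execve of skype).
SAMPLE = """\
type=PATH msg=audit(1279045896.962:33): item=0 name="/usr/bin/skype" inode=59729 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:execmem_exec_t:s0
type=SYSCALL msg=audit(1279045896.962:33): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=1d8fbe8 a1=bfbcb000 a2=1d947e0 a3=b48c80 items=2 ppid=1 pid=1537 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1279045896.962:33): avc: denied { execmem } for pid=1537 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""
REC_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # value forms: "quoted", (null), bare

def type_of(context):
    return context.split(':')[2]  # user:role:type:range

def parse_records(text):
    """Group records by audit serial: {serial: [(record_type, {field: value}), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m: continue
        rtype, _ts, serial, body = m.groups()
        fields = {}
        if rtype == 'AVC':  # the "avc: denied { perms } for" prefix is not key=value
            a = AVC_RE.search(body)
            fields['result'], fields['perms'] = a.group(1), a.group(2).split()
            body = a.group(3)
        fields.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
        events[int(serial)].append((rtype, fields))
    return events

def execmem_denials(events):
    """Join each execmem AVC denial with the SYSCALL and item=0 PATH records of its event."""
    out = []
    for serial, recs in sorted(events.items()):
        single = {t: f for t, f in recs if t != 'PATH'}
        avc = single.get('AVC')
        if not avc or avc['result'] != 'denied' or 'execmem' not in avc['perms']:
            continue
        sc = single.get('SYSCALL', {})
        exe = next((f for t, f in recs if t == 'PATH' and f.get('item') == '0'), {})
        out.append({
            'serial': serial, 'comm': avc['comm'], 'pid': int(avc['pid']),
            'source_type': type_of(avc['scontext']), 'tclass': avc['tclass'],
            # arch 40000003 is AUDIT_ARCH_I386, where syscall 11 is execve: the check fired during exec
            'at_execve': sc.get('arch') == '40000003' and sc.get('syscall') == '11',
            'exit': int(sc['exit']) if 'exit' in sc else None,  # -13 is -EACCES
            'exe_path': exe.get('name'), 'exe_type': type_of(exe['obj']) if 'obj' in exe else None,
        })
    return out
```

Running `execmem_denials(parse_records(SAMPLE))` on the records above yields one event whose source type is unconfined_t, whose target file type is execmem_exec_t, and whose at_execve flag is set.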
Finally some synapses fired in my brain about this and I remember this being talked about years ago. http://www.nsa.gov/research/selinux/list-archive/0708/22072.shtml
Looks like I had allow_execstack turned on which is why skype was working for me. Sorry about that.

runcon -t unconfined_execmem_t -- bash -c "/usr/bin/skype"

Would work, or create a shell script in your homedir named skype, that executes /usr/bin/skype and label it execmem_exec_t.

mkdir ~/bin
cat > ~/bin/skype << _EOF
#!/bin/sh
/usr/bin/skype $*
_EOF
chmod +x ~/bin/skype
chcon -t execmem_exec_t ~/bin/skype
~/bin/skype

If you add ~/bin to your path skype should work.
skype is the only app that I have seen this happen to.
Thanks, you have a good memory, the conversation was in 2007. I prefer "runcon", it is easy and doesn't change anything. But what about others, when rawhide becomes Fedora 14, what will be the solution? Second, you probably know about the same problem with firefox?

Summary

SELinux is preventing firefox from making its memory writable and executable.

Detailed Description

The firefox application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Firefox is probably not the problem here, but one of its plugins. You could remove the plugin and the app would no longer require the access. If you figure out which plugin is causing the access request, please open a bug report on the plugin.

I tried to start firefox like skype:

runcon -t unconfined_execmem_t -- bash -c "/usr/bin/firefox"

And it works of course. Can it be the same problem?

Thanks for the solution. This bug I think now can be closed.