Description of problem:
SELinux Alert Browser here complains about "execstack" access problems with various applications. For each of the alerts it says (here for "totem"):

| SELinux is preventing /usr/bin/totem-video-thumbnailer from
| using the execstack access on a process.
|
| Plugin: catchall
| you want to allow totem-video-thumbnailer to have execstack access
| on the Unknown process
| If you believe that totem-video-thumbnailer
| should be allowed execstack access on processes labeled unconfined_t
| by default.
| You should report this as a bug.
| You can generate a local policy module to allow this access.
| Allow this access for now by executing:
| # grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log | audit2allow -M mypol
| # semodule -i mypol.pp

The command at the bottom gives:

# grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te

# cat mypol.te
module mypol 1.0;

# grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log
type=SYSCALL msg=audit(1293622859.590:33915): arch=40000003 syscall=125 success=no exit=-13 a0=bfb9b000 a1=1000 a2=1000007 a3=b64fcf1c items=0 ppid=2280 pid=4759 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="flvdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1293623043.703:33916): arch=40000003 syscall=125 success=no exit=-13 a0=bfeda000 a1=1000 a2=1000007 a3=b63fcc1c items=0 ppid=2280 pid=4950 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qtdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1293623073.680:33917): arch=40000003 syscall=125 success=no exit=-13 a0=bf8ba000 a1=1000 a2=1000007 a3=b64fcc1c items=0 ppid=2280 pid=4978 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qtdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1293623103.728:33918): arch=40000003 syscall=125 success=no exit=-13 a0=bf826000 a1=1000 a2=1000007 a3=b64fcc1c items=0 ppid=2280 pid=4992 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qtdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
---------------------------

Version-Release number of selected component (if applicable):
$ rpm -qf $(which sealert)
setroubleshoot-server-3.0.15-1.fc14.i686

How reproducible:
Always
Every suggestion from 'sealert' that I have attempted has failed, for example (note that the underlying problem with 'cachemgr.cgi' has been raised as a separate bug report):

# sealert -l 3c1a7e4a-f196-40da-9cf0-7a57f541f5da
SELinux is preventing /var/www/cgi-bin/cachemgr.cgi from search access on the directory /etc/squid.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that cachemgr.cgi should be allowed search access on the squid directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /var/www/cgi-bin/cachemgr.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

# grep /var/www/cgi-bin/cachemgr.cgi /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te
#
I have just had the same problem. I tried to make a security policy to allow sendmail on port 26 in the past, but it has not worked. Today there was an update of many files by yum, and then I found a similar suggestion:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

But following the command failed:

[root@PC146 ~]# grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te
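In all three reports above the grep on the executable path returns only type=SYSCALL records; the type=AVC record that audit2allow parses carries comm=, scontext= and tcontext= but not exe=, so the pipeline hands audit2allow no denial and it emits an empty module that checkmodule rejects. The following is an added illustration, not code from the report or from setroubleshoot: it runs the same grep over a constructed audit log (SYSCALL lines abbreviated from the ones in the description, AVC lines written in the usual denial format) and then recovers the AVC records by correlating on the audit(timestamp:serial) event id that both records of one event share.

```sh
#!/bin/sh
# Added example, not from the bug report or setroubleshoot. A grep on the exe
# path matches SYSCALL records only; the AVC record of the same event has the
# same "audit(timestamp:serial)" id, which is enough to find it.

# Constructed log: SYSCALL lines abbreviated from the report, AVC lines
# written in the usual denial format (values are constructed samples).
AUDIT_LOG="${TMPDIR:-/tmp}/constructed-audit.log"
cat > "$AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1293622859.590:33915): avc:  denied  { execstack } for  pid=4759 comm="flvdemux0:sink" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1293622859.590:33915): arch=40000003 syscall=125 success=no exit=-13 pid=4759 comm="flvdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=AVC msg=audit(1293623043.703:33916): avc:  denied  { execstack } for  pid=4950 comm="qtdemux0:sink" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1293623043.703:33916): arch=40000003 syscall=125 success=no exit=-13 pid=4950 comm="qtdemux0:sink" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=AVC msg=audit(1293623200.000:33990): avc:  denied  { name_connect } for  pid=5100 comm="sendmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1293623200.000:33990): arch=40000003 syscall=102 success=no exit=-13 pid=5100 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0
EOF

# What the sealert-suggested pipeline hands to audit2allow: the number of
# AVC records among the lines a grep on the executable path returns.
avc_lines_from_exe_grep() {   # $1 = log file, $2 = executable path
    grep -F "$2" "$1" | grep -c '^type=AVC' || true
}

# Every record of every event whose SYSCALL line names the executable,
# i.e. the AVC+SYSCALL pairs audit2allow expects on its input.
records_for_exe() {           # $1 = log file, $2 = executable path
    ids=$(grep -F "exe=\"$2\"" "$1" |
          sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p' | sort -u)
    [ -n "$ids" ] || return 1
    for id in $ids; do
        grep -F "msg=audit($id)" "$1"
    done
}

# Number of denials actually attributable to the executable.
avc_count_for_exe() {         # $1 = log file, $2 = executable path
    records_for_exe "$1" "$2" | grep -c '^type=AVC' || true
}
```

With the constructed log, avc_lines_from_exe_grep reports 0 for the thumbnailer while avc_count_for_exe reports 2, which is the difference between an empty mypol.te and one that contains the denied permission to review.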
[clearing NEEDINFO state set by mistake]
*** This bug has been marked as a duplicate of bug 665505 ***