Bug 666485 - SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from using the 'execstack' accesses on a process.
Summary: SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from usi...
Keywords:
Status: CLOSED DUPLICATE of bug 652297
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:566acc26233...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-31 02:58 UTC by Basil Mohamed Gohar
Modified: 2011-02-05 18:57 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-03 14:21:12 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Basil Mohamed Gohar 2010-12-31 02:58:41 UTC
SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from using the 'execstack' accesses on a process.

*****  Plugin allow_execstack (53.1 confidence) suggests  ********************

If you do not think /usr/libexec/gstreamer-0.10/gst-plugin-scanner should need to map stack memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that gst-plugin-scanner should be allowed execstack access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/libexec/gstreamer-0.10/gst-plugin-scanner /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        gst-plugin-scan
Source Path                   /usr/libexec/gstreamer-0.10/gst-plugin-scanner
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gstreamer-0.10.31-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-19.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-74.fc14.i686 #1 SMP Thu Dec
                              23 16:17:40 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Thu 30 Dec 2010 09:54:24 PM EST
Last Seen                     Thu 30 Dec 2010 09:54:28 PM EST
Local ID                      bc6f93a3-f4ff-4642-ae37-245ffcabb0e2

Raw Audit Messages
type=AVC msg=audit(1293764068.165:53833): avc:  denied  { execstack } for  pid=7799 comm="gst-plugin-scan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

gst-plugin-scan,unconfined_t,unconfined_t,process,execstack
type=SYSCALL msg=audit(1293764068.165:53833): arch=i386 syscall=mprotect success=no exit=EACCES a0=bfcea000 a1=1000 a2=1000007 a3=bfce99b0 items=0 ppid=7797 pid=7799 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=gst-plugin-scan exe=/usr/libexec/gstreamer-0.10/gst-plugin-scanner subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
gst-plugin-scan,unconfined_t,unconfined_t,process,execstack

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

Comment 1 Miroslav Grepl 2011-01-03 14:21:12 UTC

*** This bug has been marked as a duplicate of bug 652297 ***

Comment 2 Rafi Baig 2011-01-14 04:06:43 UTC
I had the same problem - workaround I used was to create a local policy module to allow this access only for gst-plugin-scanner:

# grep gst-plugin-scan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 3 Daniel Walsh 2011-01-14 14:26:10 UTC
Rafi, did you look for the bad libraries?  Removing the execstack from from them might solve your problem.

http://danwalsh.livejournal.com/38736.html

Comment 4 Rafi Baig 2011-01-14 15:31:16 UTC
Hi Dan - thanks for the assist, I did not look for the bad libraries, but I will do now - the workaround I posted has done the trick though

Comment 5 dweb98 2011-01-14 19:01:27 UTC
(In reply to comment #3)
> Rafi, did you look for the bad libraries?  Removing the execstack from from
> them might solve your problem.
> 
> http://danwalsh.livejournal.com/38736.html

Thanks Dan, for the info. I followed your instructions on your Blog and found 9 in mine. Well see how things go now... 

Don


Note You need to log in before you can comment on or make changes to this bug.