Bug 679093 - SELinux is preventing /opt/Adobe AIR/Versions/1.0/Adobe AIR Application Installer from using the 'execstack' accesses on a process.
Summary: SELinux is preventing /opt/Adobe AIR/Versions/1.0/Adobe AIR Application Insta...
Keywords:
Status: CLOSED DUPLICATE of bug 652297
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:d07ad758d30...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-21 15:04 UTC by Alex Ozhegov
Modified: 2011-03-18 18:52 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-21 16:23:11 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Alex Ozhegov 2011-02-21 15:04:55 UTC
SELinux is preventing /opt/Adobe AIR/Versions/1.0/Adobe AIR Application Installer from using the 'execstack' accesses on a process.

*****  Plugin allow_execstack (53.1 confidence) suggests  ********************

If you believe that 
None
should not require execstack
Then you should clear the execstack flag and see if /opt/Adobe AIR/Versions/1.0/Adobe AIR Application Installer works correctly.
Report this as a bug on None.
You can clear the exestack flag by executing:
Do
execstack -c None

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that Adobe AIR Application Installer should be allowed execstack access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep 41646F626520414952204170706C69 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        41646F626520414952204170706C69
Source Path                   /opt/Adobe AIR/Versions/1.0/Adobe AIR Application
                              Installer
Port                          <Неизвестно>
Host                          (removed)
Source RPM Packages           adobeair-2.5.1-17730
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686.PAE #1 SMP
                              Mon Feb 7 06:57:55 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Пнд 21 Фев 2011 17:53:28
Last Seen                     Пнд 21 Фев 2011 17:53:28
Local ID                      f9dd63cd-7e09-4e49-9773-465e47b6ee47

Raw Audit Messages
type=AVC msg=audit(1298300008.137:25394): avc:  denied  { execstack } for  pid=2415 comm=41646F626520414952204170706C69 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1298300008.137:25394): arch=i386 syscall=mprotect success=yes exit=0 a0=bfe90000 a1=1000 a2=1000007 a3=bfe904b4 items=0 ppid=1 pid=2415 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=41646F626520414952204170706C69 exe=2F6F70742F41646F6265204149522F56657273696F6E732F312E302F41646F626520414952204170706C69636174696F6E20496E7374616C6C6572 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: 41646F626520414952204170706C69,unconfined_t,unconfined_t,process,execstack

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

Comment 1 Daniel Walsh 2011-02-21 16:23:11 UTC

*** This bug has been marked as a duplicate of bug 652297 ***


Note You need to log in before you can comment on or make changes to this bug.