Description of problem:

I get this AVC from npviewer.bin when I watch some clips on hulu.com.

SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin from execstack access on the None .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that npviewer.bin should be allowed execstack access on the <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep npviewer.bin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Objects                [ None ]
Source                        npviewer.bin
Source Path                   /usr/lib64/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          tlondon.localhost.org
Source RPM Packages           nspluginwrapper-1.4.4-2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-80.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tlondon.localhost.org
Platform                      Linux tlondon.localhost.org 3.3.0-0.rc1.git3.1.fc17.x86_64 #1 SMP Thu Jan 26 01:48:20 UTC 2012 x86_64 x86_64
Alert Count                   5
First Seen                    Thu 26 Jan 2012 06:46:24 AM PST
Last Seen                     Fri 27 Jan 2012 07:02:16 AM PST
Local ID                      85b61157-196d-4386-b56d-a67d3aee9a67

Raw Audit Messages
type=AVC msg=audit(1327676536.378:65): avc: denied { execstack } for pid=1671 comm="npviewer.bin" scontext=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process

node=tlondon.localhost.org type=SYSCALL msg=audit(1327676536.378:65): arch=c000003e syscall=10 success=no exit=-13 a0=7fff5a9bb000 a1=1000 a2=1000007 a3=3b70820000 items=0 ppid=1589 pid=1671 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="npviewer.bin" exe="/usr/lib64/nspluginwrapper/npviewer.bin" subj=staff_u:staff_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: npviewer.bin,mozilla_plugin_t,mozilla_plugin_t,None,execstack

audit2allow

audit2allow -R

Version-Release number of selected component (if applicable):
nspluginwrapper-1.4.4-2.fc17.x86_64
flash-plugin-11.1.102.55-release

How reproducible:
Every time.... May have to watch several clips.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
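To see what the denied operation actually was, the SYSCALL record paired with the AVC can be decoded; the following is an added example, not part of the original report. On x86_64 (arch=c000003e) syscall 10 is mprotect, a0/a1/a2 are its hex arguments, and exit=-13 is EACCES. The function names and the trimmed sample record are assumptions made for the illustration.

```python
import re

# Constructed sample: the SYSCALL record from the report above, trimmed to the
# fields this decoder reads.
SAMPLE = ('type=SYSCALL msg=audit(1327676536.378:65): arch=c000003e syscall=10 '
          'success=no exit=-13 a0=7fff5a9bb000 a1=1000 a2=1000007 a3=3b70820000 '
          'pid=1671 comm="npviewer.bin"')

AUDIT_ARCH_X86_64 = 0xC000003E
SYS_MPROTECT_X86_64 = 10
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
              0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}

def parse_fields(record):
    """Split an audit record into key=value pairs (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_mprotect(record):
    """Return the decoded mprotect() call, or None if the record is not one."""
    f = parse_fields(record)
    if f.get("type") != "SYSCALL":
        return None
    try:
        # arch and a0..a3 are hexadecimal in audit records; syscall is decimal.
        if (int(f["arch"], 16) != AUDIT_ARCH_X86_64
                or int(f["syscall"]) != SYS_MPROTECT_X86_64):
            return None
        addr, length, prot = (int(f[k], 16) for k in ("a0", "a1", "a2"))
    except (KeyError, ValueError):
        return None
    names = [name for bit, name in PROT_FLAGS.items() if prot & bit]
    unknown = prot & ~sum(PROT_FLAGS)      # bits this table does not name
    if unknown:
        names.append(hex(unknown))
    return {"comm": f.get("comm"), "addr": addr, "len": length,
            "prot": names or ["PROT_NONE"],
            "wx": bool(prot & 0x2 and prot & 0x4),   # writable and executable
            "denied": f.get("exit") == "-13"}        # -13 == -EACCES

if __name__ == "__main__":
    print(decode_mprotect(SAMPLE))
```

For this record the result is a denied mprotect of one 0x1000-byte page at 0x7fff5a9bb000 with PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, i.e. a request to make a stack page writable and executable, which is what the execstack permission gates.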
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Not sure we want to allow flash the execstack... but that's a question for selinux folks.
We now give this access by default.