>> Dear all,
>>
>> Now I know why playing Penalty_Fever caused a problem. The
>> following is clear evidence :(
>>
>>
>> Summary:
>>
>> SELinux is preventing nspluginviewer from changing a writable memory segment
>> executable.
>>
>> Detailed Description:
>>
>> The nspluginviewer application attempted to change the access protection of
>> memory (e.g., allocated using malloc). This is a potential security problem.
>> Applications should not be doing this. Applications are sometimes coded
>> incorrectly and request this permission. The SELinux Memory Protection Tests
>> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
>> remove this requirement. If nspluginviewer does not work and you need it to
>> work, you can configure SELinux temporarily to allow this access until the
>> application is fixed. Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>>
>> Allowing Access:
>>
>> If you trust nspluginviewer to run correctly, you can change the context of the
>> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
>> '/usr/bin/nspluginviewer'". You must also change the default file context files
>> on the system in order to preserve them even on a full relabel. "semanage
>> fcontext -a -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'"
>>
>> Fix Command:
>>
>> chcon -t unconfined_execmem_exec_t '/usr/bin/nspluginviewer'
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
>> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
>> Target Objects                None [ process ]
>> Source                        nspluginviewer
>> Source Path                   /usr/bin/nspluginviewer
>> Port                          <Unknown>
>> Host                          localhost.localdomain
>> Source RPM Packages           kdebase-4.1.0-1.fc10
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.5.1-4.fc10
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   allow_execmem
>> Host Name                     localhost.localdomain
>> Platform                      Linux localhost.localdomain 2.6.26.1 #1 SMP Sat
>>                               Aug 2 21:36:01 CDT 2008 i686 i686
>> Alert Count                   29
>> First Seen                    Sun 03 Aug 2008 12:55:21 PM CDT
>> Last Seen                     Sun 03 Aug 2008 12:55:21 PM CDT
>> Local ID                      865503d3-baab-4dcd-adc0-47f8fff6ade6
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=localhost.localdomain type=AVC msg=audit(1217786121.365:53):
>> avc: denied { execmem } for pid=3262 comm="nspluginviewer"
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=process
>>
>> host=localhost.localdomain type=SYSCALL msg=audit(1217786121.365:53):
>> arch=40000003 syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5
>> a3=bfa32acc items=0 ppid=3222 pid=3262 auid=500 uid=500 gid=500 euid=500
>> suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
>> comm="nspluginviewer" exe="/usr/bin/nspluginviewer"
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>
>>
>> This was an old bug and it returns to bite back :(
>> Is anybody else also encountering this problem?
>>
>> Regards,
>>
>> Antonio
>>
>>
>>
>>
>> --
>
> BTW,
>
> the old bug with nspluginwrapper was here:
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=431708
>
> It was closed. It looks a little bit different, now I
> am not sure if it is related?
>
> Thanks,
>
> Antonio
>
>
>
>
Most likely caused by one of the plugins you are using. You have
multiple choices to fix this, one you could turn on nsplugin confinement

# getsebool -a | grep nsplugin
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> on

You should relabel your homedir if you do.

restorecon -R -v ~

Then restart firefox. This would allow a confined nsplugin to execmem
but not all apps run from unconfined_t. I have been running like this
for a long time and have had few problems, although the more people who
run with this mode the better so we can figure out what firefox plugins
want to do.

I am running konqueror on KDE 4.1 Rawhide. Firefox and Seamonkey are
not reliable and I yum removed 'em. I was playing a flash game and it
was working nicely, but then I got to the next level and CPU went up to
100% and crashed. I can try the suggestions, but I am not sure that
konqueror behaves like firefox with the plugins.

You can not run the offending plugin.
You can ignore the error if it does not seem to cause the problem.
You can turn on allow_execmem boolean.

I'll take a look into that.

Regards,

Antonio
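
The raw audit messages quoted in the report say more than the summary does: the SYSCALL record names the call and its arguments. The following Python is an added example, not part of the original thread; it pairs the AVC and SYSCALL records by event id and decodes the denied call, and the helper names (fields, event_id, decode_execmem) are made up for illustration.

```python
import re

# Constructed sample: the two raw audit records quoted in the report above,
# each joined onto one line and trimmed to the fields this decoder reads.
AVC = ('type=AVC msg=audit(1217786121.365:53): avc: denied { execmem } for '
       'pid=3262 comm="nspluginviewer" tclass=process')
SYSCALL = ('type=SYSCALL msg=audit(1217786121.365:53): arch=40000003 '
           'syscall=125 success=no exit=-13 a0=b1aaa000 a1=1000 a2=5 '
           'a3=bfa32acc pid=3262 comm="nspluginviewer" '
           'exe="/usr/bin/nspluginviewer"')

AUDIT_ARCH_I386 = 0x40000003  # EM_386 with the little-endian flag set
SYS_MPROTECT_I386 = 125       # mprotect(2) in the 32-bit x86 syscall table
EACCES = 13
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}

def event_id(record):
    """Return the 'timestamp:serial' that ties records of one event together."""
    match = re.search(r'msg=audit\(([\d.]+:\d+)\)', record)
    return match.group(1) if match else None

def decode_execmem(avc, syscall):
    """Correlate an execmem AVC with its SYSCALL record and decode mprotect."""
    if event_id(avc) is None or event_id(avc) != event_id(syscall):
        raise ValueError("records do not belong to the same audit event")
    perms = re.search(r'\{([^}]*)\}', avc)
    if perms is None or "execmem" not in perms.group(1).split():
        raise ValueError("AVC record is not an execmem denial")
    f = fields(syscall)
    if (int(f["arch"], 16), int(f["syscall"])) != (AUDIT_ARCH_I386, SYS_MPROTECT_I386):
        raise ValueError("this example only decodes mprotect on i386")
    prot = int(f["a2"], 16)  # audit prints syscall arguments in hex
    return {
        "exe": f["exe"],
        "addr": int(f["a0"], 16),
        "length": int(f["a1"], 16),
        "prot": [name for bit, name in PROT.items() if prot & bit],
        "blocked": f["success"] == "no" and int(f["exit"]) == -EACCES,
    }

if __name__ == "__main__":
    print(decode_execmem(AVC, SYSCALL))
```

For the records in the report this shows a blocked mprotect request for PROT_READ|PROT_EXEC on 0x1000 bytes at 0xb1aaa000, made by /usr/bin/nspluginviewer.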