Following is AVC. Do I replace '<unknown>' with skype?
Summary:
SELinux is preventing skype from changing a writable memory segment executable.
Detailed Description:
The skype application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If skype does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust skype to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '<Unknown>'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '<Unknown>'"
Fix Command:
chcon -t execmem_exec_t '<Unknown>'
Additional Information:
Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        None [ process ]
Source                skype
Source Path           <Unknown>
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.6.22-2.fc12
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           allow_execmem
Host Name             (removed)
Platform              Linux internet01.frankly3d.local 2.6.31-0.86.rc3.git5.fc12.x86_64 #1 SMP Wed Jul 22 15:31:34 EDT 2009 x86_64 x86_64
Alert Count           1
First Seen            Fri 24 Jul 2009 17:38:51 IST
Last Seen             Fri 24 Jul 2009 17:38:51 IST
Local ID              6c5beb61-0671-4497-b86d-cd1bf0944901
Line Numbers
Raw Audit Messages
node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
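Reading the two raw audit records above field by field, as an added example that is not part of the original thread: it pairs the AVC and SYSCALL records by audit serial and decodes the numeric fields. The function names and the one-entry syscall table (only the number seen in this report) are this example's own.

```python
import errno
import re

# The two raw audit records from the report above (one event, serial 24900).
RECORDS = [
    'node=internet01.frankly3d.local type=AVC msg=audit(1248453531.351:24900): avc: denied { execmem } for pid=2079 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'node=internet01.frankly3d.local type=SYSCALL msg=audit(1248453531.351:24900): arch=c000003e syscall=59 per=400000 success=no exit=-13 a0=1dae08f a1=1c0bcd0 a2=7fff70be3b38 a3=7fff70be2410 items=0 ppid=2078 pid=2079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]
# arch=c000003e is x86_64; syscall numbers are only meaningful per arch.
SYSCALLS = {("c000003e", 59): "execve"}
READ_IMPLIES_EXEC = 0x0400000  # personality flag from <linux/personality.h>

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    # msg=audit(<epoch>:<serial>) ties records of the same event together.
    fields["serial"] = re.search(r'audit\(\d+\.\d+:(\d+)\)', line).group(1)
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields

def summarize(lines):
    """Pair AVC and SYSCALL records by serial and decode the numeric fields."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    summaries = []
    for serial, ev in events.items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if avc is None or sc is None:
            continue  # an unpaired record cannot be decoded further
        summaries.append({
            "serial": serial,
            "comm": avc["comm"],
            "perms": avc["perms"],
            "domain": avc["scontext"].split(":")[2],
            # execmem is a process-class check of a domain against itself
            "self_access": avc["scontext"] == avc["tcontext"],
            "syscall": SYSCALLS.get((sc["arch"], int(sc["syscall"])), sc["syscall"]),
            "errno": errno.errorcode[-int(sc["exit"])],
            # audit prints the personality value in hex
            "read_implies_exec": bool(int(sc["per"], 16) & READ_IMPLIES_EXEC),
            "exe": sc.get("exe"),  # None: this record carries no exe= field
        })
    return summaries

if __name__ == "__main__":
    for event in summarize(RECORDS):
        print(event)
```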
On Fri, 2009-07-24 at 17:48 +0100, Frank Murphy wrote:
Following is AVC. Do I replace '<unknown>' with skype?
Yes:
semanage fcontext -a -t execmem_exec_t /path/to/skype
restorecon -v /path/to/skype
where "/path/to/skype" is the path to the skype executable file.
On 07/24/2009 12:55 PM, Dominick Grift wrote:
Yes:
semanage fcontext -a -t execmem_exec_t /path/to/skype
restorecon -v /path/to/skype
where "/path/to/skype" is the path to the skype executable file.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Please open a bugzilla on skype saying that apps should not require execmem privs to run.
Attach the following link.
On 27/07/09 13:54, Daniel J Walsh wrote:
Please open a bugzilla on skype saying that apps should not require execmem privs to run.
Attach the following link.
selinux@lists.fedoraproject.org