bowman
9th February 2008, 05:27 PM
I installed skype on FC9. I got the following SELinux issue:
It suggested that I run "chcon -t unconfined_execmem_exec_t '<Unknown>'". Obviously it will not work this way with the 'Unknown' parameter. I tried to substitute 'Unknown' with the path to the skype executable "/usr/bin/skype" - did not help.
Any ideas how to fix it?
Summary:
SELinux is preventing skype from changing a writable memory segment executable.
Detailed Description:
The skype application attempted to change the access protection of memory (e.g.,
allocated using malloc). This is a potential security problem. Applications
should not be doing this. Applications are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If skype does not work and you need it to work, you can
configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust skype to run correctly, you can change the context of the
executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '<Unknown>'".
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t
unconfined_execmem_exec_t '<Unknown>'"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t '<Unknown>'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects None [ process ]
Source skype
Source Path <Unknown>
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.2.7-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execmem
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.24.1-26.fc9 #1 SMP Fri Feb 8 19:56:42 EST 2008 i686 i686
Alert Count 6
First Seen Sat 09 Feb 2008 12:10:25 PM EST
Last Seen Sat 09 Feb 2008 12:19:44 PM EST
Local ID 7bb0b2ac-b18e-4b80-a4bf-0099ee7a050e
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1202577584.579:33): avc: denied { execmem } for pid=7997 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1202577584.579:33): arch=40000003 syscall=11 success=no exit=-13 a0=8657b29 a1=89495c8 a2=8987e18 a3=bffdad24 items=0 ppid=1 pid=7997 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
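
An added example, not part of the original post: a small parser that pairs the AVC and SYSCALL records above by their audit event serial and pulls out the fields needed to triage the denial. The function names and the short i386 syscall table are this example's own assumptions; the two records are copied from the post.

```python
import errno
import re
from collections import defaultdict

# The two raw audit records, copied from the post above.
SAMPLE = """\
host=localhost.localdomain type=AVC msg=audit(1202577584.579:33): avc: denied { execmem } for pid=7997 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1202577584.579:33): arch=40000003 syscall=11 success=no exit=-13 a0=8657b29 a1=89495c8 a2=8987e18 a3=bffdad24 items=0 ppid=1 pid=7997 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# Assumption of this example: a minimal i386 syscall table (arch=40000003).
I386_SYSCALLS = {11: "execve", 90: "mmap", 125: "mprotect", 192: "mmap2"}

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event serial (the number after ':' in msg=audit)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, serial = m.groups()
        body = line[m.end():]
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            d = DENIED.search(body)
            fields["perms"] = d.group(1).split() if d else []
        events[serial][rtype] = fields
    return dict(events)

def summarize(event):
    """Reduce one AVC+SYSCALL pair to the facts needed to triage the denial."""
    avc, sc = event.get("AVC", {}), event.get("SYSCALL", {})
    nr = int(sc["syscall"]) if "syscall" in sc else None
    i386 = sc.get("arch") == "40000003"
    failed = sc.get("success") == "no" and "exit" in sc
    return {
        "comm": avc.get("comm"),
        "perms": avc.get("perms", []),
        "domain": (avc.get("scontext", "").split(":") + [None] * 3)[2],
        "on_self": avc.get("scontext") == avc.get("tcontext"),
        "syscall": I386_SYSCALLS.get(nr, nr) if i386 else nr,
        "errno": errno.errorcode.get(-int(sc["exit"])) if failed else None,
        "exe": sc.get("exe"),  # None when the record carries no exe= field
    }

if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE).items():
        print(serial, summarize(ev))
```

For the records in the post, `exe` comes back as `None`: the pasted SYSCALL record has no `exe=` field, which lines up with the report's `Source Path <Unknown>`.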