Re: [FC8] SElinux - AVC Denial Messages... what is it???

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Dec 14, 2007 11:48 PM, Deepak Shrestha <d88pak@xxxxxxxxx> wrote:
> Hi
>
> I am getting the AVC Denial message from SELinux everytime I use any
> piece of program. These are some:
>
> ===================================
> Summary
> SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from
> changing the access protection of memory on the heap.
> ------------------------------
> Allowing Access
> If you want /usr/lib/openoffice.org/program/scalc.bin to continue, you
> must turn on the allow_execheap boolean. Note: This boolean will
> affect all applications on the system.The following command will allow
> this access:setsebool -P allow_execheap=1
> ===================================
> Summary
> SELinux is preventing /usr/lib/firefox-2.0.0.8/firefox-bin from
> loading /usr/lib/firefox-2.0.0.8/plugins/nppdf.so which requires text
> relocation.
> ---------------------------------
> Allowing Access
> If you trust /usr/lib/firefox-2.0.0.8/plugins/nppdf.so to run
> correctly, you can change the file context to textrel_shlib_t. "chcon
> -t textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so" You must
> also change the default file context files on the system in order to
> preserve them even on a full relabel. "semanage fcontext -a -t
> textrel_shlib_t /usr/lib/firefox-2.0.0.8/plugins/nppdf.so"The
> following command will allow this access:chcon -t textrel_shlib_t
> /usr/lib/firefox-2.0.0.8/plugins/nppdf.so
> ===================================
> Summary
> SELinux is preventing /usr/bin/konqueror from changing the access
> protection of memory on the heap.
> --------------------------------
> Allowing Access
> If you want /usr/bin/konqueror to continue, you must turn on the
> allow_execheap boolean. Note: This boolean will affect all
> applications on the system.The following command will allow this
> access:setsebool -P allow_execheap=1
> ==================================
>
> So what are all these messages?? and should I allow this action as suggested???
>
> Thanks
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

Hi Deepak Shrestha!

SELinux (selinux - NSA Security-Enhanced Linux - see: man selinux)
creates a more secure computing environment by making it harder to
mis-use the environment (use it as a hacker would).

I would ask myself some questions:

Am I able to do all of the things I want to with the program?

If so, I would recommend that you do nothing except consider
implementing any updates that may come along and hopefully make false
denials less common.  I do see SELinux denials on my machine but they
are not preventing me from doing anything that I want to do so I would
rather have a bit extra protection than a flag free life.  I also have
the "plugins/nppdf.so" denial which is apparently tied to Adobe
reader.  The denial flag pops whenever I tell Firefox to read a PDF,
but, Adobe Reader comes up fine in Firefox anyway. So I am happy.

Do I know where the software comes from mentioned in the denial, and
what it is trying to do?

You may be catching a hacker in the act, hopefully preventing him from
controlling your machine or otherwise causing harm.  Take part of the
denial (such as the "plugins/nppdf.so" I mentioned from above) and
Google it.  Often you will find others dealing with the same issue and
be able to find out if what you have is a problem or simply an
inconvenience.

For myself I am happy to leave things as they are if they work, and
hope they will work better in the future.

Have Fun!

Tod


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux