Thanks Lakshmi, I would give a try and update you at the earliest.
On Tue, Aug 9, 2011 at 4:26 PM, Lakshmipathi.G <[email protected]>wrote: > Hi - > If you don't have confidential data on your machine, I would suggest you to > turn of SELinux using "setenforce 0" (it needs root access) > and then verify it using "getenforce" . Or disable it completely by > modifying the file /etc/selinux/config. This is very much easier way. > > If you want to use SELinux with Skype,then do - > 1.add a selinux policy module using audit2allow command - "cat > /var/log/audit/audit.log | audit2allow > skype.pp" > > 2.Make sure selinux-policy-devel package is installed and now compile the > module. > #make -f /usr/share/selinux/devel/Makefile skype.pp > > 3)load the module "semodule -i skype.pp " > > 4)verify it - semodule -l | grep skype > > > Sometime back while working on OSS project, I found out SELinux documents > are extremely rare to find. > Few of them are - > Dan Walsh's blog - http://danwalsh.livejournal.com/ > and Dominick's http://selinux-mac.blogspot.com/ > > HTH > > On Tue, Aug 9, 2011 at 5:23 PM, anjaz ahmed <[email protected]> wrote: > >> Dear friends, >> >> Recently upgraded to Fedora 15, the skype application gets crashed >> frequently.....The error details are as mentioned below. Would be great if >> someone get it fixed. >> >> Thanks >> >> ===================================================================== >> >> SELinux is preventing /usr/bin/skype from mmap_zero access on the >> memprotect Unknown. >> >> ***** Plugin mmap_zero (53.1 confidence) suggests >> ************************** >> >> If you do not think /usr/bin/skype should need to mmap low memory in the >> kernel. >> Then you may be under attack by a hacker, this is a very dangerous access. >> >> Do >> contact your security administrator and report this issue. >> >> ***** Plugin catchall_boolean (42.6 confidence) suggests >> ******************* >> >> If you want to control the ability to mmap a low area of the address >> space, as configured by /proc/sys/kernel/mmap_min_addr. >> Then you must tell SELinux about this by enabling the 'mmap_low_allowed' >> boolean. >> Do >> setsebool -P mmap_low_allowed 1 >> >> ***** Plugin catchall (5.76 confidence) suggests >> *************************** >> >> If you believe that skype should be allowed mmap_zero access on the >> Unknown memprotect by default. >> Then you should report this as a bug. >> You can generate a local policy module to allow this access. >> Do >> allow this access for now by executing: >> # grep threaded-ml /var/log/audit/audit.log | audit2allow -M mypol >> # semodule -i mypol.pp >> >> Additional Information: >> Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0- >> s0:c0.c1023 >> Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0- >> s0:c0.c1023 >> Target Objects Unknown [ memprotect ] >> Source threaded-ml >> Source Path /usr/bin/skype >> Port <Unknown> >> Host anjaz.intelvision.sc >> Source RPM Packages skype-2.2.0.35-fc10 >> Target RPM Packages >> Policy RPM selinux-policy-3.9.16-35.fc15 >> Selinux Enabled True >> Policy Type targeted >> Enforcing Mode Enforcing >> Host Name anjaz.intelvision.sc >> Platform Linux anjaz.intelvision.sc 2.6.38.8-35.fc15.x86_64 >> #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 >> Alert Count 125 >> First Seen Tue 09 Aug 2011 03:49:24 PM SCT >> Last Seen Tue 09 Aug 2011 03:49:27 PM SCT >> Local ID 943f7e9f-e074-437d-9ad1-cf76ac9f7615 >> >> Raw Audit Messages >> type=AVC msg=audit(1312890567.697:245): avc: denied { mmap_zero } for >> pid=4405 comm="skype" >> scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 >> tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 >> tclass=memprotect >> >> >> type=SYSCALL msg=audit(1312890567.697:245): arch=i386 syscall=lgetxattr >> per=400000 success=no exit=EACCES a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1769 >> pid=4405 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 >> sgid=500 fsgid=500 tty=(none) ses=1 comm=skype exe=/usr/bin/skype >> subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 >> key=(null) >> >> Hash: >> threaded-ml,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero >> >> audit2allow >> >> #============= unconfined_execmem_t ============== >> #!!!! This avc can be allowed using the boolean 'mmap_low_allowed' >> >> allow unconfined_execmem_t self:memprotect mmap_zero; >> >> audit2allow -R >> >> #============= unconfined_execmem_t ============== >> #!!!! This avc can be allowed using the boolean 'mmap_low_allowed' >> >> allow unconfined_execmem_t self:memprotect mmap_zero; >> >> >> >> _______________________________________________ >> india mailing list >> [email protected] >> https://admin.fedoraproject.org/mailman/listinfo/india >> > > > > -- > ---- > Cheers, > Lakshmipathi.G > FOSS Programmer. > www.giis.co.in > > _______________________________________________ > india mailing list > [email protected] > https://admin.fedoraproject.org/mailman/listinfo/india > -- Regards, Anjaz Ahmed. Indian Mobile : +91-9597921153 VoIP : +248-2716918 Email : [email protected]
_______________________________________________ india mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/india
