Bug 248275

Summary: SELinux Alert on Eclipse libupdate.so
Product: [Fedora] Fedora
Reporter: Kevin Crocker <kevin.b.crocker>
Component: eclipse
Assignee: Ben Konrath <ben>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low    
Version: 7   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2007-07-15 01:38:19 UTC

Description Kevin Crocker 2007-07-14 23:27:21 UTC
Description of problem:
SELinux alert blocking org.eclipse.osgi

Version-Release number of selected component (if applicable):
Eclipse Europa 3.3 (brand new install)

How reproducible:
Every single time I try to do an update

Steps to Reproduce:
1. Start Eclipse ... Software Updates ... select entries to update

Actual results:
SE block makes Eclipse completely unstable

Expected results:
the SE would stop doing this, or that Eclipse would put the right SE attributes

Additional info:
Appended SETroubleShoot Alert

    SELinux is preventing /eclipse.yoxos/eclipse/eclipse from loading /eclipse.y
    bupdate.so which requires text relocation.

Detailed Description
    The /eclipse.yoxos/eclipse/eclipse application attempted to load /eclipse.yo
    update.so which requires text relocation.  This is a potential security
    problem. Most libraries do not need this permission. Libraries are sometimes
    coded incorrectly and request this permission.  The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how to
    remove this requirement.  You can configure SELinux temporarily to allow /ec
    /x86/libupdate.so to use relocation as a workaround, until the library is
    fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    If you trust /eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/bundles/3
    9/1/.cp/os/linux/x86/libupdate.so to run correctly, you can change the file
    context to textrel_shlib_t. "chcon -t textrel_shlib_t /eclipse.yoxos/eclipse

    The following command will allow this access:
    chcon -t textrel_shlib_t

Additional Information        

Source Context                root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context                root:object_r:etc_runtime_t
Target Objects                /eclipse.yoxos/eclipse/configuration/org.eclipse.o
                              sgi/bundles/39/1/.cp/os/linux/x86/libupdate.so [
                              file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     desktop
Platform                      Linux desktop 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
                              15:37:31 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sat 14 Jul 2007 06:20:37 PM CDT
Last Seen                     Sat 14 Jul 2007 06:20:37 PM CDT
Local ID                      a8c8dd24-8306-4fa7-8f70-31bd7e94d742
Line Numbers                  

Raw Audit Messages            

avc: denied { execmod } for comm="eclipse" dev=dm-0 egid=0 euid=0
exe="/eclipse.yoxos/eclipse/eclipse" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="libupdate.so" path="/eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/
bundles/39/1/.cp/os/linux/x86/libupdate.so" pid=19352
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=root:object_r:etc_runtime_t:s0 tty=(none) uid=0

Comment 1 Andrew Overholt 2007-07-15 01:38:19 UTC
This doesn't happen with Fedora Eclipse, does it?  The fact that your
information shows yoxos indicates that this isn't happening with what we ship.

This has been fixed upstream for 3.3 by adding -fPIC to the libupdate.so
compilation line which we've carried for a while in Fedora Eclipse and RHDS. 
The upstream bug is https://bugs.eclipse.org/bugs/show_bug.cgi?id=170517.

I see this myself sometimes with upstream downloads but I never notice
instability as a result.