Bug 1781466

Summary: sddm, ksplashqml, krunner, plasmashell, ksmserver-logout-greeter, etc... not work, selinux denied execmod in tmpfs
Product: [Fedora] Fedora
Reporter: lin <linuxbg>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 30
CC: dwalsh, gwync, jgrulich, kde-sig, lvrabec, me, mgrepl, m, pierluigi.fiorini, plautrba, rdieter, zpytela
Hardware: i686
OS: Linux
Last Closed: 2020-05-26 18:15:36 UTC
Type: Bug

Description lin 2019-12-10 04:36:49 UTC
-rwxr-xr-x. 1 root root system_u:object_r:xdm_exec_t:s0 2177068 May  3  2019 /bin/sddm-greeter

-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 7235640 Oct 16 03:26 /usr/lib/libQt5Qml.so.5.12.5

Changed to the following, does not work:

-rwxr-xr-x. 1 root root system_u:object_r:xserver_exec_t:s0 2177068 May  3  2019 /bin/sddm-greeter

-rwxr-xr-x. 1 root root system_u:object_r:textrel_shlib_t:s0 7235640 Oct 16 03:26 /usr/lib/libQt5Qml.so.5.12.5

type=AVC msg=audit(1574048065.544:363): avc:  denied  { execmod } for  pid=1657 comm="sddm-greeter" path=2F6D656D66643A4A4954436F64653A2F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 dev="tmpfs" ino=46235 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0

Does not work either:
/etc/environment
QML_DISABLE_DISK_CACHE=1

Is this the issue from 2019-03-08 again?
https://bugzilla.redhat.com/show_bug.cgi?id=1686675

Fix:
setsebool -P selinuxuser_execmod 1

Comment 1 Zdenek Pytela 2019-12-20 15:39:58 UTC
Hi,

The execmod permission is disabled by default for security reasons. This issue needs to be investigated by sddm team first.

Comment 2 Rex Dieter 2019-12-20 18:57:38 UTC
It does appear to be the same (or very similar) issue covered by bug #1686875, was that fix/change reverted?

commit b449b264e39f381beef1cb99977f543731972c64 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Mar 27 18:42:55 2019 +0100

    Allow xdm_t domain to execmod temp files BZ(1686675)

Comment 3 lin 2019-12-23 03:06:43 UTC
selinux-policy changelog:

* Wed Oct 09 2019 Lukas Vrabec <lvrabec> - 3.14.3-49

- Allow avahi_t to send msg to xdm_t


* Tue Aug 13 2019 Lukas Vrabec <lvrabec> - 3.14.3-44

- Allow xdm_t domain to read kernel sysctl BZ(1740385)
- Add sys_admin capability for xdm_t in user namespace. BZ(1740386)


* Wed Jul 10 2019 Lukas Vrabec <lvrabec> - 3.14.3-40

- Allow xdm_t domain to mmap /var/lib/gdm/.cache/fontconfig BZ(1725509)


* Wed Apr 03 2019 Lukas Vrabec <lvrabec> - 3.14.3-27

- Allow xdm_t domain to execmod temp files BZ(1686675)
- Revert "Allow xdm_t domain to create own tmp files BZ(1686675)"
- Allow xdm_t domain to create own tmp files BZ(1686675)

Comment 4 lin 2019-12-27 05:49:11 UTC
Fix, I think:
allow all domains with permission to execmod in temp files, by boolean.

Comment 5 lin 2020-01-06 03:47:23 UTC
type=AVC msg=audit(1578114017.383:276): avc:  denied  { execmod } for  pid=1059 comm="ksplashqml" path=2F6D656D66643A4A4954436F64653A2F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 dev="tmpfs" ino=29380 scontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1578114048.443:283): avc:  denied  { execmod } for  pid=1237 comm="krunner" path=2F6D656D66643A4A4954436F64653A2F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 dev="tmpfs" ino=31585 scontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1578114064.113:293): avc:  denied  { execmod } for  pid=1400 comm="plasmashell" path=2F6D656D66643A4A4954436F64653A2F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 dev="tmpfs" ino=33753 scontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1578114139.133:302): avc:  denied  { execmod } for  pid=1575 comm="ksmserver-logou" path=2F6D656D66643A4A4954436F64653A2F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 dev="tmpfs" ino=36484 scontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0
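
An added triage helper for the denials quoted above (example code written for this page; it is not part of the bug report, of selinux-policy or of Qt). The audit subsystem hex-encodes a path= value whenever it contains a space or other untrusted byte, which is why every AVC in this thread shows path=2F6D656D66643A... instead of a readable name; this script decodes it, pulls the source and target types out of the contexts, and prints the one-line allow rule audit2allow would emit for the same denial as the narrower alternative to the global selinuxuser_execmod boolean from the description. The two sample lines are constructed from the AVCs in this bug; the field set HEX_ENCODED_FIELDS is this example's own choice, not an audit API.

```python
"""Triage helper for the SELinux execmod denials quoted in this bug.

Added example; not part of the bug report, selinux-policy or Qt.
"""
import re

# Constructed sample input: two of the denials quoted in this bug.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1574048065.544:363): avc:  denied  { execmod } for  pid=1657 comm="sddm-greeter" '
    'path=2F6D656D66643A4A4954436F64653A2F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 '
    'dev="tmpfs" ino=46235 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1578114139.133:302): avc:  denied  { execmod } for  pid=1575 comm="ksmserver-logou" '
    'path=2F6D656D66643A4A4954436F64653A2F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 '
    'dev="tmpfs" ino=36484 scontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields the kernel hex-encodes when the value holds a space or a
# non-printable byte (assumption of this example: only these are decoded,
# so plain numeric values such as pid= and ino= are left alone).
HEX_ENCODED_FIELDS = {'path', 'comm', 'exe', 'name', 'proctitle'}


def decode_audit_value(field, raw):
    """Return the printable value of one key=value pair from an AVC line."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_ENCODED_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def context_type(ctx):
    """'system_u:system_r:xserver_t:s0-s0:c0.c1023' -> 'xserver_t'."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one 'avc: denied {...} for ...' line into a dict, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_audit_value(k, v) for k, v in FIELD_RE.findall(m.group('fields'))}
    path = fields.get('path', '')
    return {
        'perms': m.group('perms').split(),
        # The kernel truncates comm to 15 bytes, hence 'ksmserver-logou'.
        'comm': fields.get('comm', ''),
        'path': path,
        'dev': fields.get('dev', ''),
        'source_type': context_type(fields.get('scontext', '')),
        'target_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
        'permissive': fields.get('permissive') == '1',
        # A '/memfd:' prefix means the object was created with memfd_create(2):
        # an anonymous file on the kernel's internal tmpfs, which is why it
        # carries the domain's tmpfs type (xserver_tmpfs_t) and not a cache label.
        'memfd': path.startswith('/memfd:'),
    }


def suggest_rule(rec):
    """The narrowest allow rule for one denial (the line audit2allow would emit).

    This is the targeted alternative to the global selinuxuser_execmod
    boolean: it permits only this source domain on this target type.
    Whether granting execmod at all is acceptable remains a policy decision.
    """
    return 'allow {} {}:{} {};'.format(
        rec['source_type'], rec['target_type'], rec['tclass'], ' '.join(rec['perms']))


def triage(lines):
    """Return the parsed execmod denials whose target is memfd-backed JIT code."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and 'execmod' in rec['perms'] and rec['memfd']:
            out.append(rec)
    return out


if __name__ == '__main__':
    for rec in triage(SAMPLE_AVCS):
        print('{comm:<16} {perms} on {path!r} ({source_type} -> {target_type})'.format(**rec))
        print('   targeted rule:', suggest_rule(rec))
```

Run with python3 and the decoded path comes out as /memfd:JITCode:/lib/libQt5Qml.so.5 (deleted): the denied object is the JIT's anonymous memfd, not one of the qmlcache directories mentioned later in the thread, which is worth keeping in mind when reading the setroubleshoot restorecon suggestion for that path.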

Comment 7 lin 2020-01-17 06:28:17 UTC
deny_execmem on?
https://bugzilla.redhat.com/show_bug.cgi?id=1686675

Comment 8 Lukas Vrabec 2020-01-17 11:13:06 UTC
Hi Lin, 


Is execmod really required for xserver_tmpfs_t files? 

Thanks,
Lukas.

Comment 9 lin 2020-01-18 05:35:56 UTC
Good question.

Seems denied by tmpfs.

All need execmem: sddm-greeter, ksplashqml, krunner, plasmashell, ksmserver-logout-greeter.
execmem by xserver_exec_t.

The rule denying execmod in tmpfs is new; in 29, 28, nothing. Or did Qt5Qml not execute from cache/temp in versions 29, 28?

Question: it works, the fix, is that right?

thanks

Comment 10 Rex Dieter 2020-01-18 20:26:45 UTC
Ah, makes sense, explains why I personally hadn't been able to reproduce this (I disabled tmpfs on one of my low-memory laptops).

So workaround for those interested, until this is properly fixed on selinux side, is to also disable tmpfs feature (effectively disables the mounting of any separate partition onto /tmp):

systemctl mask tmp.mount

(See also https://fedoraproject.org/wiki/Features/tmp-on-tmpfs#Release_Notes )

Comment 11 lin 2020-01-19 03:29:24 UTC
Caches:

/var/lib/sddm/.cache/sddm-greeter/qmlcache/
/home/user_name/.cache/ksplashqml/qmlcache/
/home/user_name/.cache/krunner/qmlcache/
/home/user_name/.cache/plasmashell/qmlcache/
/home/user_name/.cache/ksmserver-logout-greeter/qmlcache/


/var/log/messages
(originally in pt_BR, translated here)

Jan 18 23:48:06 CP setroubleshoot[1510]: SELinux is preventing plasmashell from using the execmod access on the file /memfd:JITCode:/lib/libQt5Qml.so.5 (deleted). For complete SELinux messages run: sealert -l 89c6c9f0-22e9-40ab-bdc8-66f40cb169ce
Jan 18 23:48:07 CP python3[1510]: SELinux is preventing plasmashell from using the execmod access on the file /memfd:JITCode:/lib/libQt5Qml.so.5 (deleted).

*****  Plugin restorecon (79.2 confidence) suggests  ****************************

If you want to fix the label.
$TARGET_PATH default label should be default_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory, in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /memfd:JITCode:/lib/libQt5Qml.so.5 (deleted)

*****  Plugin allow_execmod (8.37 confidence) suggests  *************************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised. Setroubleshoot examined '/memfd:JITCode:/lib/libQt5Qml.so.5.(deleted)' to make sure it was built correctly, but can not determine if this application has been compromised.
Do
contact your security administrator and report this issue

*****  Plugin httpd_unified (6.79 confidence) suggests  *************************

If you want to allow httpd to execute cgi scripts and unify HTTPD handling of all content files.
Then you must tell SELinux about this by enabling the 'httpd_unified' and 'httpd_enable_cgi' booleans
Do
# setsebool -P httpd_unified=1 httpd_enable_cgi=1

*****  Plugin catchall_boolean (6.79 confidence) suggests  **********************

If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.

Do
setsebool -P selinuxuser_execmod 1

*****  Plugin catchall (1.28 confidence) suggests  ******************************

If you believe that plasmashell should be allowed execmod access on the libQt5Qml.so.5 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'plasmashell' --raw | audit2allow -M my-plasmashell
# semodule -X 300 -i my-plasmashell.pp

Comment 12 lin 2020-02-01 05:06:34 UTC
Hi Lukas,

It seems yes to me, can you come and test?
Posted in the selinux project, what do they say?


xserver_tmpfs_t

- Set files with the xserver_tmpfs_t type, if you want to store xserver files on a tmpfs file system.


thanks

Comment 13 Ben Cotton 2020-04-30 20:28:56 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 14 Ben Cotton 2020-05-26 18:15:36 UTC
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.