Bug 2255713
| Summary: | SELinux is preventing /usr/bin/nextcloud from execmod access on the file /memfd:JITCode:QtQml (deleted). | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Joerg <jkastnin> |
| Component: | nextcloud-client | Assignee: | Mukundan Ragavan <nonamedotc> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | epel9 | CC: | gwync, jan.public, martin.abbrent+fedoraproject.org, michel, nb, nonamedotc, uwe.arnold |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, I'm running the nextcloud-client on Fedora 39, too. There I don't have the SELinux denial messages in the system journal. Version information: Name : nextcloud-client Version : 3.11.0 Release : 1.fc39 Architecture : x86_64 I hope this helps to track down and solve the issue. Merry Christmas, Jörg |
Description of problem: Using the package nextcloud-client on RHEL 9 results in a lot of selinux errors in the system journal. IMHO that should not happen using the package in the intended way. Version-Release number of selected component (if applicable): Name : nextcloud-client Version : 3.6.4 Release : 4.el9 Architecture: x86_64 How reproducible: Every time running nextcloud-client. Steps to Reproduce: 1. Run /usr/bin/nextcloud 2. sudo journalctl -t setroubleshoot 3. sudo sealert -l 81fd8a6c-e608-4804-ac39-4958d823d499 Actual results: ~~~ $ sudo sealert -l 81fd8a6c-e608-4804-ac39-4958d823d499 SELinux is preventing /usr/bin/nextcloud from execmod access on the file /memfd:JITCode:QtQml (deleted). ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow selinuxuser to execmod Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean. Do setsebool -P selinuxuser_execmod 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that nextcloud should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'nextcloud' --raw | audit2allow -M my-nextcloud # semodule -X 300 -i my-nextcloud.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:object_r:user_tmp_t:s0 Target Objects /memfd:JITCode:QtQml (deleted) [ file ] Source nextcloud Source Path /usr/bin/nextcloud Port <Unknown> Host example Source RPM Packages nextcloud-client-3.6.4-4.el9.x86_64 Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.1.23-1.el9.noarch Local Policy RPM selinux-policy-targeted-38.1.23-1.el9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name example Platform Linux example 5.14.0-362.13.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 24 01:57:57 EST 2023 x86_64 x86_64 Alert Count 569 First Seen 2023-11-24 07:35:19 CET Last Seen 2023-12-22 03:09:43 CET Local ID 81fd8a6c-e608-4804-ac39-4958d823d499 Raw Audit Messages type=AVC msg=audit(1703210983.96:1043): avc: denied { execmod } for pid=13685 comm="nextcloud" path=2F6D656D66643A4A4954436F64653A5174516D6C202864656C6574656429 dev="tmpfs" ino=5241 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1703210983.96:1043): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f1c0d964000 a1=5d0 a2=5 a3=ffffffff items=0 ppid=13261 pid=13685 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=nextcloud exe=/usr/bin/nextcloud subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash: nextcloud,unconfined_t,user_tmp_t,file,execmod ~~~ Expected results: IMHO nextcloud should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default, to be able to use the nextcloud-client without causing hundreds and thousands of error messages in system journal.