Bug 2278624

Summary: SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
Product: [Fedora] Fedora Reporter: Kamil Páral <kparal>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 40CC: dwalsh, knazekovan, kparal, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:1cb53da229f699b9195cecf3fc3781125cbc9c2d82b66b66d818e35e88df6389;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-05-03 07:24:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: description
none
File: os_info none

Description Kamil Páral 2024-05-02 13:07:04 UTC 
Description of problem:
This popped up after starting Steam (Flatpak version) and hitting the Download Update button inside it.
SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think wine-preloader should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that wine-preloader should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -X 300 -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.17-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.17-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.8-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Apr 27 17:53:31 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-05-02 15:02:48 CEST
Last Seen                     2024-05-02 15:02:48 CEST
Local ID                      1c952af1-6b0b-4941-95b6-ebc8f156e0f6

Raw Audit Messages
type=AVC msg=audit(1714654968.610:1287): avc:  denied  { execheap } for  pid=188884 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-targeted-40.17-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
package:        selinux-policy-targeted-40.17-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.8.8-300.fc40.x86_64
comment:        This popped up after starting Steam (Flatpak version) and hitting the Download Update button inside it.
component:      selinux-policy
Comment 1 Kamil Páral 2024-05-02 13:07:07 UTC 
Created attachment 2030871 [details]
File: description
Comment 2 Kamil Páral 2024-05-02 13:07:08 UTC 
Created attachment 2030872 [details]
File: os_info
Comment 3 Zdenek Pytela 2024-05-02 14:01:05 UTC 
The Linux implementation of mprotect (unlike POSIX) allows changing the access protection of memory on the heap, e. g. allocated using malloc. This AVC denial indicates that heap memory was supposed to be made executable. While the permission can be granted turning the selinuxuser_execheap boolean on as suggested by setroubleshoot, it should not be done without a thorough code review as in most cases it indicates a bug in the code and you should consider reporting a bug on the related component. If anonymous executable memory is needed, another method should be considered, e. g. allocating memory using mmap.

Please refer to the boolean description:

  # semanage boolean -l|grep execheap
selinuxuser_execheap           (off  ,  off)  Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla


If there is no other information, I will close this bz.
Comment 4 Kamil Páral 2024-05-03 07:24:13 UTC 
Thanks. This seems to be a duplicate of bug 2247299, isn't it?

*** This bug has been marked as a duplicate of bug 2247299 ***