Bug 372841

Summary: SELinux is preventing /usr/lib/openoffice.org/program/swriter.bin from changing the access protection of memory on the heap.
Product: [Fedora] Fedora
Reporter: The Hermit <eloign>
Component: openoffice.org
Assignee: Caolan McNamara <caolanm>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: low
Version: 7
CC: dwalsh, jnavrati
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-11-21 10:52:04 UTC

Description The Hermit 2007-11-09 14:56:52 UTC
Description of problem:

Version-Release number of selected component (if applicable):
openoffice.org-writer-2.3.0-6.4.fc7
selinux-policy-2.6.4-49.fc7

How reproducible:
Completely

Steps to Reproduce:
1. Attempt to invoke the Word Processor component from the menu
2. Further Error - attempting to follow "Allowing Access" instructions as a
non-root user:

If you want /usr/lib/openoffice.org/program/swriter.bin to continue, you must
turn on the allow_execheap boolean. Note: This boolean will affect all
applications on the system. The following command will allow this access:
setsebool -P allow_execheap=1

Also fails as setsebool requires root permissions. Using su/sudo also fails as
setsebool is located in /usr/sbin
3. Executing "sudo /usr/sbin/setsebool -P allow_execheap=1" gives no messages
but also does not cure the problem, the word processor still hangs, but a
further SE Linux alert is not generated.
  
Actual results:

Application hangs with SE failure.  Recommended bypass does not work.


Expected results:
Runs

Additional info:
The /usr/lib/openoffice.org/program/swriter.bin application attempted to change
the access protection of memory on the heap (e,g., allocated using malloc). This
is a potential security problem. Applications should not be doing this.
Applications are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests web page explains how to remove this
requirement. If /usr/lib/openoffice.org/program/swriter.bin does not work and
you need it to work, you can configure SELinux temporarily to allow this access
until the application is fixed. Please file a bug report against this package.

Source Context:  user_u:system_r:unconfined_execmem_t
Target Context:  user_u:system_r:unconfined_execmem_t
Target Objects:  None [ process ]
Affected RPM Packages:  openoffice.org-writer-2.3.0-6.4.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-49.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.allow_execheap
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.23.1-21.fc7 #1 SMP Thu Nov 1 21:09:24 EDT 2007 i686 i686
Alert Count:  0
First Seen:  Fri 09 Nov 2007 08:36:40 AM CST
Last Seen:  Fri 09 Nov 2007 08:36:40 AM CST
Local ID:  b1bad101-5607-4007-a3d7-4c14cbc6285c
Line Numbers:

Raw Audit Messages:

avc: denied { execheap } for comm="swriter.bin" egid=500 euid=500
exe="/usr/lib/openoffice.org/program/swriter.bin" exit=-13 fsgid=500 fsuid=500
gid=500 items=0 pid=5811 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=500 subj=user_u:system_r:unconfined_execmem_t:s0 suid=500 tclass=process
tcontext=user_u:system_r:unconfined_execmem_t:s0 tty=(none) uid=500

Comment 1 Caolan McNamara 2007-11-09 16:01:23 UTC
I don't get this on my own selinux enabled F-7 box with the same version.
Someone else reported this as bug #364871, and then said that it "just started
working" and closed it.

Basically we do everything that
http://people.redhat.com/drepper/selinux-mem.html says to do if you need
executable memory, i.e. the dual mmap trick and the mechanism in our 2.3.0 is
the same as in previous versions which never had this problem, and we don't call
mprotect directly from any OOo code. Have you anything *else* failing with the
same message, e.g. can you launch glxgears (from package glx-utils)?
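
The dual mmap trick mentioned in Comment 1, as an added example that is not part of the bug report and is not OpenOffice.org code: the same file-backed pages are mapped once writable and once executable, so nothing ever calls mprotect() on malloc'd memory and no page is writable and executable at the same time. The memfd_create(2) backing and the names dual_map_create and mapping_perms are assumptions made for this example.

```c
/* Added example, not OpenOffice.org code: one buffer, two views.
 * Assumes Linux with memfd_create(2); all names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

struct dual_map { unsigned char *rw, *rx; };

/* Map one in-memory file twice: a writable view and an executable view.
 * No page is ever W+X and mprotect() is never called. Returns 0 on success. */
int dual_map_create(struct dual_map *m, size_t len)
{
    int fd = (int)syscall(SYS_memfd_create, "codebuf", 0U);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)len) < 0) { close(fd); return -1; }
    m->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    m->rx = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);                          /* the mappings keep the file alive */
    if (m->rw != MAP_FAILED && m->rx != MAP_FAILED) return 0;
    if (m->rw != MAP_FAILED) munmap(m->rw, len);
    if (m->rx != MAP_FAILED) munmap(m->rx, len);
    return -1;
}

/* Copy the permission field of the mapping that contains addr, as listed in
 * /proc/self/maps (for example "rw-s"), into perms. 0 if found, else -1. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    unsigned long lo, hi, a = (unsigned long)addr;
    char line[512]; int rc = -1;
    if (!f) return -1;
    while (rc && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && lo <= a && a < hi)
            rc = 0;
    fclose(f);
    return rc;
}

int main(void)
{
    struct dual_map m; char prw[5], prx[5];
    if (dual_map_create(&m, 4096) < 0) { perror("dual_map_create"); return 1; }
    memcpy(m.rw, "constructed bytes", 18);      /* write via the RW view */
    if (mapping_perms(m.rw, prw) || mapping_perms(m.rx, prx)) return 1;
    printf("rw=%s rx=%s aliased=%d\n", prw, prx,
           memcmp(m.rx, "constructed bytes", 18) == 0);
    return 0;
}
```

Checking /proc/PID/maps of a running process for any mapping whose permission field contains both w and x is a quick way to see whether it still depends on writable-executable memory.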

Comment 2 The Hermit 2007-11-10 12:38:33 UTC
[hermit@localhost secondlife]$ glxgears
8692 frames in 5.0 seconds = 1735.551 FPS
7980 frames in 5.0 seconds = 1595.862 FPS
7958 frames in 5.0 seconds = 1590.862 FPS

As a thought one somewhat less than usual thing is I am running a dual screen
system. The Hardware Browser output shows:

nVidia Corporation G73 [GeForce 7600GS]
driver: nvidiafb

Running openoffice.org -writer from a command line:
$ openoffice.org -writer

yields:
logo
Opens window
hangs before creating any output in window.
no output to command line
Killing the window leaves:

/usr/lib/openoffice.org/program/soffice: line 147:  7311 Killed                
 "$sd_prog/$sd_binary" "$@"

Attempting:
$ sudo tail -n50 /var/log/messages

Before and after running the command line invocation above shows nothing written
to the log.

invoking:
$ openoffice.org

Yields:
logo
frame
menu

opening the word processor from the menu produces a window which looks complete,
i.e. has menus, tab lines, document shape, but is non-responsive, i.e. cannot
type in it or select menu options.

Killing it yields:
[hermit@localhost ~]$ openoffice.org
/usr/lib/openoffice.org/program/soffice: line 147:  7362 Killed                
 "$sd_prog/$sd_binary" "$@"

Again no output to /var/log/messages

Comment 3 Caolan McNamara 2007-11-10 13:33:48 UTC
So you have the binary nvidia driver ?

Comment 4 Caolan McNamara 2007-11-21 10:52:04 UTC
Didn't happen for me on Fedora 7 with SELinux enabled in targeted or enforcing
mode, and there aren't a couple of thousand duplicates for this as I'd expect if
it was a generic problem.