Bug 493663

Summary: /lib64/libfreebl3.so installs with the execstack flag turned on causing setroubleshoot, rpm, NetworkManager to require execstack and execmem
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: nss
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dcantrell, drepper, jakub, kengert
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-04-03 21:16:19 UTC
Attachments:
Tell assembler to not mark stack as executable (flags: none)

Description Daniel Walsh 2009-04-02 14:55:48 UTC
Description of problem:

----
time->Thu Apr  2 10:42:03 2009
type=SYSCALL msg=audit(1238683323.595:1332): arch=c000003e syscall=10 success=no exit=-13 a0=7fff7aa39000 a1=1000 a2=1000007 a3=7f0772835781 items=0 ppid=7811 pid=7812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1238683323.595:1332): avc:  denied  { execstack } for  pid=7812 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process


time->Thu Apr  2 10:54:30 2009
type=SYSCALL msg=audit(1238684070.551:1358): arch=c000003e syscall=10 success=no exit=-13 a0=7fffed13b000 a1=1000 a2=1000007 a3=7fb0e4f36781 items=0 ppid=6871 pid=7954 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rpm" exe="/bin/rpm" subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1238684070.551:1358): avc:  denied  { execstack } for  pid=7954 comm="rpm" scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process


gcc-4.4.0-0.31.x86_64
glibc-2.9.90-12.x86_64
glibc-2.9.90-12.i686
kernel-2.6.29.1-37.rc1.fc11.x86_64

Not sure which package is causing this.

Comment 1 Daniel Walsh 2009-04-02 15:04:21 UTC
X /lib64/libfreebl3.so

Looks like this library is marked execstack.

Comment 2 Ulrich Drepper 2009-04-02 16:09:34 UTC
Created attachment 337841 [details]
Tell assembler to not mark stack as executable

This problem is partly my fault.  The intel-aes.s file doesn't have the stack annotation.  The proposed patch fixes this by telling the assembler that no .s file needs an executable stack.  This better be true and it means future new .s files are automatically covered.

Kai, can you please build a new RPM with this ASAP?  This problem is causing significant pain.

Comment 3 Kai Engert (:kaie) (inactive account) 2009-04-02 16:31:47 UTC
OK, doing now. We should, however, get this landed in upstream nss.

Comment 4 Kai Engert (:kaie) (inactive account) 2009-04-02 16:44:05 UTC
reported upstream

Comment 5 Kai Engert (:kaie) (inactive account) 2009-04-02 17:11:56 UTC
I started this build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=1273826

It already completed on i586, x86_64

For some reason the koji command line client gave me:
ProtocolError: <ProtocolError for koji.fedoraproject.org/kojihub: -1 >

and the web page reports the ppc builds are still in the "free" state.

Shall we wait, or cancel the build and retry?

Comment 6 Jesse Keating 2009-04-02 18:21:57 UTC
The build completed.  Your local watch of the build had a timeout.  That's non-fatal.

Comment 7 Daniel Walsh 2009-04-03 21:16:19 UTC
Seems to be fixed in rawhide.