Bug 506122
Summary: | SELinux is preventing knotify4 from changing a writable memory segment executable. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jerry Amundson <jamundso> |
Component: | kdebase-runtime | Assignee: | Than Ngo <than> |
Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | christopher, drepper, dwalsh, fedora, jreznik, kevin, lorenzo, ltinkl, rdieter, smparrish, than |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-09-09 00:05:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jerry Amundson
2009-06-15 16:52:10 UTC
Please post the output of: ldd /usr/bin/knotify4 (to see if you have any strange libraries getting loaded instead of the standard ones). $ ldd /usr/bin/knotify4 linux-vdso.so.1 => (0x00007ffffd758000) libkdeui.so.5 => /usr/lib64/libkdeui.so.5 (0x0000003219200000) libphonon.so.4 => /usr/lib64/libphonon.so.4 (0x000000321dc00000) libkdecore.so.5 => /usr/lib64/libkdecore.so.5 (0x0000003218c00000) libQtDBus.so.4 => /usr/lib64/libQtDBus.so.4 (0x0000003217c00000) libQtCore.so.4 => /usr/lib64/libQtCore.so.4 (0x0000003216e00000) libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003617200000) libQtSvg.so.4 => /usr/lib64/libQtSvg.so.4 (0x0000003219a00000) libQtGui.so.4 => /usr/lib64/libQtGui.so.4 (0x0000003218000000) libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007fa19dc6a000) libm.so.6 => /lib64/libm.so.6 (0x0000003616a00000) libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fa19da50000) libc.so.6 => /lib64/libc.so.6 (0x0000003616600000) libSM.so.6 => /usr/lib64/libSM.so.6 (0x0000003215600000) libICE.so.6 => /usr/lib64/libICE.so.6 (0x000000361c200000) libX11.so.6 => /usr/lib64/libX11.so.6 (0x0000003618e00000) libXext.so.6 => /usr/lib64/libXext.so.6 (0x000000361a200000) libXft.so.2 => /usr/lib64/libXft.so.2 (0x0000003216a00000) libXau.so.6 => /usr/lib64/libXau.so.6 (0x0000003618a00000) libXdmcp.so.6 => /usr/lib64/libXdmcp.so.6 (0x0000003623e00000) libXpm.so.4 => /usr/lib64/libXpm.so.4 (0x0000003623a00000) libQtXml.so.4 => /usr/lib64/libQtXml.so.4 (0x0000003217400000) libXtst.so.6 => /usr/lib64/libXtst.so.6 (0x0000003624c00000) libXcursor.so.1 => /usr/lib64/libXcursor.so.1 (0x000000361c600000) libXfixes.so.3 => /usr/lib64/libXfixes.so.3 (0x000000361ce00000) libXrender.so.1 => /usr/lib64/libXrender.so.1 (0x000000361b600000) libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x000000361ec00000) libpng12.so.0 => /usr/lib64/libpng12.so.0 (0x00007fa19d824000) libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x0000003214200000) libgobject-2.0.so.0 => /lib64/libgobject-2.0.so.0 (0x0000003213600000) libXi.so.6 => /usr/lib64/libXi.so.6 (0x000000361ca00000) libXrandr.so.2 => /usr/lib64/libXrandr.so.2 (0x000000361d600000) libXinerama.so.1 => /usr/lib64/libXinerama.so.1 (0x000000361d200000) libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x0000003214a00000) libz.so.1 => /lib64/libz.so.1 (0x0000003617600000) libgthread-2.0.so.0 => /lib64/libgthread-2.0.so.0 (0x0000003213e00000) librt.so.1 => /lib64/librt.so.1 (0x0000003617a00000) libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x0000003212e00000) libdl.so.2 => /lib64/libdl.so.2 (0x0000003616e00000) libQtNetwork.so.4 => /usr/lib64/libQtNetwork.so.4 (0x0000003217800000) libbz2.so.1 => /lib64/libbz2.so.1 (0x0000003622c00000) libresolv.so.2 => /lib64/libresolv.so.2 (0x000000361de00000) /lib64/ld-linux-x86-64.so.2 (0x0000003616200000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fa19d61a000) libxcb.so.1 => /usr/lib64/libxcb.so.1 (0x0000003619200000) libcap.so.2 => /lib64/libcap.so.2 (0x000000361e200000) libexpat.so.1 => /lib64/libexpat.so.1 (0x0000003619600000) libssl.so.8 => /usr/lib64/libssl.so.8 (0x0000003216600000) libcrypto.so.8 => /usr/lib64/libcrypto.so.8 (0x0000003216200000) libattr.so.1 => /lib64/libattr.so.1 (0x000000361da00000) libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003215a00000) libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003214e00000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fa19d414000) libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003215200000) libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003215e00000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003620800000) libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003212600000) Nothing suspicious there. However, Phonon loads some more stuff dynamically. Do you have any: * proprietary graphics drivers? * third-party codecs (e.g. Fluendo GStreamer codecs)? * other third-party libraries which may find their way into Phonon? Ah, now you're onto something - rpmfusion : # rpm -qa --qf '%{NAME} %{VENDOR}\n' | grep RPM | awk '{ print $1 }' | xargs rpm -q xvidcore-1.2.1-2.fc11.x86_64 libtunepimp-extras-freeworld-0.5.3-7.fc11.x86_64 x264-libs-0.0.0-0.24.20090319gitc109c8.fc11.x86_64 rpmfusion-free-release-11.90-1.noarch libmpeg2-0.5.1-7.fc11.1.x86_64 lame-libs-3.98.2-3.fc11.x86_64 twolame-libs-0.3.12-4.fc11.x86_64 vcdimager-libs-0.7.23-10.fc11.x86_64 xine-lib-extras-freeworld-1.1.16.3-1.fc11.x86_64 gstreamer-plugins-ugly-0.10.11-1.fc11.x86_64 k3b-extras-freeworld-1.0.5-6.fc11.x86_64 a52dec-0.7.4-15.fc11.x86_64 vcdimager-0.7.23-10.fc11.x86_64 libdca-0.0.5-4.fc11.x86_64 faad2-libs-2.7-1.fc11.x86_64 gstreamer-ffmpeg-0.10.7-1.fc11.x86_64 madplay-0.15.2b-6.fc11.x86_64 libmad-0.15.1b-11.fc11.x86_64 faac-1.28-1.fc11.1.x86_64 ffmpeg-libs-0.5-2.fc11.x86_64 RPM Fusion's codecs are supposed to either not require execstack/execmem at all or have the relevant SELinux context set. If that's all the non-Fedora stuff you have, there must be a bug somewhere. Ping dwalsh: Any idea how we can figure out which shared object is actually at fault here? Short of manually running readelf on every single shared library on the system? Uli is much better at this stuff then I am. Uli do you have any ideas on this? -- Steven M. Parrish - KDE Triage Master - PackageKit Triager Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers It's not a text relocation, I assume. In that case it's either an mmap() or mprotect() call. Use strace to track all syscalls, locate the offenders, check what memory region they are modifying (in case of mprotect). strace doesn't tell you where the call comes from, you need to deduce this from the context. Rex, Kevin what do we want to do with this and other selinux issues? -- Steven M. Parrish - KDE Triage Master - PackageKit Triager Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers For this one, I suggest 1. punt to rpmfusion (or ask reporter to reproduce free of rpmfusion bits). or 2. wait, until someone can investigate further to reproduce or find the ultimate culprit Personally, I'd lean toward 1. punt to rpmfusion it is. closing->cantfix (it's caused by software outside our control). *** Bug 506126 has been marked as a duplicate of this bug. *** I reported this to RPM Fusion: https://bugzilla.rpmfusion.org/show_bug.cgi?id=1381 |