Bug 506122

Summary: SELinux is preventing knotify4 from changing a writable memory segment executable.
Product: [Fedora] Fedora
Component: kdebase-runtime
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CANTFIX
Severity: medium
Priority: low
Reporter: Jerry Amundson <jamundso>
Assignee: Than Ngo <than>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: christopher, drepper, dwalsh, fedora, jreznik, kevin, lorenzo, ltinkl, rdieter, smparrish, than
Doc Type: Bug Fix
Last Closed: 2009-09-09 00:05:07 UTC

Description Jerry Amundson 2009-06-15 16:52:10 UTC
Description of problem:
SELinux is preventing knotify4 from changing a writable memory segment executable. 

Version-Release number of selected component (if applicable):
Source RPM Packages:  kdebase-runtime-4.2.90-1.fc12
Policy RPM:  selinux-policy-3.6.15-1.fc12

How reproducible:
always

Steps to Reproduce:
1. Log out of KDE
  
Actual results:
avc

Expected results:
no avc

Additional info:

Summary:

SELinux is preventing knotify4 from changing a writable memory segment
executable.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The knotify4 application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If knotify4 does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust knotify4 to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t
'2F7573722F62696E2F6B6E6F7469667934202864656C6574656429'". You must also change
the default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t execmem_exec_t
'2F7573722F62696E2F6B6E6F7469667934202864656C6574656429'"

Fix Command:

chcon -t execmem_exec_t '2F7573722F62696E2F6B6E6F7469667934202864656C6574656429'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        knotify4
Source Path                   2F7573722F62696E2F6B6E6F7469667934202864656C657465
                              6429
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmem
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.30-0.1.2.32.rc8.xendom0.fc12.x86_64 #1 SMP Thu
                              Jun 4 17:46:39 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 15 Jun 2009 11:10:06 AM CDT
Last Seen                     Mon 15 Jun 2009 11:10:06 AM CDT
Local ID                      c69d7546-500c-4733-b98f-2d91a9942e15
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1245082206.110:606): avc:  denied  { execmem } for  pid=3443 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=jerry-opti755 type=SYSCALL msg=audit(1245082206.110:606): arch=c000003e syscall=9 success=yes exit=140594919673856 a0=0 a1=a01000 a2=7 a3=20022 items=0 ppid=1 pid=3443 auid=2355 uid=2355 gid=100 euid=2355 suid=2355 fsuid=2355 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="knotify4" exe=2F7573722F62696E2F6B6E6F7469667934202864656C6574656429 subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
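
The raw SYSCALL record above carries more detail than the setroubleshoot summary. The following added example (not part of the original report or of setroubleshoot) decodes it, assuming the x86_64 syscall numbers and mman flag values from the Linux headers; the function and table names are illustrative.

```python
import re

# The SYSCALL record from the report above, trimmed to the fields decoded here.
RECORD = ('type=SYSCALL msg=audit(1245082206.110:606): arch=c000003e syscall=9 '
          'success=yes exit=140594919673856 a0=0 a1=a01000 a2=7 a3=20022 '
          'pid=3443 comm="knotify4" '
          'exe=2F7573722F62696E2F6B6E6F7469667934202864656C6574656429')

# x86_64 values from the Linux UAPI headers.
ARCH_X86_64 = 0xC000003E
SYSCALLS = {9: "mmap", 10: "mprotect"}
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x20000: "MAP_STACK"}

def bits(value, table):
    """Names of the flag bits set in value; unknown bits are shown in hex."""
    names = [n for b, n in table.items() if value & b]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])

def decode(record):
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    if int(f["arch"], 16) != ARCH_X86_64:
        raise ValueError("the syscall table here is x86_64 only")
    nr = int(f["syscall"])                 # decimal; a0..a3 are hexadecimal
    name = SYSCALLS.get(nr, "syscall_%d" % nr)
    exe = f["exe"]
    # auditd hex-encodes a field that holds spaces or other unsafe bytes;
    # an ordinary path is written in double quotes instead.
    if not exe.startswith('"'):
        exe = bytes.fromhex(exe).decode("utf-8", "replace")
    out = {"syscall": name, "exe": exe.strip('"'), "length": int(f["a1"], 16)}
    if name in ("mmap", "mprotect"):       # prot is the third argument of both
        out["prot"] = bits(int(f["a2"], 16), PROT)
        out["wx"] = {"PROT_WRITE", "PROT_EXEC"} <= set(out["prot"])
    if name == "mmap":                     # flags is the fourth argument
        out["flags"] = bits(int(f["a3"], 16), MAP)
    return out

if __name__ == "__main__":
    for key, value in decode(RECORD).items():
        print(key, "=", value)
```

For this record the result is a private anonymous `mmap` of 0xa01000 bytes requested with read, write and execute protection, and the hex-encoded `exe` field (the same string the suggested `chcon` command quotes) decodes to `/usr/bin/knotify4 (deleted)`.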

Comment 1 Kevin Kofler 2009-06-15 17:04:35 UTC
Please post the output of:
ldd /usr/bin/knotify4
(to see if you have any strange libraries getting loaded instead of the standard ones).

Comment 2 Jerry Amundson 2009-06-15 17:22:59 UTC
$ ldd /usr/bin/knotify4
        linux-vdso.so.1 =>  (0x00007ffffd758000)
        libkdeui.so.5 => /usr/lib64/libkdeui.so.5 (0x0000003219200000)
        libphonon.so.4 => /usr/lib64/libphonon.so.4 (0x000000321dc00000)
        libkdecore.so.5 => /usr/lib64/libkdecore.so.5 (0x0000003218c00000)
        libQtDBus.so.4 => /usr/lib64/libQtDBus.so.4 (0x0000003217c00000)
        libQtCore.so.4 => /usr/lib64/libQtCore.so.4 (0x0000003216e00000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003617200000)
        libQtSvg.so.4 => /usr/lib64/libQtSvg.so.4 (0x0000003219a00000)
        libQtGui.so.4 => /usr/lib64/libQtGui.so.4 (0x0000003218000000)
        libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007fa19dc6a000)
        libm.so.6 => /lib64/libm.so.6 (0x0000003616a00000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fa19da50000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003616600000)
        libSM.so.6 => /usr/lib64/libSM.so.6 (0x0000003215600000)
        libICE.so.6 => /usr/lib64/libICE.so.6 (0x000000361c200000)
        libX11.so.6 => /usr/lib64/libX11.so.6 (0x0000003618e00000)
        libXext.so.6 => /usr/lib64/libXext.so.6 (0x000000361a200000)
        libXft.so.2 => /usr/lib64/libXft.so.2 (0x0000003216a00000)
        libXau.so.6 => /usr/lib64/libXau.so.6 (0x0000003618a00000)
        libXdmcp.so.6 => /usr/lib64/libXdmcp.so.6 (0x0000003623e00000)
        libXpm.so.4 => /usr/lib64/libXpm.so.4 (0x0000003623a00000)
        libQtXml.so.4 => /usr/lib64/libQtXml.so.4 (0x0000003217400000)
        libXtst.so.6 => /usr/lib64/libXtst.so.6 (0x0000003624c00000)
        libXcursor.so.1 => /usr/lib64/libXcursor.so.1 (0x000000361c600000)
        libXfixes.so.3 => /usr/lib64/libXfixes.so.3 (0x000000361ce00000)
        libXrender.so.1 => /usr/lib64/libXrender.so.1 (0x000000361b600000)
        libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x000000361ec00000)
        libpng12.so.0 => /usr/lib64/libpng12.so.0 (0x00007fa19d824000)
        libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x0000003214200000)
        libgobject-2.0.so.0 => /lib64/libgobject-2.0.so.0 (0x0000003213600000)
        libXi.so.6 => /usr/lib64/libXi.so.6 (0x000000361ca00000)
        libXrandr.so.2 => /usr/lib64/libXrandr.so.2 (0x000000361d600000)
        libXinerama.so.1 => /usr/lib64/libXinerama.so.1 (0x000000361d200000)
        libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x0000003214a00000)
        libz.so.1 => /lib64/libz.so.1 (0x0000003617600000)
        libgthread-2.0.so.0 => /lib64/libgthread-2.0.so.0 (0x0000003213e00000)
        librt.so.1 => /lib64/librt.so.1 (0x0000003617a00000)
        libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x0000003212e00000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003616e00000)
        libQtNetwork.so.4 => /usr/lib64/libQtNetwork.so.4 (0x0000003217800000)
        libbz2.so.1 => /lib64/libbz2.so.1 (0x0000003622c00000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x000000361de00000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003616200000)
        libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fa19d61a000)
        libxcb.so.1 => /usr/lib64/libxcb.so.1 (0x0000003619200000)
        libcap.so.2 => /lib64/libcap.so.2 (0x000000361e200000)
        libexpat.so.1 => /lib64/libexpat.so.1 (0x0000003619600000)
        libssl.so.8 => /usr/lib64/libssl.so.8 (0x0000003216600000)
        libcrypto.so.8 => /usr/lib64/libcrypto.so.8 (0x0000003216200000)
        libattr.so.1 => /lib64/libattr.so.1 (0x000000361da00000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003215a00000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003214e00000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fa19d414000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003215200000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003215e00000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003620800000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003212600000)

Comment 3 Kevin Kofler 2009-06-15 17:34:25 UTC
Nothing suspicious there. However, Phonon loads some more stuff dynamically. Do you have any:
* proprietary graphics drivers?
* third-party codecs (e.g. Fluendo GStreamer codecs)?
* other third-party libraries which may find their way into Phonon?

Comment 4 Jerry Amundson 2009-06-15 17:50:29 UTC
Ah, now you're onto something - rpmfusion :

# rpm -qa --qf '%{NAME} %{VENDOR}\n' | grep RPM | awk '{ print $1 }' | xargs rpm -q
xvidcore-1.2.1-2.fc11.x86_64
libtunepimp-extras-freeworld-0.5.3-7.fc11.x86_64
x264-libs-0.0.0-0.24.20090319gitc109c8.fc11.x86_64
rpmfusion-free-release-11.90-1.noarch
libmpeg2-0.5.1-7.fc11.1.x86_64
lame-libs-3.98.2-3.fc11.x86_64
twolame-libs-0.3.12-4.fc11.x86_64
vcdimager-libs-0.7.23-10.fc11.x86_64
xine-lib-extras-freeworld-1.1.16.3-1.fc11.x86_64
gstreamer-plugins-ugly-0.10.11-1.fc11.x86_64
k3b-extras-freeworld-1.0.5-6.fc11.x86_64
a52dec-0.7.4-15.fc11.x86_64
vcdimager-0.7.23-10.fc11.x86_64
libdca-0.0.5-4.fc11.x86_64
faad2-libs-2.7-1.fc11.x86_64
gstreamer-ffmpeg-0.10.7-1.fc11.x86_64
madplay-0.15.2b-6.fc11.x86_64
libmad-0.15.1b-11.fc11.x86_64
faac-1.28-1.fc11.1.x86_64
ffmpeg-libs-0.5-2.fc11.x86_64

Comment 5 Kevin Kofler 2009-06-15 20:41:01 UTC
RPM Fusion's codecs are supposed to either not require execstack/execmem at all or have the relevant SELinux context set. If that's all the non-Fedora stuff you have, there must be a bug somewhere.

Comment 6 Kevin Kofler 2009-06-16 16:52:14 UTC
Ping dwalsh: Any idea how we can figure out which shared object is actually at fault here? Short of manually running readelf on every single shared library on the system?

Comment 7 Daniel Walsh 2009-06-17 14:27:09 UTC
Uli is much better at this stuff than I am.

Comment 8 Steven M. Parrish 2009-07-21 01:09:07 UTC
Uli, do you have any ideas on this?

-- 
Steven M. Parrish - KDE Triage Master
                  - PackageKit Triager
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 9 Ulrich Drepper 2009-07-21 02:35:59 UTC
It's not a text relocation, I assume.  In that case it's either an mmap() or mprotect() call.  Use strace to track all syscalls, locate the offenders, check what memory region they are modifying (in case of mprotect).  strace doesn't tell you where the call comes from, you need to deduce this from the context.
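
The procedure in Comment 9, as an added example that is not code from this thread: it scans `strace -f -o FILE` output for `mmap`/`mprotect` calls that request write and execute together and attributes each one to the file whose mapping contains the address. The trace lines are constructed, the library path and addresses are hypothetical, and it assumes one traced process whose threads share descriptors and mappings.

```python
import re

# Constructed sample in the format written by
# `strace -f -o FILE -e trace=open,openat,mmap,mprotect`;
# the library path and the addresses are hypothetical.
SAMPLE = """\
3443 open("/usr/lib64/libexample-codec.so.0", O_RDONLY) = 7
3443 mmap(NULL, 2101248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0) = 0x7f0a10000000
3443 mprotect(0x7f0a10100000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
3443 open("/etc/example.conf", O_RDONLY) = 8
3444 mmap(NULL, 10489856, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0a0f000000
3443 mprotect(0x7f0a10200000, 4096, PROT_READ) = 0
"""

CALL = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s+=\s+(\S+)')

def is_wx(prot):
    """True when a prot argument asks for write and execute together."""
    return {"PROT_WRITE", "PROT_EXEC"} <= set(prot.split("|"))

def find_wx(trace):
    """Return (pid, syscall, owner) for every successful W+X request."""
    fds, regions, hits = {}, [], []   # fd -> path; list of (start, end, owner)
    for line in trace.splitlines():
        m = CALL.match(line)
        if not m:
            continue
        pid, name, args, ret = m.groups()
        argv = [a.strip() for a in args.split(",")]  # naive: no commas in paths
        if name in ("open", "openat") and ret.isdigit():
            fds[ret] = argv[0 if name == "open" else 1].strip('"')
        elif name == "mmap" and ret.startswith("0x"):
            fd = argv[4]
            owner = "anonymous" if fd == "-1" else fds.get(fd, "fd " + fd)
            start = int(ret, 16)
            regions.append((start, start + int(argv[1]), owner))
            if is_wx(argv[2]):
                hits.append((int(pid), name, owner))
        elif name == "mprotect" and ret == "0" and is_wx(argv[2]):
            addr = int(argv[0], 16)
            # The newest mapping that contains the address owns the region.
            owner = next((o for s, e, o in reversed(regions)
                          if s <= addr < e), "unknown")
            hits.append((int(pid), name, owner))
    return hits

if __name__ == "__main__":
    for hit in find_wx(SAMPLE):
        print(hit)
```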

Comment 10 Steven M. Parrish 2009-08-26 18:40:18 UTC
Rex, Kevin, what do we want to do with this and other SELinux issues?


Comment 11 Rex Dieter 2009-08-26 18:44:09 UTC
For this one, I suggest
1. punt to rpmfusion (or ask reporter to reproduce free of rpmfusion bits).

or

2. wait, until someone can investigate further to reproduce or find the ultimate culprit 


Personally, I'd lean toward 1.

Comment 12 Rex Dieter 2009-09-09 00:05:07 UTC
punt to rpmfusion it is.  closing->cantfix (it's caused by software outside our control).

Comment 13 Rex Dieter 2009-09-09 00:06:32 UTC
*** Bug 506126 has been marked as a duplicate of this bug. ***

Comment 14 Christopher Antila 2010-08-28 05:54:50 UTC
I reported this to RPM Fusion: https://bugzilla.rpmfusion.org/show_bug.cgi?id=1381