Bug 508122

Summary: yelp triggering selinux "AVC-denial" (similar to or same as bug #507023)
Product: Fedora
Reporter: lmerithew
Component: yelp
Assignee: Matthew Barnes <mbarnes>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: mbarnes
Target Milestone: ---
Target Release: ---
Hardware: i586
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-28 23:51:36 EDT

Description lmerithew 2009-06-25 13:35:54 EDT
Description of problem: gnome-help tried to change a writable memory segment executable. 


Version-Release number of selected component (if applicable): yelp-2.26.0-3.fc11


How reproducible: click "help" icon when setting mouse preferences


Steps to Reproduce:
1.  System > Preferences > Mouse
2.  Click on "help" icon on lower left of window

Actual results:  SELinux troubleshooter window opens; icon at top right of screen also indicates "AVC-denial"


Expected results:


Additional info:  Full text of setroubleshoot browser window:

Summary
SELinux is preventing gnome-help from changing a writable memory segment executable. 

Detailed Description
The gnome-help application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If gnome-help does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package. 

Allowing Access
If you trust gnome-help to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/yelp'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/bin/yelp'" 

Fix Command
chcon -t execmem_exec_t '/usr/bin/yelp'

Additional Information
Source Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects:  None [ process ]
Source:  yelp
Source Path:  /usr/bin/yelp
Port:  <Unknown>
Host:  ******
Source RPM Packages:  yelp-2.26.0-3.fc11
Target RPM Packages:  
Policy RPM:  selinux-policy-3.6.12-50.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  allow_execmem
Host Name:  *****
Platform:  Linux ***** 2.6.29.4-167.fc11.i586 #1 SMP Wed May 27 17:14:37 EDT 2009 i686 i686
Alert Count:  12
First Seen:  Thu 18 Jun 2009 10:39:25 PM EDT
Last Seen:  Thu 25 Jun 2009 12:57:04 PM EDT
Local ID:  1e0b56e4-dcfb-41ee-b2a5-e3ecd8f8ced5
Line Numbers:
  
Raw Audit Messages :
node=***** type=AVC msg=audit(1245949024.326:28): avc: denied { execmem } for pid=6169 comm="gnome-help" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process 

node=***** type=SYSCALL msg=audit(1245949024.326:28): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=1 pid=6169 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-help" exe="/usr/bin/yelp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 

(Info that may personally identify me has been redacted.)
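The two raw audit records above are enough to reconstruct what SELinux actually refused, so here is a small triage script, added as an example (it is not from the report, from yelp or from setroubleshoot): it joins the AVC and SYSCALL records by their audit serial, decodes the i386 syscall number and the hex arguments, and reports that the denied call was mmap2 of an 8 KiB private anonymous mapping requested with PROT_READ|PROT_WRITE|PROT_EXEC, refused with EACCES. It goes slightly beyond the report by also recognising mprotect (i386 syscall 125), the other path to the same execmem check; the syscall, protection and mapping constants are the standard i386/Linux values, and the sample log is the report's own two lines with the host name left redacted.

```python
import re
from collections import defaultdict

# Constructed sample: the two raw audit records quoted above (host name redacted).
AUDIT_LOG = """\
node=***** type=AVC msg=audit(1245949024.326:28): avc: denied { execmem } for pid=6169 comm="gnome-help" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=***** type=SYSCALL msg=audit(1245949024.326:28): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=1 pid=6169 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-help" exe="/usr/bin/yelp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
DENIED_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')
# arch=40000003 is AUDIT_ARCH_I386, so syscall numbers are read from the i386 table.
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x02: "MAP_PRIVATE", 0x20: "MAP_ANONYMOUS"}
ERRNO = {-13: "EACCES"}

def parse_record(line):
    """Turn one audit record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    rec["denied"] = m.group(1).split() if (m := DENIED_RE.search(line)) else []
    return rec

def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]

def decode_execmem_events(text):
    """Join AVC and SYSCALL records by audit serial and explain each execmem denial."""
    by_serial = defaultdict(dict)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "execmem" not in avc["denied"]:
            continue
        ev = {"serial": serial, "comm": avc["comm"], "scontext": avc["scontext"]}
        if sc and sc["arch"] == "40000003":        # decode the refused i386 call
            ev["syscall"] = I386_SYSCALLS.get(int(sc["syscall"]), "other")
            ev["exe"] = sc["exe"]
            ev["errno"] = ERRNO.get(int(sc["exit"]), sc["exit"])
            ev["prot"] = flag_names(int(sc["a2"], 16), PROT_BITS)  # audit args are hex
            if ev["syscall"] == "mmap2":            # a1 = length, a3 = map flags
                ev["length"] = int(sc["a1"], 16)
                ev["map_flags"] = flag_names(int(sc["a3"], 16), MAP_BITS)
        events.append(ev)
    return events
```

Calling `decode_execmem_events(AUDIT_LOG)` returns the single event for serial 1245949024.326:28; the same function works unchanged on a longer extract of audit.log, where it will pick out only the execmem denials.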
Comment 1 Matthew Barnes 2009-06-28 23:51:36 EDT

*** This bug has been marked as a duplicate of bug 507023 ***