Bug 512139

Summary: setroubleshoot: SELinux is preventing gwibber from changing a writable memory segment executable.
Product: Fedora
Component: gwibber
Version: rawhide
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Reporter: Tom "spot" Callaway <tcallawa>
Assignee: Ian Weller <ian>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, drepper, dwalsh, ian, mgrepl, peter
Whiteboard: setroubleshoot_trace_hash:32619aa979feef44247da6ab1609ec7341a871469f6744ee27e99db89d1a6da9
Doc Type: Bug Fix
Last Closed: 2009-10-18 00:59:42 UTC

Description Tom "spot" Callaway 2009-07-16 14:17:07 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing gwibber from changing a writable memory segment
executable.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The gwibber application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If gwibber does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust gwibber to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/python'". You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/bin/python'"

Fix Command:

chcon -t execmem_exec_t '/usr/bin/python'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        gwibber
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6-10.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.21-3.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.29.4-167.fc11.x86_64 #1 SMP
                              Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   141
First Seen                    Wed 01 Jul 2009 09:57:29 AM EDT
Last Seen                     Wed 15 Jul 2009 11:21:53 PM EDT
Local ID                      1c39f514-af62-42bd-a353-7485b0de1e3b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1247714513.0:1270): avc:  denied  { execmem } for  pid=9221 comm="gwibber" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1247714513.0:1270): arch=c000003e syscall=9 success=no exit=-1693696040 a0=0 a1=4000 a2=7 a3=22 items=0 ppid=1 pid=9221 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gwibber" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
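Added example (not part of the report or of setroubleshoot): a small Python decoder that pairs the AVC record above with its SYSCALL record by audit event id and decodes the mmap arguments, so a triager can see what the denial actually was. On x86_64, syscall 9 is mmap, a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC and a3=22 is MAP_PRIVATE|MAP_ANONYMOUS, i.e. an anonymous mapping that is writable and executable at once, which is exactly what the execmem check gates. Flag values and syscall numbers are from the Linux x86_64 ABI; the sample records are the two quoted in this report.

```python
import re

# Constructed sample input: the two raw audit records quoted in this report.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1247714513.0:1270): avc:  denied  { execmem } for  pid=9221 comm="gwibber" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
node=(removed) type=SYSCALL msg=audit(1247714513.0:1270): arch=c000003e syscall=9 success=no exit=-1693696040 a0=0 a1=4000 a2=7 a3=22 items=0 ppid=1 pid=9221 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gwibber" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x02: "MAP_PRIVATE", 0x20: "MAP_ANONYMOUS"}
X86_64 = "c000003e"                      # AUDIT_ARCH_X86_64 as printed by auditd
SYSCALLS = {9: "mmap", 10: "mprotect"}   # x86_64 numbers; both take prot in a2

def parse_record(line):
    """Split one audit line into key=value fields, stripping quotes from values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else "0"

def explain_execmem(text):
    """Pair AVC and SYSCALL records by event id and decode execmem denials."""
    events = {}
    for line in text.strip().splitlines():
        event_id = re.search(r"audit\([^)]*:(\d+)\)", line).group(1)
        events.setdefault(event_id, {})[parse_record(line)["type"]] = line
    findings = []
    for event_id, recs in events.items():
        if "AVC" not in recs or "SYSCALL" not in recs:
            continue
        perms = re.search(r"\{ ([^}]*) \}", recs["AVC"]).group(1).split()
        if "execmem" not in perms:
            continue
        sc = parse_record(recs["SYSCALL"])
        nr = int(sc["syscall"])
        if sc["arch"] != X86_64:
            continue  # the syscall table above is x86_64 only
        name = SYSCALLS.get(nr, f"syscall {nr}")
        prot = int(sc["a2"], 16)          # audit prints a0..a3 as bare hex
        finding = {
            "event": event_id, "pid": int(sc["pid"]), "comm": sc["comm"], "exe": sc["exe"],
            "syscall": name, "prot": decode_flags(prot, PROT_FLAGS),
            "wx": bool(prot & 0x2 and prot & 0x4),  # writable AND executable
        }
        if name == "mmap":                # a1 = length, a3 = map flags
            finding["length"] = int(sc["a1"], 16)
            finding["map_flags"] = decode_flags(int(sc["a3"], 16), MAP_FLAGS)
        findings.append(finding)
    return findings
```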

Comment 1 Daniel Walsh 2009-07-19 15:55:25 UTC
Why does it need this priv?

http://people.redhat.com/~drepper/selinux-mem.html

Comment 2 Ulrich Drepper 2009-10-14 09:25:50 UTC
Tom, we need information.

Comment 3 Tom "spot" Callaway 2009-10-14 12:43:31 UTC
That may be, but I have no idea why gwibber needs execmem.

Comment 4 Ulrich Drepper 2009-10-15 13:06:38 UTC
(In reply to comment #3)
> That may be, but I have no idea why gwibber needs execmem.  

Then perhaps the maintainer can enlighten us.  If nobody knows the application it might not have a place in the distribution.  Granting the rights is wrong in any case.

Comment 5 Ian Weller 2009-10-15 21:56:53 UTC
I can't really know what to do about this unless I know what exactly you did to cause this to happen. Nothing in this bug is specific at all to the usage that caused this AVC.

Comment 6 Ian Weller 2009-10-15 22:14:32 UTC
Actually, this looks an awful lot like bug 516057 on webkitgtk... adding Peter to CC.

Comment 7 Daniel Walsh 2009-10-16 12:47:49 UTC
Ian, if gwibber uses webkitgtk, you can close this as a dup.

Comment 8 Ian Weller 2009-10-18 00:59:42 UTC
Which it does. CLOSED DUPLICATE 516057

*** This bug has been marked as a duplicate of bug 516057 ***