Bug 522917

Summary: setroubleshoot: SELinux is preventing /usr/bin/liferea from changing a writable memory segment executable.
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: lifereaAssignee: Steven M. Parrish <smparrish>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: allinux4, cla.florio, drepper, dwalsh, idht4n, jfrieben, marko.nurmenniemi, mgrepl, nigel, notting, olivares14031, pfpschneider, smparrish, Stefan.Zink, stevenward666, vchelban
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:01e33c6da95bb750c9010cf4b0b29ca7f0d1dd3f07dc0b335dde7706f73be2f4
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-21 16:20:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nicolas Mailhot 2009-09-12 07:29:22 UTC 
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing /usr/bin/liferea from changing a writable memory segment
executable.

Description détaillée:

[liferea has a permissive type (unconfined_t). This access was not denied.]

The liferea application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If liferea does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

Autoriser l'accès:

If you trust liferea to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/liferea'". You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/bin/liferea'"

Commande de correction:

chcon -t execmem_exec_t '/usr/bin/liferea'

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contexte cible                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Objets du contexte            None [ process ]
source                        liferea
Chemin de la source           /usr/bin/liferea
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         liferea-1.6.0-0.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.31-3.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 allow_execmem
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-2.fc12.x86_64 #1 SMP Thu
                              Sep 10 00:25:40 EDT 2009 x86_64 x86_64
Compteur d'alertes            1
Première alerte              sam. 12 sept. 2009 09:25:47 CEST
Dernière alerte              sam. 12 sept. 2009 09:25:47 CEST
ID local                      b22c2187-df6f-4bc5-bfec-553ecfd5dff8
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252740347.693:496): avc:  denied  { execmem } for  pid=2114 comm="liferea" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1252740347.693:496): arch=c000003e syscall=9 success=yes exit=140534071214080 a0=0 a1=4000 a2=5 a3=22 items=0 ppid=2015 pid=2114 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="liferea" exe="/usr/bin/liferea" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
Comment 1 Daniel Walsh 2009-09-14 15:38:57 UTC 
Liferea should not require execmem.

This is a dangerous permission and should be fixed.



http://people.redhat.com/~drepper/selinux-mem.html
Comment 2 Bill Nottingham 2009-09-21 16:20:48 UTC 

*** This bug has been marked as a duplicate of bug 516057 ***