Bug 524762
| Field | Value |
|---|---|
| Summary | setroubleshoot: SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>. |
| Product | [Fedora] Fedora |
| Component | yelp |
| Version | rawhide |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED DUPLICATE |
| Severity | medium |
| Priority | low |
| Reporter | Matthias Hölzl <tc> |
| Assignee | Matthew Barnes <mbarnes> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | atorkhov, dwalsh, jkubin, mbarnes, mgrepl |
| Whiteboard | setroubleshoot_trace_hash:853161d471c13af19cd6c69dbdc79a36f31d258a885eabc50f676eed6d42a29b |
| Doc Type | Bug Fix |
| Bug Blocks | 524852 |
| Last Closed | 2009-10-27 23:42:17 UTC |

Description
Matthias Hölzl
2009-09-22 05:34:40 UTC
Getting similar avcs from liferea:

```
node=rawhide.tortilla.ru type=AVC msg=audit(1253617043.92:245): avc: denied { execmem } for pid=12729 comm="liferea" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=rawhide.tortilla.ru type=SYSCALL msg=audit(1253617043.92:245): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 items=0 ppid=1 pid=12729 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="liferea" exe="/usr/bin/liferea" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
```

yelp should not need execmem privs. Neither should liferea, you can open a bugzilla on that package. Are these both clean installs? Did you install any additional "codecs"?

In my case this is an absolutely clean install - no packages from other repositories.

Oh, and this avc for liferea is happening on display of rss item page - maybe it and yelp both use the same library for displaying html which should have execmem?

You mean should not need execmem :^)

I did a clean install from the snapshot 3 Live CD and then installed additional packages from the rawhide repository, but nothing from any third party repository. How do I find out the relevant codec packages? The obvious searches result in

```
[tc@raven ~]$ yum list gstreamer-plugins*
Loaded plugins: presto, refresh-packagekit
Installed Packages
gstreamer-plugins-base.i686            0.10.24-2.fc12    @rawhide
gstreamer-plugins-flumpegdemux.i686    0.10.15-7.fc12    @rawhide
gstreamer-plugins-good.i686            0.10.16-1.fc12    @rawhide
Available Packages
gstreamer-plugins-base-devel.i686      0.10.24-2.fc12    rawhide
gstreamer-plugins-good-devel.i686      0.10.16-1.fc12    rawhide
gstreamer-plugins-schroedinger.i586    1.0.7-1.fc12      rawhide
[tc@raven ~]$ yum list *codec*
Loaded plugins: presto, refresh-packagekit
Installed Packages
jakarta-commons-codec.i686             1.3-11.4.fc12     @rawhide
Available Packages
grfcodec.i686                          0.9.11-0.4.r2177.fc12    rawhide
jakarta-commons-codec-javadoc.i686     1.3-11.4.fc12     rawhide
[tc@raven ~]$ yum list *xine* *xmms*
Loaded plugins: presto, refresh-packagekit
Installed Packages
libXinerama.i686                       1.0.99.1-1.fc12   @rawhide
libXinerama-devel.i686                 1.0.99.1-1.fc12   @rawhide
Available Packages
[many...]
```

I did not reformat the home partition, so in theory yelp might access something there. However, I can find nothing obviously suspicious, so pointers to "dangerous" directories would be welcome. The .gnome2/yelp file contains only

```
[Geometry]
width=932
height=844
```

In case of liferea this is an issue with webkitgtk - see bug 516057. This could be the same issue with yelp too. Does Fedora yelp use webkitgtk?

It doesn't look like that to me:

```
[tc@raven ~]$ ldd /usr/bin/yelp | grep webkit
[tc@raven ~]$
```

Looking at mmaps for liferea process, seems it does:

```
# grep webkit /proc/17554/maps
312fc00000-3130c7e000 r-xp 00000000 fd:04 150913 /usr/lib64/libwebkit-1.0.so.2.10.0
3130c7e000-3130e7e000 ---p 0107e000 fd:04 150913 /usr/lib64/libwebkit-1.0.so.2.10.0
3130e7e000-3130f96000 rw-p 0107e000 fd:04 150913 /usr/lib64/libwebkit-1.0.so.2.10.0
7f841a545000-7f841a549000 r--p 00000000 fd:04 35585 /usr/share/locale/ru/LC_MESSAGES/webkit.mo
```

*** This bug has been marked as a duplicate of bug 507023 ***
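
The SYSCALL record quoted with the liferea AVC shows which memory request was refused once its arguments are decoded. The following is an added example, not part of the original bug thread: it pairs AVC and SYSCALL records by audit event ID and decodes the mmap() arguments. The function names and the trimmed sample records are constructed for illustration, and only x86_64 mmap (arch=c000003e, syscall=9) is handled.

```python
import re

# Constructed input: the two audit records quoted in the thread, with the
# long SELinux contexts and uid/gid fields trimmed.
SAMPLE = '''\
type=AVC msg=audit(1253617043.92:245): avc: denied { execmem } for pid=12729 comm="liferea" tclass=process
type=SYSCALL msg=audit(1253617043.92:245): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 items=0 pid=12729 comm="liferea" exe="/usr/bin/liferea"
'''

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
X86_64, SYS_MMAP = 0xC000003E, 9  # AUDIT_ARCH_X86_64 and mmap(2) on that arch

def flags(value, table):
    return [name for bit, name in table.items() if value & bit]

def explain_execmem(log):
    """Pair AVC execmem denials with their SYSCALL record and decode mmap()."""
    events = {}
    for line in log.splitlines():
        m = re.search(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)", line)
        if not m:
            continue
        rec = events.setdefault(m.group(2), {})
        if m.group(1) == "AVC" and re.search(r"denied\s+\{[^}]*\bexecmem\b", line):
            rec["execmem"] = True
        elif m.group(1) == "SYSCALL":
            rec["sc"] = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    out = []
    for eid, rec in events.items():
        sc = rec.get("sc")
        if not rec.get("execmem") or not sc:
            continue
        if int(sc["arch"], 16) != X86_64 or int(sc["syscall"]) != SYS_MMAP:
            continue  # only x86_64 mmap is decoded in this example
        # auditd prints a0..a3 in hex without a 0x prefix
        length, prot, mflags = (int(sc[k], 16) for k in ("a1", "a2", "a3"))
        out.append({
            "event": eid, "exe": sc["exe"].strip('"'), "length": length,
            "prot": flags(prot, PROT), "flags": flags(mflags, MAP),
            "errno": -int(sc["exit"]),
            # an executable mapping with no backing file is what execmem gates
            "anonymous_exec": bool(prot & 0x4) and bool(mflags & 0x20),
        })
    return out
```

For the quoted event this reports a 0x4000-byte MAP_PRIVATE|MAP_ANONYMOUS mapping requested with PROT_READ|PROT_EXEC and refused with errno 13 (EACCES).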