Bug 524762

Summary: setroubleshoot: SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.
Product: Fedora
Reporter: Matthias Hölzl <tc>
Component: yelp
Assignee: Matthew Barnes <mbarnes>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: atorkhov, dwalsh, jkubin, mbarnes, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:853161d471c13af19cd6c69dbdc79a36f31d258a885eabc50f676eed6d42a29b
Doc Type: Bug Fix
Last Closed: 2009-10-27 23:42:17 UTC
Bug Blocks: 524852

Description Matthias Hölzl 2009-09-22 05:34:40 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by gnome-help. The current boolean settings do
not allow this access. If you have not set up gnome-help to require this access
this may signal an intrusion attempt. If you do intend this access you need to
change the booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla.
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla.
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        gnome-help
Source Path                   /usr/bin/yelp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           yelp-2.27.5-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-7.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-33.fc12.i686 #1 SMP Thu Sep 17 15:56:11 EDT 2009 i686 athlon
Alert Count                   1
First Seen                    Tue 22 Sep 2009 07:33:50 AM CEST
Last Seen                     Tue 22 Sep 2009 07:33:50 AM CEST
Local ID                      530b9729-f87f-4f6a-9f69-078c1dbfd05a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253597630.343:44): avc:  denied  { execmem } for  pid=7499 comm="gnome-help" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1253597630.343:44): arch=40000003 syscall=192 success=yes exit=2404352 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=7499 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-help" exe="/usr/bin/yelp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

Comment 1 Alexey Torkhov 2009-09-22 11:00:31 UTC
Getting similar avcs from liferea:

node=rawhide.tortilla.ru type=AVC msg=audit(1253617043.92:245): avc: denied { execmem } for pid=12729 comm="liferea" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process 

node=rawhide.tortilla.ru type=SYSCALL msg=audit(1253617043.92:245): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 items=0 ppid=1 pid=12729 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="liferea" exe="/usr/bin/liferea" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
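
The two events above (the yelp one from the description and the liferea one from this comment) decoded side by side, as an added example; the script is not part of the bug report, of setroubleshoot or of audit2allow. It pairs each execmem AVC record with the SYSCALL record carrying the same msg=audit(ts:serial) key and decodes the mmap arguments from the audit fields, which are printed in hex: a1 is the length, a2 the PROT_* bits, a3 the MAP_* flags. The sample input is the four lines quoted on this page with the hostnames removed; the mprotect entries in the syscall table are an addition of this example (mprotect is the other common execmem source, but it does not appear in the logs here), and the "reason" strings follow the kernel's rule that execmem is asked for on any anonymous PROT_EXEC mapping and on private file mappings that are writable and executable at once.

```python
"""Decode SELinux execmem denials from raw audit records.

Added example for this report; it is not part of setroubleshoot, audit2allow
or the yelp/liferea packages. Each execmem AVC record is paired with the
SYSCALL record of the same event (same msg=audit(ts:serial) key) and the
syscall arguments are decoded, so you can see what the program asked for:
which call, how much memory, which PROT_* bits, which MAP_* flags, and
whether the call went through (permissive mode) or failed with EACCES
(enforcing mode).
"""
import re

# Constructed sample: the four audit lines quoted in the report, hostnames
# removed as in the original.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1253597630.343:44): avc:  denied  { execmem } for  pid=7499 comm="gnome-help" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=(removed) type=SYSCALL msg=audit(1253597630.343:44): arch=40000003 syscall=192 success=yes exit=2404352 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=7499 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-help" exe="/usr/bin/yelp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
node=(removed) type=AVC msg=audit(1253617043.92:245): avc: denied { execmem } for pid=12729 comm="liferea" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=(removed) type=SYSCALL msg=audit(1253617043.92:245): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 items=0 ppid=1 pid=12729 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="liferea" exe="/usr/bin/liferea" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# (audit arch, syscall number) -> (name, whether a3 carries MAP_* flags).
# The report shows mmap2 on i386 (arch 40000003) and mmap on x86_64
# (arch c000003e); mprotect is added here as the other common execmem
# source, it does not occur in the logs above.
EXECMEM_SYSCALLS = {
    ("40000003", "192"): ("mmap2", True),
    ("40000003", "125"): ("mprotect", False),
    ("c000003e", "9"): ("mmap", True),
    ("c000003e", "10"): ("mprotect", False),
}
PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4
MAP_SHARED, MAP_PRIVATE, MAP_FIXED, MAP_ANONYMOUS = 0x01, 0x02, 0x10, 0x20
PROT_NAMES = {PROT_READ: "PROT_READ", PROT_WRITE: "PROT_WRITE", PROT_EXEC: "PROT_EXEC"}
MAP_NAMES = {MAP_SHARED: "MAP_SHARED", MAP_PRIVATE: "MAP_PRIVATE",
             MAP_FIXED: "MAP_FIXED", MAP_ANONYMOUS: "MAP_ANONYMOUS"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(([^)]*)\)")
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Key=value fields of one audit line, plus the event key and, for AVC
    records, the list of permissions inside the braces."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["event"] = EVENT_RE.search(line).group(1)
    perms = PERMS_RE.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec


def decode_bits(value, names):
    return "|".join(n for bit, n in names.items() if value & bit) or "0"


def explain_execmem(audit_text):
    """Decode every execmem event in audit_text; returns one dict per event."""
    events = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event"], {})[rec["type"]] = rec

    out = []
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or "execmem" not in avc["perms"]:
            continue
        name, has_flags = EXECMEM_SYSCALLS.get(
            (sc["arch"], sc["syscall"]), ("syscall " + sc["syscall"], False))
        prot = int(sc["a2"], 16)            # a0..a3 are hex in audit logs
        flags = int(sc["a3"], 16) if has_flags else 0
        blocked = sc["success"] == "no"     # "yes" means permissive: it went through
        # Kernel rule (security/selinux/hooks.c, file_map_prot_check): execmem is
        # checked for PROT_EXEC on anonymous memory, and for private file mappings
        # that are writable and executable at the same time.
        if not prot & PROT_EXEC:
            reason = "no PROT_EXEC requested; look at the rest of the event"
        elif not has_flags:
            reason = "mprotect making an existing region executable (see /proc/PID/maps)"
        elif flags & MAP_ANONYMOUS:
            reason = "PROT_EXEC on anonymous memory (runtime code generation)"
        elif prot & PROT_WRITE and flags & MAP_PRIVATE:
            reason = "private file mapping that is both writable and executable"
        else:
            reason = "file-backed PROT_EXEC mapping; not the usual execmem pattern"
        out.append({
            "comm": avc["comm"], "exe": sc["exe"], "pid": int(avc["pid"]),
            "call": name, "length": int(sc["a1"], 16),
            "prot": decode_bits(prot, PROT_NAMES),
            "flags": decode_bits(flags, MAP_NAMES) if has_flags else "n/a",
            "blocked": blocked,
            "errno": -int(sc["exit"]) if blocked else 0,
            "reason": reason,
        })
    return out


if __name__ == "__main__":
    for ev in explain_execmem(SAMPLE_AUDIT):
        state = f'blocked, errno {ev["errno"]}' if ev["blocked"] else "allowed (permissive)"
        print(f'{ev["comm"]} ({ev["exe"]}, pid {ev["pid"]}): {ev["call"]} of '
              f'{ev["length"]} bytes, {ev["prot"]}, {ev["flags"]} -> {state}; {ev["reason"]}')
```

Run as is, it reports gnome-help's mmap2 as a 4096-byte PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS mapping that was allowed (the box is permissive, hence success=yes), and liferea's mmap as a 16384-byte PROT_READ|PROT_EXEC anonymous mapping that failed with EACCES (success=no exit=-13, so that box was enforcing). Both are the classic JIT pattern the execmem permission exists to flag; neither is a W+X file mapping. On a live system feed it the output of `ausearch -m AVC,SYSCALL -ts recent --raw` instead of the embedded sample.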

Comment 2 Daniel Walsh 2009-09-22 13:17:02 UTC
yelp should not need execmem privs.  Neither should liferea, you can open a bugzilla on that package.

Are these both clean installs?  Did you install any additional "codecs"?

Comment 3 Alexey Torkhov 2009-09-22 13:39:56 UTC
In my case this is an absolutely clean install - no packages from other repositories.

Oh, and this avc for liferea is happening on display of an rss item page - maybe it and yelp both use the same library for displaying html which should have execmem?

Comment 4 Daniel Walsh 2009-09-22 13:54:40 UTC
You mean should not need execmem :^)

Comment 5 Matthias Hölzl 2009-09-22 13:55:25 UTC
I did a clean install from the snapshot 3 Live CD and then installed additional
packages from the rawhide repository, but nothing from any third party
repository.  How do I find out the relevant codec packages?  The obvious
searches result in

[tc@raven ~]$ yum list gstreamer-plugins*
Loaded plugins: presto, refresh-packagekit
Installed Packages
gstreamer-plugins-base.i686                   0.10.24-2.fc12            @rawhide
gstreamer-plugins-flumpegdemux.i686           0.10.15-7.fc12            @rawhide
gstreamer-plugins-good.i686                   0.10.16-1.fc12            @rawhide
Available Packages
gstreamer-plugins-base-devel.i686             0.10.24-2.fc12            rawhide
gstreamer-plugins-good-devel.i686             0.10.16-1.fc12            rawhide
gstreamer-plugins-schroedinger.i586           1.0.7-1.fc12              rawhide
[tc@raven ~]$ yum list *codec*
Loaded plugins: presto, refresh-packagekit
Installed Packages
jakarta-commons-codec.i686                1.3-11.4.fc12                 @rawhide
Available Packages
grfcodec.i686                             0.9.11-0.4.r2177.fc12         rawhide
jakarta-commons-codec-javadoc.i686        1.3-11.4.fc12                 rawhide
[tc@raven ~]$ yum list *xine* *xmms*
Loaded plugins: presto, refresh-packagekit
Installed Packages
libXinerama.i686                        1.0.99.1-1.fc12                 @rawhide
libXinerama-devel.i686                  1.0.99.1-1.fc12                 @rawhide
Available Packages
[many...]

I did not reformat the home partition, so in theory yelp might access something
there.  However, I can find nothing obviously suspicious, so pointers to
"dangerous" directories would be welcome.  The .gnome2/yelp file contains only

[Geometry]
width=932
height=844

Comment 6 Alexey Torkhov 2009-09-22 13:59:31 UTC
In case of liferea this is an issue with webkitgtk - see bug 516057. This could be same issue with yelp too.

Comment 7 Matthias Hölzl 2009-09-22 14:13:43 UTC
Does Fedora yelp use webkitgtk?  It doesn't look like that to me:

[tc@raven ~]$ ldd /usr/bin/yelp | grep webkit
[tc@raven ~]$

Comment 8 Alexey Torkhov 2009-09-22 16:53:45 UTC
Looking at the mmaps for the liferea process, it seems it does:
# grep webkit /proc/17554/maps 
312fc00000-3130c7e000 r-xp 00000000 fd:04 150913                         /usr/lib64/libwebkit-1.0.so.2.10.0
3130c7e000-3130e7e000 ---p 0107e000 fd:04 150913                         /usr/lib64/libwebkit-1.0.so.2.10.0
3130e7e000-3130f96000 rw-p 0107e000 fd:04 150913                         /usr/lib64/libwebkit-1.0.so.2.10.0
7f841a545000-7f841a549000 r--p 00000000 fd:04 35585                      /usr/share/locale/ru/LC_MESSAGES/webkit.mo
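
The grep above answers "is webkit loaded?"; the follow-on question when chasing an execmem AVC in permissive mode is "where is the executable anonymous memory it created?", because the mmap succeeded and the region is still visible in /proc/PID/maps. The parser below is an added example, not code from the report or from liferea/webkit. Its sample input is the four libwebkit lines from this comment plus one invented `rwxp` region with no backing file (address and size made up for the example) standing in for a JIT code cache.

```python
"""Find executable anonymous memory in a /proc/PID/maps listing.

Added example, not part of the bug report. In permissive mode the mmap
behind an execmem AVC succeeds, so the region it created can be found in
/proc/PID/maps as an executable mapping with no backing file. Listing those
next to the shared objects the process has loaded shows which component is
generating code at run time.
"""
import re

# Constructed sample: the four libwebkit lines quoted in comment 8, plus one
# invented anonymous rwxp region of the kind a JIT creates (address and size
# are made up for this example).
SAMPLE_MAPS = """\
312fc00000-3130c7e000 r-xp 00000000 fd:04 150913                         /usr/lib64/libwebkit-1.0.so.2.10.0
3130c7e000-3130e7e000 ---p 0107e000 fd:04 150913                         /usr/lib64/libwebkit-1.0.so.2.10.0
3130e7e000-3130f96000 rw-p 0107e000 fd:04 150913                         /usr/lib64/libwebkit-1.0.so.2.10.0
7f8419000000-7f8419100000 rwxp 00000000 00:00 0
7f841a545000-7f841a549000 r--p 00000000 fd:04 35585                      /usr/share/locale/ru/LC_MESSAGES/webkit.mo
"""

# address range, perms, file offset, device, inode, optional path
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")


def parse_maps(text):
    """One dict per mapping line; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            d = m.groupdict()
            regions.append({"start": int(d["start"], 16), "end": int(d["end"], 16),
                            "perms": d["perms"], "path": d["path"].strip()})
    return regions


def exec_anonymous(regions):
    """Executable regions with no backing file: JIT code caches, trampolines,
    or injected code. These are what the execmem permission governs."""
    return [r for r in regions if "x" in r["perms"] and not r["path"]]


def writable_executable(regions):
    """Regions mapped with both w and x, file-backed or not (W^X violated)."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


def loaded_objects(regions, needle=""):
    """Distinct file paths mapped by the process whose name contains needle,
    the programmatic form of `grep webkit /proc/PID/maps`."""
    seen = []
    for r in regions:
        p = r["path"]
        if p.startswith("/") and needle in p and p not in seen:
            seen.append(p)
    return seen


if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    for r in exec_anonymous(regs):
        print(f'anonymous exec region {r["start"]:x}-{r["end"]:x} {r["perms"]} '
              f'({(r["end"] - r["start"]) // 1024} KiB)')
    print("webkit objects:", loaded_objects(regs, "webkit"))
```

On a real process replace SAMPLE_MAPS with `open(f"/proc/{pid}/maps").read()`. An anonymous region with `x` set is the artefact the AVC is about; a file-backed `rwxp` segment instead points at a library whose text was relocated in place (the execmod case), which is a different policy question.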

Comment 9 Matthew Barnes 2009-10-27 23:42:17 UTC

*** This bug has been marked as a duplicate of bug 507023 ***