Bug 524806

Summary: SELinux is preventing /usr/bin/liferea "execmem" access on <Unknown>.
Product: [Fedora] Fedora Reporter: Tim Waugh <twaugh>
Component: webkitgtkAssignee: Peter Gordon <peter>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: martin.sourada, maxamillion, mtasaka, peter, smparrish
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-09-11 17:56:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tim Waugh 2009-09-22 10:02:58 UTC 
Description of problem:
I'm getting SELinux AVC messages from liferea.  This only start in the last few days.

Version-Release number of selected component (if applicable):
liferea-1.6.0-0.fc12.x86_64
selinux-policy-targeted-3.6.32-6.fc12.noarch

How reproducible:
Very frequent.

Steps to Reproduce:
1.Start liferea and let it run for a bit.
  
Actual results:
setroubleshoot message.  Full report:

==>
Summary:

SELinux is preventing /usr/bin/liferea "execmem" access on <Unknown>.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by liferea. The current boolean settings do not
allow this access. If you have not setup liferea to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        liferea
Source Path                   /usr/bin/liferea
Port                          <Unknown>
Host                          worm.elk
Source RPM Packages           liferea-1.6.0-0.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-6.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     worm.elk
Platform                      Linux worm.elk 2.6.31-33.fc12.x86_64 #1 SMP Thu
                              Sep 17 15:40:43 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 22 Sep 2009 09:23:27 BST
Last Seen                     Tue 22 Sep 2009 10:30:53 BST
Local ID                      73a45570-46ba-4b94-a9eb-b36c1da143a5
Line Numbers                  

Raw Audit Messages            

node=worm.elk type=AVC msg=audit(1253611853.653:136): avc:  denied  { execmem } for  pid=3069 comm="liferea" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=worm.elk type=SYSCALL msg=audit(1253611853.653:136): arch=c000003e syscall=10 success=yes exit=0 a0=7f2ed6084000 a1=1000 a2=5 a3=bb4958246c894ce7 items=0 ppid=1 pid=3069 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="liferea" exe="/usr/bin/liferea" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
<==

Expected results:
No setroubleshoot message.

Additional info:
Not sure exactly when it occurs -- perhaps when fetching feeds.
Comment 1 Steven M. Parrish 2009-09-22 13:57:13 UTC 
From all the reports I have been getting this appears to be an issue in webkitgtk which is being used to render html.  Going to reassign there for the moment.
Comment 2 Bug Zapper 2009-11-16 12:45:06 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Steven M. Parrish 2009-11-19 20:32:51 UTC 
This bug has been triaged
Comment 4 Kevin Fenzi 2010-09-11 17:56:23 UTC 
This looks like a dup of 516057 to me.

*** This bug has been marked as a duplicate of bug 516057 ***