Bug 525583

Summary: SELinux is preventing /usr/bin/empathy "execmem" access on <Unknown>.
Product: [Fedora] Fedora
Reporter: Mathieu Bridon <bochecha>
Component: empathy
Assignee: Peter Gordon <peter>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: bdpepple, peter, xan
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-25 15:03:12 UTC

Description Mathieu Bridon 2009-09-24 22:05:47 UTC
Summary:

SELinux is preventing /usr/bin/empathy "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by empathy. The current boolean settings do not
allow this access. If you have not setup empathy to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        epiphany
Source Path                   /usr/bin/epiphany
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           empathy-2.28.0-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31-33.fc12.x86_64
                              #1 SMP Thu Sep 17 15:40:43 EDT 2009 x86_64 x86_64
Alert Count                   8
First Seen                    Thu 24 Sep 2009 03:16:26 PM CEST
Last Seen                     Thu 24 Sep 2009 11:42:31 PM CEST
Local ID                      5f36fe1d-1b50-4602-940c-403f44e9f1c0
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1253828551.809:35): avc:  denied  { execmem } for  pid=2218 comm="empathy" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1253828551.809:35): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 items=0 ppid=1 pid=2218 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="empathy" exe="/usr/bin/empathy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
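
For triage, the AVC and SYSCALL records above share one audit event id, and the SYSCALL arguments show which memory mapping was refused. The following is an added example, not part of the original report or of any Fedora tool; the sample input is the two records above abridged to the fields used, and the constant tables are the x86_64 Linux values (arch=c000003e) for mmap.

```python
import errno
import re

# x86_64 Linux values (arch=c000003e); assumed here, not stated in the report.
SYSCALLS = {9: "mmap", 10: "mprotect"}
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

# The two raw audit records from this report, abridged to the fields used below.
RECORDS = """\
type=AVC msg=audit(1253828551.809:35): avc:  denied  { execmem } for  pid=2218 comm="empathy" tclass=process
type=SYSCALL msg=audit(1253828551.809:35): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 pid=2218 comm="empathy" exe="/usr/bin/empathy"
"""

def flag_names(value, table):
    """Render a bitmask as FLAG|FLAG using the given bit -> name table."""
    return "|".join(name for bit, name in table.items() if value & bit) or "0"

def decode(log):
    """Pair AVC and SYSCALL records by audit event id and decode mmap arguments."""
    events = {}
    for line in log.splitlines():
        m = re.search(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)", line)
        if not m:
            continue
        rtype, event_id = m.groups()
        ev = events.setdefault(event_id, {})
        if rtype == "AVC":
            perm = re.search(r"denied\s+\{\s*([^}]+?)\s*\}", line)
            ev["denied"] = perm.group(1).split() if perm else []
        elif rtype == "SYSCALL":
            f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
            ev["syscall"] = SYSCALLS.get(int(f["syscall"]), f["syscall"])
            ev["errno"] = errno.errorcode.get(-int(f["exit"]), f["exit"])
            ev["exe"] = f["exe"].strip('"')
            if ev["syscall"] == "mmap":  # a1=length, a2=prot, a3=flags, all hex
                ev["length"] = int(f["a1"], 16)
                ev["prot"] = flag_names(int(f["a2"], 16), PROT)
                ev["flags"] = flag_names(int(f["a3"], 16), MAP)
    return events

if __name__ == "__main__":
    for event_id, ev in decode(RECORDS).items():
        print(event_id, ev)
```

The decoded request is a private anonymous mapping with PROT_READ|PROT_EXEC and no PROT_WRITE; SELinux applies the execmem check to anonymous mappings requested with PROT_EXEC, which is the kind of allocation a JIT makes for generated code.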

Comment 1 Mathieu Bridon 2009-09-24 22:07:40 UTC
Note that this happens consistently when using an Adium theme, so it might be an issue in WebKit.

Comment 2 Xan López 2009-09-25 14:24:33 UTC
So, I really have no clue of what this might be, but here's one wild guess: can you compile WebKitGTK+ *without* JIT (--disable-jit) and check if that fixes it?

I'm using Fedora and can't really reproduce this though, is there any non-standard setting I should enable?

Comment 3 Mathieu Bridon 2009-09-25 14:34:45 UTC
No non-standard setting enabled, just Fedora Rawhide with empathy 2.28, and selinux enabled (by default).

Comment 4 Xan López 2009-09-25 14:38:53 UTC
(In reply to comment #3)
> No non-standard setting enabled, just Fedora Rawhide with empathy 2.28, and
> selinux enabled (by default).  

OK, I'm running Fedora 10 still, so it might be that. I'll upgrade to Fedora 11 (or maybe some F12 alpha/beta) before going to the Boston Summit probably, so I'll make sure to check that if we don't fix it before.

In any case, if you can test what I suggested that would be very useful.

Comment 5 Mathieu Bridon 2009-09-25 14:49:02 UTC
I'll try that this week-end.

You won't be able to reproduce it with F11 though. It only happens when I try to use an Adium theme, so it needs 2.28.

Comment 6 Peter Gordon 2009-09-25 15:03:12 UTC
Thanks for the bug report; however, I'm almost certain this is the same issue as seen in #516057, caused by some erroneous assembly in WebKitGTK+'s JIT support.

If this is not the case, and something else is indeed causing the problem, please re-open this bug with further details.

*** This bug has been marked as a duplicate of bug 516057 ***