Bug 527079

Summary: setroubleshoot: SELinux is preventing /usr/bin/arora from changing a writable memory segment executable.
Product: [Fedora] Fedora
Reporter: Jaroslav Reznik <jreznik>
Component: qt
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: drepper, dwalsh, jreznik, kevin, ltinkl, mgrepl, rdieter, than
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:c7c5f41d476e195e38d5819150e64489fb40dc05bf4378c06440e7fa2feb5ff1
Fixed In Version: 4.5.3-7.fc10
Doc Type: Bug Fix
Last Closed: 2009-11-04 12:03:59 UTC

Description Jaroslav Reznik 2009-10-04 07:57:12 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/bin/arora from changing a writable memory segment
executable.

Detailed Description:

The arora application attempted to change the access protection of memory (e.g.,
allocated using malloc). This is a potential security problem. Applications
should not be doing this. Applications are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If arora does not work and you need it to work, you can
configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

Allowing Access:

If you trust arora to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/arora'". You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/bin/arora'"

Fix Command:

chcon -t execmem_exec_t '/usr/bin/arora'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        arora
Source Path                   /usr/bin/arora
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           arora-0.9.0-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-23.fc12.i686 #1 SMP Wed Sep 16
                              16:09:25 EDT 2009 i686 i686
Alert Count                   108
First Seen                    Wed 09 Sep 2009 12:52:23 PM CEST
Last Seen                     Wed 30 Sep 2009 10:45:07 PM CEST
Local ID                      65be4dbf-8588-474b-bffc-d971d4582fb5
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1254343507.921:130): avc:  denied  { execmem } for  pid=12157 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1254343507.921:130): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=4000 a2=7 a3=22 items=0 ppid=1637 pid=12157 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="arora" exe="/usr/bin/arora" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-1.fc12,allow_execmem,arora,unconfined_t,unconfined_t,process,execmem
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
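
The SYSCALL record paired with the AVC above shows exactly what the process asked the kernel for; audit prints `a0`..`a3` in hexadecimal. The following is an added example (not part of the original report or of setroubleshoot) that pairs the two records by event ID and decodes the request. The sample log is trimmed from the records quoted above, and the syscall table is an assumption limited to i386 `mmap2` and `mprotect`.

```python
import errno
import re

# Constructed sample: the AVC/SYSCALL pair from the report, with fields trimmed.
SAMPLE = (
    'type=AVC msg=audit(1254343507.921:130): avc:  denied  { execmem } for  '
    'pid=12157 comm="arora" tclass=process\n'
    'type=SYSCALL msg=audit(1254343507.921:130): arch=40000003 syscall=192 '
    'success=no exit=-13 a0=0 a1=4000 a2=7 a3=22 pid=12157 comm="arora" '
    'exe="/usr/bin/arora"\n'
)

AUDIT_ARCH_I386 = 0x40000003                     # EM_386 | little-endian flag
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}  # only the two relevant here
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS"}

def flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse(line):
    """Return (record type, event id, key=value fields) for one audit line."""
    rtype = re.search(r"type=(\w+)", line).group(1)
    event = re.search(r"msg=audit\(([\d.]+:\d+)\)", line).group(1)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line.split("):", 1)[1]))
    return rtype, event, {k: v.strip('"') for k, v in fields.items()}

def explain_execmem(log):
    """Pair each execmem AVC with its SYSCALL record and decode the request."""
    avc_events, syscalls = set(), {}
    for line in filter(None, log.splitlines()):
        rtype, event, f = parse(line)
        if rtype == "AVC" and "{ execmem }" in line:
            avc_events.add(event)
        elif rtype == "SYSCALL":
            syscalls[event] = f
    out = []
    for event in sorted(avc_events & syscalls.keys()):
        f = syscalls[event]
        if int(f["arch"], 16) != AUDIT_ARCH_I386:
            continue                     # the syscall table above is i386 only
        name = I386_SYSCALLS.get(int(f["syscall"]), "syscall_" + f["syscall"])
        info = {"exe": f["exe"], "syscall": name, "length": int(f["a1"], 16),
                "prot": flags(int(f["a2"], 16), PROT),
                "error": errno.errorcode[-int(f["exit"])]}
        if name == "mmap2":
            info["map_flags"] = flags(int(f["a3"], 16), MAP)
        out.append(info)
    return out
```

For the records in this report the result is a 16 KiB private anonymous `mmap2` requested as read, write and execute at once, which is the pattern the `execmem` check exists to catch.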

Comment 1 Daniel Walsh 2009-10-05 13:25:18 UTC
Arora should not need this priv.

Comment 2 Daniel Walsh 2009-10-05 13:25:55 UTC
*** Bug 527080 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2009-10-05 13:28:13 UTC
*** Bug 527081 has been marked as a duplicate of this bug. ***

Comment 4 Jaroslav Reznik 2009-10-05 14:00:54 UTC
Hi Dan,
could you provide some hints on what I could do with this issue? Thanks.

Comment 5 Daniel Walsh 2009-10-05 14:07:14 UTC
Well first what is arora written in?  What does it do?

This explains what execmem means.
http://people.redhat.com/~drepper/selinux-mem.html

Comment 6 Jaroslav Reznik 2009-10-05 15:17:26 UTC
It's a Qt WebKit browser written in C++, it should not do any low-level operations which are not done by Qt or WebKit itself. I've checked the link and I don't have a clue where to look. Any guide to SELinux debugging?

Comment 7 Daniel Walsh 2009-10-05 15:20:34 UTC
Uli any ideas?

Comment 8 Kevin Kofler 2009-10-06 07:20:56 UTC
This is probably the WebKit JavaScript JIT (Squirrelfish Extreme). It got recently disabled in WebKitGtk because of this, I guess QtWebKit has the same problem.

Comment 9 Jaroslav Reznik 2009-10-06 07:59:22 UTC
Thanks Kevin,
the bug for WebKitGtk is this one: https://bugzilla.redhat.com/show_bug.cgi?id=516057

I'm reassigning this bug to Qt as we should fix it in Qt too (JIT disable workaround for now?). Not closing as duplicate as it belongs to another component but we should track WKG bug.

Comment 10 Fedora Update System 2009-10-11 23:49:32 UTC
qt-4.5.3-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/qt-4.5.3-4.fc11

Comment 11 Fedora Update System 2009-10-14 01:44:59 UTC
qt-4.5.3-4.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update qt'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-10447

Comment 12 Fedora Update System 2009-10-14 01:49:36 UTC
qt-4.5.3-4.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update qt'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-10462

Comment 13 Fedora Update System 2009-11-04 12:03:32 UTC
qt-4.5.3-7.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2009-11-04 12:35:45 UTC
qt-4.5.3-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.