Bug 530927 (yelpexecmem)

Summary: SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.
Product: [Fedora] Fedora Reporter: Victor David M <biggest65>
Component: yelpAssignee: Matthew Barnes <mbarnes>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, frodenicolaisen, mbarnes, mgrepl, virgilioj_23
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:5d904fb5e6552dbfbad3da999111c7e73e1c55084f230063162abac04d773539
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-27 19:42:50 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Victor David M 2009-10-26 02:01:38 EDT

SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.

Descripción Detallada:

SELinux denied access requested by yelp. The current boolean settings do not
allow this access. If you have not setup yelp to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Permitiendo Acceso:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Comando para Corregir:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1

Información Adicional:

Contexto Fuente               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Contexto Destino              unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Objetos Destino               None [ process ]
Fuente                        yelp
Dirección de Fuente          /usr/bin/yelp
Puerto                        <Desconocido>
Nombre de Equipo              (removed)
Paquetes RPM Fuentes          yelp-2.28.0-1.fc12
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.6.32-24.fc12
SELinux Activado              True
Tipo de Política             targeted
MLS Activado                  True
Modo Obediente                Enforcing
Nombre de Plugin              catchall_boolean
Nombre de Equipo              (removed)
Plataforma                    Linux (removed)
                              #1 SMP Tue Sep 29 16:32:02 EDT 2009 i686 athlon
Cantidad de Alertas           3
Visto por Primera Vez         dom 25 oct 2009 21:26:22 EDT
Visto por Última Vez         dom 25 oct 2009 21:26:22 EDT
ID Local                      e16cae7f-39d3-44ae-8a1d-69707f1d9ee1
Números de Línea            

Mensajes de Auditoría Crudos 

node=(removed) type=AVC msg=audit(1256520382.315:24181): avc:  denied  { execmem } for  pid=2470 comm="yelp" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1256520382.315:24181): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=2470 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="yelp" exe="/usr/bin/yelp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall_boolean,yelp,unconfined_t,unconfined_t,process,execmem
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
Comment 1 Daniel Walsh 2009-10-26 08:50:48 EDT
This is a bug in yelp or some library that it is causing.  We have changed the default for Fedora 12 to enabel allow_execmem boolean because of badly written code.  You should probably just turn on this boolean 

setsebool -P allow_execmem 1

execmem has also been caused by the nvidia device drivers.
Comment 2 Matthew Barnes 2009-10-27 19:42:50 EDT

*** This bug has been marked as a duplicate of bug 507023 ***