Bug 650279

Summary: SELinux is preventing /usr/lib64/maxima/5.22.1/binary-gcl/maxima from changing the access protection of memory on the heap.
Product: [Fedora] Fedora Reporter: Rex Dieter <rdieter>
Component: gclAssignee: Jerry James <loganjerry>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, green, loganjerry, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:b6f935610f91c725a2c016f30ee8f80916f9c4e5e7c71fd7b7aaa0224d1e53c3
Fixed In Version: gcl-2.6.8-0.8.20110516cvs.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-07 04:38:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rex Dieter 2010-11-05 16:45:11 UTC 
Summary:

SELinux is preventing /usr/lib64/maxima/5.22.1/binary-gcl/maxima from changing
the access protection of memory on the heap.

Detailed Description:

The maxima application attempted to change the access protection of memory on
the heap (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. If maxima does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

Allowing Access:

If you want maxima to continue, you must turn on the allow_execheap boolean.
Note: This boolean will affect all applications on the system.

Fix Command:

setsebool -P allow_execheap=1

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        maxima
Source Path                   /usr/lib64/maxima/5.22.1/binary-gcl/maxima
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           maxima-runtime-gcl-5.22.1-5.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-69.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execheap
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.34.7-61.fc13.x86_64 #1 SMP Tue Oct 19 04:06:30
                              UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 05 Nov 2010 11:41:12 AM CDT
Last Seen                     Fri 05 Nov 2010 11:43:17 AM CDT
Local ID                      bb9210cc-ff7e-4105-a03d-eef2e87baab7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1288975397.737:23588): avc:  denied  { execheap } for  pid=7229 comm="maxima" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1288975397.737:23588): arch=c000003e syscall=10 per=40000 success=no exit=-13 a0=3674000 a1=8f5a000 a2=7 a3=7fffffffd840 items=0 ppid=2179 pid=7229 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="maxima" exe="/usr/lib64/maxima/5.22.1/binary-gcl/maxima" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execheap,maxima,unconfined_t,unconfined_t,process,execheap
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execheap'

allow unconfined_t self:process execheap;
Comment 1 Rex Dieter 2010-11-05 16:50:29 UTC 
Hrm, tried installing gcl-selinux which is supposed to contain policy to correct this, but it doesn't seem to help. ??
Comment 2 Rex Dieter 2010-11-05 16:50:56 UTC 
Fwiw, original bug about this was awhile back in bug #496124
Comment 3 Rex Dieter 2010-11-05 18:28:50 UTC 
It would appear the policy needs apply to

/usr/lib/maxima/[^/]+/binary-gcl/maxima
/usr/lib64/maxima/[^/]+/binary-gcl/maxima

not just
/usr/lib/maxima/[^/]+/binary-gcl
/usr/lib64/maxima/[^/]+/binary-gcl
which is a directory (unless these policies can be made to be recursive?).

Though, after making that change, I encounter this,

/usr/sbin/semodule -i /usr/share/selinux/packages/gcl/gcl.pp
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib/maxima/[^/]+/binary-gcl/maxima  (system_u:object_r:gcl_exec_t:s0 and system_u:object_r:textrel_shlib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib64/maxima/[^/]+/binary-gcl/maxima  (system_u:object_r:gcl_exec_t:s0 and system_u:object_r:textrel_shlib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
Comment 4 Daniel Walsh 2010-11-05 18:33:43 UTC 
We have those defined as textrel_shlib_t, should I remove.
Comment 5 Jerry James 2010-11-11 02:17:59 UTC 
Yes, those need to be gcl_exec_t.  With respect to comment 3, my understanding is that I'm specifying a regular expression, so the existing regexps:

/usr/lib/maxima/[^/]+/binary-gcl
/usr/lib64/maxima/[^/]+/binary-gcl

DO match these already:

/usr/lib/maxima/[^/]+/binary-gcl/maxima
/usr/lib64/maxima/[^/]+/binary-gcl/maxima

Is that correct?  If so, I should probably just combine those into one rule:

/usr/lib(64)?/maxima/[^/]+/binary-gcl
Comment 6 Daniel Walsh 2010-11-11 14:34:07 UTC 
/usr/lib(64)?/maxima/[^/]+/binary-gcl

Will not match an executable that ends with maxima.
Comment 7 Daniel Walsh 2010-11-11 14:35:03 UTC 
Miroslav, remove the maxima lines from our policy.

/usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib64/maxima/[^/]+/binary-gcl/maxima --	gen_context(system_u:object_r:textrel_shlib_t,s0)
Comment 8 Miroslav Grepl 2010-11-11 15:35:27 UTC 
Ok, removed.
Comment 9 Bug Zapper 2011-05-30 14:09:02 UTC 
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Jerry James 2011-06-01 22:17:12 UTC 
Oops, sorry Rex.  I let this fall off my radar.  I've got the trivial fix to the SELinux policy and a few more fixes checked into git and a build is on the way once the builders are back online.
Comment 11 Fedora Update System 2011-06-02 02:14:52 UTC 
gcl-2.6.8-0.8.20110516cvs.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/gcl-2.6.8-0.8.20110516cvs.fc15
Comment 12 Fedora Update System 2011-06-02 02:15:01 UTC 
gcl-2.6.8-0.8.20110516cvs.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/gcl-2.6.8-0.8.20110516cvs.fc14
Comment 13 Fedora Update System 2011-06-02 11:00:37 UTC 
Package gcl-2.6.8-0.8.20110516cvs.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gcl-2.6.8-0.8.20110516cvs.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/gcl-2.6.8-0.8.20110516cvs.fc15
then log in and leave karma (feedback).
Comment 14 Fedora Update System 2011-06-07 04:38:33 UTC 
gcl-2.6.8-0.8.20110516cvs.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2011-06-11 04:25:37 UTC 
gcl-2.6.8-0.8.20110516cvs.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.