Bug 710768

Summary: Gimp's help browser needs execmem
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 15
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Linux
Reporter: Göran Uddeborg <goeran>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Doc Type: Bug Fix
Last Closed: 2011-10-07 14:21:57 UTC

Description Göran Uddeborg 2011-06-04 16:57:31 UTC
When using the help function in gimp, a window flashes briefly but disappears,
and the message
  /usr/lib64/gimp/2.0/plug-ins/help-browser: fatal error: Segmenteringsfel
is written on the console.

I previously reported this problem in bug 668162, and that was closed with updates to F13.  I'm not sure if it ever was fixed for F14, but it seems to have reappeared in F15.

The fix I believe was to set the default context for /usr/lib(64)?/gimp/2\.0/plug-ins/help-browser to execmem_exec_t.  But doing

semanage fcontext -l | grep /gimp/

only returns

/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  all files  system_u:object_r:bin_t:s0 

So that particular fix does at least not seem to be part of F15.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.16-24.fc15.noarch

Comment 1 Miroslav Grepl 2011-06-06 10:06:59 UTC
So

# chcon -t execmem_exec_t /usr/lib64/gimp/2.0/plug-ins/help-browser

works for you?

Comment 2 Göran Uddeborg 2011-06-06 14:59:11 UTC
Yes it does.  It is something like that I thought would be in the default file contexts.

Comment 3 Göran Uddeborg 2011-10-07 18:52:21 UTC
In which version of selinux-policy is this fixed?  Only for F15, and not F16?  If so, do you want me to open a separate case to have it fixed in F16 too?

I tried on my F16 machine, and it is still the same crash as before.

Packages:
selinux-policy-targeted-3.10.0-38.fc16.noarch
gimp-help-browser-2.6.11-22.fc16.x86_64

The AVC alert:
type=SYSCALL msg=audit(1318013321.421:1825): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=80000000 a2=7 a3=22 items=0 ppid=26164 pid=26354 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts0 ses=262 comm="help-browser" exe="/usr/lib64/gimp/2.0/plug-ins/help-browser" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318013321.421:1825): avc:  denied  { execmem } for  pid=26354 comm="help-browser" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
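
An added example (not part of the bug report or of any Fedora tool): a Python sketch that pairs the SYSCALL and AVC records quoted in Comment 3 by their audit event id and decodes the mmap arguments, showing that the denied call asked for an anonymous private mapping that is readable, writable and executable at once. The function names and flag tables are this example's own; the flag values are the Linux x86_64 constants.

```python
import re
from collections import defaultdict

# The two audit records from Comment 3, copied from the page.
SAMPLE = """\
type=SYSCALL msg=audit(1318013321.421:1825): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=80000000 a2=7 a3=22 items=0 ppid=26164 pid=26354 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts0 ses=262 comm="help-browser" exe="/usr/lib64/gimp/2.0/plug-ins/help-browser" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318013321.421:1825): avc:  denied  { execmem } for  pid=26354 comm="help-browser" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

# mmap(2) protection and mapping flag bits on Linux x86_64.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def bits(value, table):
    """Names of the flag bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse(text):
    """Group audit records by event id (the number after ':' in msg=audit(...))."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = re.match(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)", line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        perms = re.search(r"\{ ([^}]*) \}", body)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[event_id][rtype] = fields
    return events

def explain_execmem(text):
    """One finding per event in which an mmap call was denied execmem."""
    findings = []
    for recs in parse(text).values():
        sc, avc = recs.get("SYSCALL"), recs.get("AVC")
        if not (sc and avc) or "execmem" not in avc.get("perms", []):
            continue
        # arch=c000003e is x86_64, where syscall 9 is mmap(addr, len, prot, flags, ...).
        if (sc["arch"], sc["syscall"]) != ("c000003e", "9"):
            continue
        findings.append({
            "exe": sc["exe"].strip('"'), "domain": avc["scontext"].split(":")[2],
            "prot": bits(int(sc["a2"], 16), PROT), "flags": bits(int(sc["a3"], 16), MAP),
            "length": int(sc["a1"], 16), "errno": -int(sc["exit"]),  # a0..a3 are hex
        })
    return findings
```

On the records above, the finding shows a 0x80000000-byte request with all three protection bits set, refused with errno 13 (EACCES) because the process was running in `unconfined_t`.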

Comment 4 Miroslav Grepl 2011-10-10 10:46:18 UTC
Yep, you are right. This is not fixed in F16. Could you open a new bug for F16? Thank you.

Comment 5 Göran Uddeborg 2011-10-11 10:17:32 UTC
I've opened bug 710768 for the same problem in F16.

Comment 6 Göran Uddeborg 2011-10-11 10:18:26 UTC
Sorry, copied the wrong number!  I mean I've opened 745057.