Bug 729733

Summary: SELinux is preventing /home/amulocal/linux/appl/Acrobat-9.4.2/Adobe/Reader9/Reader/intellinux/bin/acroread from using the execstack access on a process.
Product: [Fedora] Fedora Reporter: rasta
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 14CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-08-10 17:09:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description rasta 2011-08-10 17:00:03 UTC 
Description of problem: This is a reappearance of bug 630217, with the same behaviour; Adobe reader does not run because it has components that (allegedly) require an executable stack (libsccore.so and libcrypto.so) and SELinux bars them from running. Supposedly this was fixed in selinux-policy 3.9.7-12.fc14 but it reappears the policy revision below.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-42.fc14

How reproducible:
By running Adobe Reader 9 on an selinux-enabled FC14 machine 

Steps to Reproduce:
1. Update SELinux policy to the version above
2. Enable SELinux (if not already enabled)
3. Install Adobe Reader 9
4. Run Reader 9.
  
Actual results:
SELinux prevents execution

Expected results:
Adobe Reader 9 starts.

Additional info:
SELinux is preventing /home/amulocal/linux/appl/Acrobat-9.4.2/Adobe/Reader9/Reader/intellinux/bin/acroread from using the execstack access on a process.

*****  Plugin allow_execstack (53.1 confidence) suggests  ********************

If you believe that 
None
should not require execstack
Then you should clear the execstack flag and see if /home/amulocal/linux/appl/Acrobat-9.4.2/Adobe/Reader9/Reader/intellinux/bin/acroread works correctly.
Report this as a bug on None.
You can clear the exestack flag by executing:
Do
execstack -c None

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that acroread should be allowed execstack access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep acroread /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        acroread
Source Path                   /home/amulocal/linux/appl/Acrobat-9.4.2/Adobe/Read
                              er9/Reader/intellinux/bin/acroread
Port                          <Unknown>
Host                          footage.cs.man.ac.uk
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-42.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     footage.cs.man.ac.uk
Platform                      Linux footage.cs.man.ac.uk
                              2.6.35.13-92.fc14.i686.PAE #1 SMP Sat May 21
                              17:33:09 UTC 2011 i686 i686
Alert Count                   3
First Seen                    Mon 08 Aug 2011 17:19:39 BST
Last Seen                     Wed 10 Aug 2011 17:52:57 BST
Local ID                      37149a88-262d-4a83-9a5c-16c439392e52

Raw Audit Messages
type=AVC msg=audit(1312995177.219:28906): avc:  denied  { execstack } for  pid=28853 comm="acroread" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1312995177.219:28906): arch=i386 syscall=mprotect success=no exit=EACCES a0=bf8b5000 a1=1000 a2=1000007 a3=bf8b5728 items=0 ppid=1 pid=28853 auid=21490 uid=21490 gid=800 euid=21490 suid=21490 fsuid=21490 egid=800 sgid=800 fsgid=800 tty=(none) ses=197 comm=acroread exe=/home/amulocal/linux/appl/Acrobat-9.4.2/Adobe/Reader9/Reader/intellinux/bin/acroread subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: acroread,unconfined_t,unconfined_t,process,execstack

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
Comment 1 Daniel Walsh 2011-08-10 17:09:52 UTC 
You do not have the file installed into the system directory where we would have a chance of fixing this.

Installed in your homedir, it is up to you to fix the label or turn off the check.

setsebool -P allow_execstack 1