Bug 812041

libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.1-3.fc16.x86_64
reason:         SELinux is preventing /usr/bin/gnome-shell from using the 'execmem' accesses on a process.
time:           Thu 12 Apr 2012 11:31:02 AM EDT

description:
:SELinux is preventing /usr/bin/gnome-shell from using the 'execmem' accesses on a process.
:
:*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
:
:If you want to allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
:Then you must tell SELinux about this by enabling the 'allow_execstack'boolean.
:Do
:setsebool -P allow_execstack 1
:
:*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************
:
:If you want to allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
:Then you must tell SELinux about this by enabling the 'allow_execmem'boolean.
:Do
:setsebool -P allow_execmem 1
:
:*****  Plugin catchall (6.38 confidence) suggests  ***************************
:
:If you believe that gnome-shell should be allowed execmem access on processes labeled unconfined_t by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep gnome-shell /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
:                              023
:Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
:                              023
:Target Objects                 [ process ]
:Source                        gnome-shell
:Source Path                   /usr/bin/gnome-shell
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           nautilus-3.2.1-2.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.1-3.fc16.x86_64 #1 SMP
:                              Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
:Alert Count                   103
:First Seen                    Tue 10 Apr 2012 02:15:55 PM EDT
:Last Seen                     Thu 12 Apr 2012 11:29:51 AM EDT
:Local ID                      80299778-72e2-4343-8ea8-cd0ce5f3db36
:
:Raw Audit Messages
:type=AVC msg=audit(1334244591.264:1052): avc:  denied  { execmem } for  pid=4669 comm="nautilus" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
:
:
:type=SYSCALL msg=audit(1334244591.264:1052): arch=x86_64 syscall=mmap success=yes exit=226184941568 a0=34a9ac5000 a1=3c000 a2=7 a3=812 items=0 ppid=3046 pid=4669 auid=1000 uid=1000 gid=1001 euid=1000 suid=1000 fsuid=1000 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=128 comm=nautilus exe=/usr/bin/nautilus subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
:
:Hash: gnome-shell,unconfined_t,unconfined_t,process,execmem
:
:audit2allow
:
:#============= unconfined_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     allow_execstack, allow_execmem
:
:allow unconfined_t self:process execmem;
:
:audit2allow -R
:
:#============= unconfined_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     allow_execstack, allow_execmem
:
:allow unconfined_t self:process execmem;
: