Bug 904691
| Summary: | SELinux is preventing /home/dale/.local/share/Steam/SteamApps/rxguy/Team Fortress 2/hl2_linux from using the 'execheap' accesses on a process. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dale Turner <rxguy> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | allan.herrera777, circuitsoft, dominick.grift, dwalsh, fedyapupkin, fg83, gspurki, hx, john, marek90, mgrepl, mikhail.v.gavrilov, oasookee, sheepdestroyer, vladislav.khromov |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:c210ed67bf30efcdba620f437196c92c1d4701489e177bd18032e692f6096487 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-01-28 11:15:05 UTC | Type: | --- |

You can allow it using

    # setsebool -P selinuxuser_execheap 1

BTW execheap should almost never be needed and is often a sign of badly written code.

*** Bug 904469 has been marked as a duplicate of this bug. ***

URL for this bug with Valve, https://github.com/ValveSoftware/steam-for-linux/issues/43

Valve reply was: It shouldn't crash anymore. But you won't get any mp3 audio as the decoder can't JIT.

Someone needs to open a bug with steam about this. This is considered a fairly dangerous access, and probably should not be required. Almost no other apps require this access. This link http://www.akkadia.org/drepper/selinux-mem.html explains the memory protections, and should be included in a steam bugzilla.

*** Bug 964376 has been marked as a duplicate of this bug. ***

*** Bug 979647 has been marked as a duplicate of this bug. ***

*** Bug 1226045 has been marked as a duplicate of this bug. ***

Description of problem:
STEAM game, half life 2

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.1.3-201.fc22.x86_64
type: libreport

Description of problem:
Problem occurred during browsing while the game was running in the background.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.2.3-200.fc22.x86_64
type: libreport

Description of problem:
Play in steam game

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.2.3-200.fc22.x86_64
type: libreport

*** Bug 1387740 has been marked as a duplicate of this bug. ***

*** Bug 1379164 has been marked as a duplicate of this bug. ***

Description of problem:
Start Counter Strike Source

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.10-300.fc25.x86_64
type: libreport

Description of problem:
It occurs when playing Steam games

Version-Release number of selected component:
selinux-policy-3.13.1-225.3.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.14-300.fc25.x86_64
type: libreport

Description of problem:
launching game from steam

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.9.5-200.fc25.x86_64
type: libreport

Description of problem:

    SELinux is preventing /home/dale/.local/share/Steam/SteamApps/rxguy/Team Fortress 2/hl2_linux from using the 'execheap' accesses on a process.

    ***** Plugin allow_execheap (53.1 confidence) suggests *********************

    If you do not think /home/dale/.local/share/Steam/SteamApps/rxguy/Team Fortress 2/hl2_linux should need to map heap memory that is both writable and executable.
    Then you need to report a bug. This is a potentially dangerous access.
    Do
    contact your security administrator and report this issue.

    ***** Plugin catchall_boolean (42.6 confidence) suggests *******************

    If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
    Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.
    You can read 'unconfined_selinux' man page for more details.
    Do
    setsebool -P selinuxuser_execheap 1

    ***** Plugin catchall (5.76 confidence) suggests ***************************

    If you believe that hl2_linux should be allowed execheap access on processes labeled unconfined_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep hl2_linux /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Target Objects                [ process ]
    Source                        hl2_linux
    Source Path                   /home/dale/.local/share/Steam/SteamApps/rxguy/Team Fortress 2/hl2_linux
    Port                          <Unknown>
    Host                          (removed)
    Source RPM Packages
    Target RPM Packages
    Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     (removed)
    Platform                      Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed Jan 16 16:22:52 UTC 2013 x86_64 x86_64
    Alert Count                   3
    First Seen                    2013-01-19 09:31:53 AST
    Last Seen                     2013-01-26 20:41:17 AST
    Local ID                      71e8f3b6-749d-47bb-8db9-8270beff9728

    Raw Audit Messages
    type=AVC msg=audit(1359247277.373:1848): avc: denied { execheap } for pid=32297 comm="hl2_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

    type=SYSCALL msg=audit(1359247277.373:1848): arch=i386 syscall=capget success=no exit=EACCES a0=9f36000 a1=c000 a2=7 a3=ffec15dc items=0 ppid=32292 pid=32297 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 ses=5 tty=pts0 comm=hl2_linux exe=2F686F6D652F64616C652F2E6C6F63616C2F73686172652F537465616D2F537465616D417070732F72786775792F5465616D20466F72747265737320322F686C325F6C696E7578 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

    Hash: hl2_linux,unconfined_t,unconfined_t,process,execheap

    audit2allow

    #============= unconfined_t ==============
    #!!!! This avc can be allowed using the boolean 'selinuxuser_execheap'
    allow unconfined_t self:process execheap;

    audit2allow -R

    #============= unconfined_t ==============
    #!!!! This avc can be allowed using the boolean 'selinuxuser_execheap'
    allow unconfined_t self:process execheap;

Additional info:
hashmarkername: setroubleshoot
kernel: 3.7.4-204.fc18.x86_64
type: libreport
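
Added example, not part of the bug report or of setroubleshoot: a short Python triage of the two raw audit records in the report above. It pairs the AVC denial with the SYSCALL record of the same event, decodes the hex-encoded `exe` path, and reads `a0`..`a2` as `mprotect(addr, len, prot)` arguments, which is an assumption (the report labels the syscall `capget`); the function names are hypothetical.

```python
import re

# Constructed input: the report's two raw audit records, abridged to the fields used.
EXE_HEX = ("2F686F6D652F64616C652F2E6C6F63616C2F73686172652F537465616D2F"
           "537465616D417070732F72786775792F5465616D20466F72747265737320322F"
           "686C325F6C696E7578")
SAMPLE = (
    'type=AVC msg=audit(1359247277.373:1848): avc: denied { execheap } for '
    'pid=32297 comm="hl2_linux" tclass=process\n'
    'type=SYSCALL msg=audit(1359247277.373:1848): arch=i386 syscall=capget '
    'success=no exit=EACCES a0=9f36000 a1=c000 a2=7 exe=' + EXE_HEX + '\n')
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MEM_PERMS = {"execheap", "execmem", "execmod", "execstack"}

def fields(record):
    """key=value pairs of one audit record, surrounding quotes removed."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_exe(value):
    """Heuristic: an all-hex value is auditd's encoding of a path with spaces."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def triage(log):
    """Pair each memory-protection AVC denial with its SYSCALL record."""
    events = {}
    for line in log.splitlines():
        m = re.search(r"msg=audit\(([\d.]+:\d+)\)", line)
        if m:
            events.setdefault(m.group(1), {})[fields(line).get("type")] = line
    findings = []
    for event_id, recs in events.items():
        avc = re.search(r"denied\s+\{([^}]*)\}", recs.get("AVC", ""))
        perms = set(avc.group(1).split()) & MEM_PERMS if avc else set()
        if not perms or "SYSCALL" not in recs:
            continue
        sc = fields(recs["SYSCALL"])
        # Assumption: a0..a2 are read as mprotect(addr, len, prot) arguments.
        prot = int(sc["a2"], 16)
        findings.append({
            "event": event_id, "perms": sorted(perms), "exe": decode_exe(sc["exe"]),
            "addr": int(sc["a0"], 16), "length": int(sc["a1"], 16),
            "prot": [n for bit, n in PROT.items() if prot & bit],
            "rwx": (prot & 0x6) == 0x6})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run on the sample, it reports one `execheap` event from `hl2_linux` requesting `PROT_READ`, `PROT_WRITE` and `PROT_EXEC` together on 0xc000 bytes at 0x9f36000.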