Bug 1477462 - Needed to clear execstack on libQt5WebEngineCore.so.5 for Akregator to work
Summary: Needed to clear execstack on libQt5WebEngineCore.so.5 for Akregator to work
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: qt5-qtwebengine
Version: 26
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Kevin Kofler
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-02 07:44 UTC by Troels Arvin
Modified: 2018-02-03 17:04 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-02-03 17:04:15 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Troels Arvin 2017-08-02 07:44:45 UTC 
Description of problem:
After upgrading from Fedora 25 to Fedora 26, akregator would no longer start:

$ akregator
akregator: error while loading shared libraries: libQt5WebEngineCore.so.5: cannot enable executable stack as shared object requires: Permission denied

Meanwhile, in /var/log/audit/audit.log:

type=AVC msg=audit(1501659590.197:793): avc:  denied  { execstack } for  pid=20267 comm="akregator" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Workaround: As root, I ran 
execstack -c /usr/lib64/libQt5WebEngineCore.so.5

After that:
# execstack -q /usr/lib64/libQt5WebEngineCore.so.5
- /usr/lib64/libQt5WebEngineCore.so.5

And now, Akregator would run. But now, my qt5-qtwebengine package is no longer unmodified:
$ rpm --verify qt5-qtwebengine
SM5....T.    /usr/lib64/libQt5WebEngineCore.so.5

I don't know if this is a problem in the qt5-qtwebengine package, or if it's a problem with Akregator.
Comment 1 Rex Dieter 2018-02-03 15:19:26 UTC 
It would appear this is due to selinux misconfiguration, is this still a problem?

(triaging to proper component)
Comment 2 Troels Arvin 2018-02-03 16:29:20 UTC 
Yes it's still a problem (verified it with qt5-qtwebengine-5.10.0-1.fc26.x86_64).
Comment 3 Kevin Kofler 2018-02-03 16:45:06 UTC 
Is execstack really set by mistake (it can happen, if assembly source files are assembled without the correct .gnu.stack note) or is it actually needed? Because if it is the latter, execstack -c is the wrong fix and we need the SELinux policy fixed.
Comment 4 Kevin Kofler 2018-02-03 16:48:02 UTC 
And also, why are you the only one seeing this? I got +4 karma and not a single negative one:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-763efd6d5c
and I doubt all testers have SELinux disabled or permissive.
Comment 5 Troels Arvin 2018-02-03 16:57:30 UTC 
I see the bug by using the Akregator application which links to libQt5WebEngineCore. Maybe most other users of the library is using it via applications which for some reason do not work in a way where the SELinux issue is a problem.

As mentioned: Things used to work fine (in Fedora 25).
Comment 6 Kevin Kofler 2018-02-03 17:04:15 UTC 
Looks like selinuxuser_execstack is enabled by default in releases, so this is the fault of your configuration.
Note You need to log in before you can comment on or make changes to this bug.