Bug 1477462 - Needed to clear execstack on libQt5WebEngineCore.so.5 for Akregator to work
Needed to clear execstack on libQt5WebEngineCore.so.5 for Akregator to work
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: qt5-qtwebengine (Show other bugs)
26
Unspecified Linux
unspecified Severity low
: ---
: ---
Assigned To: Kevin Kofler
Fedora Extras Quality Assurance
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-02 03:44 EDT by Troels Arvin
Modified: 2018-02-03 12:04 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-03 12:04:15 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Troels Arvin 2017-08-02 03:44:45 EDT
Description of problem:
After upgrading from Fedora 25 to Fedora 26, akregator would no longer start:

$ akregator
akregator: error while loading shared libraries: libQt5WebEngineCore.so.5: cannot enable executable stack as shared object requires: Permission denied

Meanwhile, in /var/log/audit/audit.log:

type=AVC msg=audit(1501659590.197:793): avc:  denied  { execstack } for  pid=20267 comm="akregator" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Workaround: As root, I ran 
execstack -c /usr/lib64/libQt5WebEngineCore.so.5

After that:
# execstack -q /usr/lib64/libQt5WebEngineCore.so.5
- /usr/lib64/libQt5WebEngineCore.so.5

And now, Akregator would run. But now, my qt5-qtwebengine package is no longer unmodified:
$ rpm --verify qt5-qtwebengine
SM5....T.    /usr/lib64/libQt5WebEngineCore.so.5

I don't know if this is a problem in the qt5-qtwebengine package, or if it's a problem with Akregator.
Comment 1 Rex Dieter 2018-02-03 10:19:26 EST
It would appear this is due to selinux misconfiguration, is this still a problem?

(triaging to proper component)
Comment 2 Troels Arvin 2018-02-03 11:29:20 EST
Yes it's still a problem (verified it with qt5-qtwebengine-5.10.0-1.fc26.x86_64).
Comment 3 Kevin Kofler 2018-02-03 11:45:06 EST
Is execstack really set by mistake (it can happen, if assembly source files are assembled without the correct .gnu.stack note) or is it actually needed? Because if it is the latter, execstack -c is the wrong fix and we need the SELinux policy fixed.
Comment 4 Kevin Kofler 2018-02-03 11:48:02 EST
And also, why are you the only one seeing this? I got +4 karma and not a single negative one:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-763efd6d5c
and I doubt all testers have SELinux disabled or permissive.
Comment 5 Troels Arvin 2018-02-03 11:57:30 EST
I see the bug by using the Akregator application which links to libQt5WebEngineCore. Maybe most other users of the library is using it via applications which for some reason do not work in a way where the SELinux issue is a problem.

As mentioned: Things used to work fine (in Fedora 25).
Comment 6 Kevin Kofler 2018-02-03 12:04:15 EST
Looks like selinuxuser_execstack is enabled by default in releases, so this is the fault of your configuration.

Note You need to log in before you can comment on or make changes to this bug.