Bug 160331 - update to selinux-policy-targeted breaks 3rd party apps (like wine + Lotus Notes, IBM db2, etc)
update to selinux-policy-targeted breaks 3rd party apps (like wine + Lotus No...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-14 10:55 EDT by James Hunt
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version: 1.25.2-4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-21 15:16:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description James Hunt 2005-06-14 10:55:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The udpate to selinux-policy-targeted-1.17.30-3.2 that I received on June 10, 2005 has broken Wine / Lotus Notes. Here are the log messages I get when I attempt to start Notes:

audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

This worked with selinux-policy-targeted-1.17.30-2.96.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2 

How reproducible:
Always

Steps to Reproduce:
1. start notes under wine
2. watch the splash screen appear and then disappear
3. observe the error in the ring buffer by typing 'dmesg'.
  

Actual Results:  Application (Lotus Notes) did not start, and this message appeared in the ring buffer:

audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

Expected Results:  I expected no error, and for Notes to start, as it did when I was running with
selinux-policy-targeted-1.17.30-2.96.


Additional info:

I have very similar errors ("avc: denied { execmod }") for IBM's DB2 and eclipse (haven't had a chance to check running all the other 3rd party apps I've got installed). Here is a DB2 example:

audit(1118735088.338:0): avc:  denied  { execmod } for  pid=5997 comm=db2dasstm path=/usr/IBM/db2/V8.1/das/function/db2mdfile dev=dm-5 ino=720934 scontext=user_u:system_r:unconfined_
t tcontext=system_u:object_r:usr_t tclass=file

I'm not a SELinux guru, but it appears that the major change introduced by selinux-policy-targeted-1.17.30-3.2 was all the boolean stuff:

sdiff /etc/selinux/targeted/booleans /tmp/old/selinux/etc/selinux/targeted/
allow_execmem=1                                               <
allow_execmod=1                                               <
allow_execstack=1                                             <
allow_kerberos=1                                              <
allow_ypbind=1                                                <
dhcpd_disable_trans=0                                         <
httpd_builtin_scripting=0                                     <
httpd_can_network_connect=0                                   <
httpd_disable_trans=0                                         <
httpd_enable_cgi=1                                              httpd_enable_cgi=1
httpd_enable_homedirs=1                                         httpd_enable_homedirs=1
httpd_ssi_exec=1                                                httpd_ssi_exec=1
httpd_tty_comm=0                                              <
httpd_unified=1                                               <
mysqld_disable_trans=0                                        <
named_disable_trans=0                                         <
named_write_master_zones=0                                      named_write_master_zones=0
nscd_disable_trans=0                                          | httpd_unified=1
ntpd_disable_trans=0                                          | httpd_tty_comm=0
portmap_disable_trans=0                                       <
postgresql_disable_trans=0                                    <
snmpd_disable_trans=0                                         <
squid_disable_trans=0                                         <
syslogd_disable_trans=0                                       <
use_nfs_home_dirs=0                                           <
use_samba_home_dirs=0                                         <
use_syslogng=0                                                <
winbind_disable_trans=0                                       <
ypbind_disable_trans=0                                        <

I tried to change allow_execmod to "0", but got my fingers singed as I couldn't even run '/bin/clear' after that!! The "fix" for me was to run system-config-securitylevel, select the "SELinux" tab, and then uncheck "Enforcing Current" box, which I believe (a complete guess, due to lack of documentation) puts the system in "permissive" mode.

Please consider reverting these changes as they appear to be breaking lots of non-Fedora packaged applications. Maybe some actual documentation would be kind of useful too: try googling on these sets of keywords:

  selinux allow_execmod
  linux allow_execmod
  fc3 allow_execmod

I rest my case...
Comment 1 Jose Pedro Oliveira 2005-06-14 12:12:46 EDT
Related ticket

* selinux-policy-targeted 1.17.30-3.2 breaks Adobe AcroRead 7.0.0-2
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160106
Comment 2 Jose Pedro Oliveira 2005-06-14 12:14:17 EDT
Also breaks the cisco vpnclient package:

Jun 14 16:12:20 localhost kernel: audit(1118761940.276:0): avc:  denied  {
execmod } for pid=5447 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so
dev=hda9 ino=827502 scontext=root:system_r:unconfined_t
tcontext=root:object_r:usr_t tclass=file
Comment 3 Daniel Walsh 2005-06-15 14:54:13 EDT
fixed in selinux-policy-targeted 1.17.30-3.9
Comment 4 James Hunt 2005-06-17 05:35:23 EDT
Daniel,

Unfortunately, it is not fixed in 1.17.30-3.9; I get exactly the same errors,
and have had to revert to permissive mode again.

Regards,

James.
Comment 5 Daniel Walsh 2005-06-17 06:41:06 EDT
James, Do you have allow_execmod set?

setsebool -P allow_execmod=1

Dan
Comment 6 James Hunt 2005-06-17 08:29:39 EDT
Hi Da,

I believe so...

cat /selinux/booleans/allow_execmod
1 1

Here's the output of "sestatus -v":

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connectinactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
use_syslogng            inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          user_u:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t


Here's one of the many errors I get in dmesg when I attempt to start Notes under
Wine:

audit(1119011237.629:0): avc:  denied  { execmod } for  pid=26379
comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll
dev=dm-5 ino=672253 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file
Comment 7 Doug Maxey 2005-06-28 16:43:24 EDT
(In reply to comment #3)
> fixed in selinux-policy-targeted 1.17.30-3.9

Works For Me (tm) with crossover office 4.2. 
Comment 8 Joachim Selke 2005-06-29 06:00:13 EDT
I now have a problem with the current Java SDK from Sun. With
selinux-policy-targeted-1.17.30-3.9 everything was working fine. But then I
updated to 1.17.30-3.13 and get errors when executing java or javac.

Even the Java installer doesn't work. When executing
jdk-1_5_0_04-linux-amd64.bin (the installer's binary) I get the following error:

./install.sfx.19637: error while loading shared libraries: /lib64/tls/libc.so.6:
cannot apply additional memory protection after relocation: Permission denied


/var/var/messages says:

kernel: audit(1120039055.765:0): avc:  denied  { execmod } for  pid=19648
comm=install.sfx.196 path=/lib64/tls/libc-2.3.5.so dev=dm-0 ino=24281097
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file


The output of "sestatus -v" is:

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connectinactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
read_default_t          active
snmpd_disable_trans     inactive
squid_connect_any       inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          root:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t
Comment 9 Joachim Selke 2005-06-29 12:45:40 EDT
Addition to comment #8:

If I set "setenforce 0" everything is working as expected, but I think this is a
workaround and not a solution.
Comment 10 James Hunt 2005-07-21 05:48:32 EDT
Sorry - forgot to update bug. I'm now running with
selinux-policy-targeted-1.25.2-4, and it is also fixed for me; I'm now running
back in enforcing mode.

Note You need to log in before you can comment on or make changes to this bug.