Bug 1656245 - p11_virtual_wrap causing tmpfiles to be created causing SELinux violations and error logs
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: p11-kit
Version: 29
Hardware: Unspecified
OS: Unspecified
Assignee: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1655619
Reported: 2018-12-05 02:39 UTC by Scott Shambarger
Modified: 2019-01-14 01:58 UTC

Fixed In Version: p11-kit-0.23.14-2.fc29
Last Closed: 2019-01-14 01:58:05 UTC
Type: Bug

Attachments
Patch to attempt to use fixed closures before calling libffi (2.10 KB, application/mbox)
2018-12-05 02:39 UTC, Scott Shambarger

Description Scott Shambarger 2018-12-05 02:39:59 UTC
Created attachment 1511522
Patch to attempt to use fixed closures before calling libffi

Description of problem:
Calls to p11_virtual_wrap are creating and mmapping tmpfiles.

Many programs that link p11-kit-proxy.so (directly or not) may not have
SELinux permissions to create tmpfiles (or mmap them), leading to a
series of violation reports, and the following errors logged:

ffi_closure_alloc failed

There are lots of "auto-generated" bugs from the SELinux violations, but I logged a specific one for certwatch (bug 1655619).

Version-Release number of selected component (if applicable):
p11-kit-0.23.14-1.fc29.x86_64

How reproducible:
Whenever the function is called from a library or program that cannot
create tmpfiles (e.g. certwatch in crypto-utils or upsmon in nut-monitor)

Additional info:
This bug appears to be fixed upstream... I've attached the commit
that fixes the problem (tested, does indeed fix the errors and SELinux violations)
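
A triage sketch for the symptom described above, added here as an example (it is not part of the bug report or of p11-kit): it groups SELinux AVC denials on temporary files by calling program and domain, and counts the "ffi_closure_alloc failed" messages. The log lines are constructed samples; the permission set and the match on target types ending in tmp_t are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the bug report): three AVC records in
# the usual audit.log layout plus the error message quoted in the report.
SAMPLE_LOG = """\
type=AVC msg=audit(1543977599.101:501): avc:  denied  { create } for  pid=2101 comm="certwatch" name="ffiEXAMPLE" scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543977599.102:502): avc:  denied  { map execute } for  pid=2207 comm="upsmon" path="/tmp/ffiEXAMPLE (deleted)" scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1543977599.103:503): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
Dec  5 02:39:59 host certwatch[2101]: ffi_closure_alloc failed
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Assumption: permissions a process needs to create and map an executable tmpfile.
TMPFILE_PERMS = {"create", "write", "map", "execute"}


def tmpfile_denials(log_text):
    """Map (comm, source domain) -> sorted denied tmpfile permissions."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "file":
            continue
        target_type = m["tcontext"].split(":")[2]
        perms = set(m["perms"].split()) & TMPFILE_PERMS
        # Assumption: temporary-file types end in "tmp_t" (tmp_t, user_tmp_t, ...).
        if perms and target_type.endswith("tmp_t"):
            domain = m["scontext"].split(":")[2]
            hits[(m["comm"], domain)] |= perms
    return {key: sorted(value) for key, value in hits.items()}


def closure_failures(log_text):
    """Count log lines carrying the error string quoted in the report."""
    return sum("ffi_closure_alloc failed" in line for line in log_text.splitlines())


if __name__ == "__main__":
    for (comm, domain), perms in tmpfile_denials(SAMPLE_LOG).items():
        print(f"{comm} ({domain}): denied {' '.join(perms)} on tmpfile")
    print("ffi_closure_alloc failures:", closure_failures(SAMPLE_LOG))
```
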

Comment 1 Scott Shambarger 2018-12-05 02:42:13 UTC
*** Bug 1655619 has been marked as a duplicate of this bug. ***

Comment 2 Fedora Update System 2019-01-11 22:23:34 UTC
p11-kit-0.23.14-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8d6ee591d9

Comment 3 Fedora Update System 2019-01-12 02:31:07 UTC
p11-kit-0.23.14-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8d6ee591d9

Comment 4 Fedora Update System 2019-01-14 01:58:05 UTC
p11-kit-0.23.14-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
