Bug 186108 – Not allowing execmem and execmod breaks gnome desktop

Bug 186108 - Not allowing execmem and execmod breaks gnome desktop

Summary:	Not allowing execmem and execmod breaks gnome desktop

Status:	CLOSED DUPLICATE of bug 189354

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	5
Hardware:	All Linux

Priority	medium Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Russell Coker
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2006-03-21 12:45 EST by Bruno Wolff III
Modified:	2007-11-30 17:11 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-04-20 11:09:28 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
avc log extracts (5.09 KB, text/plain) 2006-04-20 10:17 EDT, Bruno Wolff III	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Bruno Wolff III 2006-03-21 12:45:06 EST

Description of problem:
I installed FC5. /home was kept from previous FC4 install, but the problem
happened as root which has home directory on the new /.
I was using the default targetted policy in enforcing mode, had both gnome and
kde installed and tried to tighten up security but not disallowing executing out
of writeable memory (which was allowed by default).
This cause some problems when signed on using a gnome desktop. When I would
run the terminal program it would appear in the far upper left corner, was not
draggable and the menu bar was different (notablably the 'X' close icon was
missing). I also couldn't get some of the gnome configuration applications
('windows') to run.


Version-Release number of selected component (if applicable):
This was the version on the FC5 DVD iso.


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2006-04-03 12:24:15 EDT

setsebool -P allow_execmem=1 allow_execstack=1

should turn on these privs.

Comment 2 Bruno Wolff III 2006-04-07 16:03:30 EDT

I have turned off execmem and execstack checking to be able to use the system.
I reported the issue because feedback on security features has been solicited
and   I expect that at some point Gnome is supposed to work with those checks on
or policies specific to Gnome will allow them, so that they can be on by default
for other processes.

Comment 3 Daniel Walsh 2006-04-11 16:58:19 EDT

Please report the AVC messages?

Comment 4 Bruno Wolff III 2006-04-20 10:17:45 EDT

Created attachment 128038 [details]
avc log extracts

I generated this file by running
grep AVC /var/log/audit/* | grep denied > avc
and then removed entries mentioning 'ifconfig' as I believe those were old
messages and didn't apply to the current issue.

Comment 5 Daniel Walsh 2006-04-20 11:09:28 EDT


*** This bug has been marked as a duplicate of 189354 ***

Note You need to log in before you can comment on or make changes to this bug.