Bug 186108 - Not allowing execmem and execmod breaks gnome desktop
Summary: Not allowing execmem and execmod breaks gnome desktop
Status: CLOSED DUPLICATE of bug 189354
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Russell Coker
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-03-21 17:45 UTC by Bruno Wolff III
Modified: 2007-11-30 22:11 UTC (History)
0 users

Clone Of:
Last Closed: 2006-04-20 15:09:28 UTC

Attachments (Terms of Use)
avc log extracts (5.09 KB, text/plain)
2006-04-20 14:17 UTC, Bruno Wolff III
no flags Details

Description Bruno Wolff III 2006-03-21 17:45:06 UTC
Description of problem:
I installed FC5. /home was kept from previous FC4 install, but the problem
happened as root which has home directory on the new /.
I was using the default targetted policy in enforcing mode, had both gnome and
kde installed and tried to tighten up security but not disallowing executing out
of writeable memory (which was allowed by default).
This cause some problems when signed on using a gnome desktop. When I would
run the terminal program it would appear in the far upper left corner, was not
draggable and the menu bar was different (notablably the 'X' close icon was
missing). I also couldn't get some of the gnome configuration applications
('windows') to run.

Version-Release number of selected component (if applicable):
This was the version on the FC5 DVD iso.

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Daniel Walsh 2006-04-03 16:24:15 UTC
setsebool -P allow_execmem=1 allow_execstack=1

should turn on these privs. 

Comment 2 Bruno Wolff III 2006-04-07 20:03:30 UTC
I have turned off execmem and execstack checking to be able to use the system.
I reported the issue because feedback on security features has been solicited
and   I expect that at some point Gnome is supposed to work with those checks on
or policies specific to Gnome will allow them, so that they can be on by default
for other processes.

Comment 3 Daniel Walsh 2006-04-11 20:58:19 UTC
Please report the AVC messages?

Comment 4 Bruno Wolff III 2006-04-20 14:17:45 UTC
Created attachment 128038 [details]
avc log extracts

I generated this file by running
grep AVC /var/log/audit/* | grep denied > avc
and then removed entries mentioning 'ifconfig' as I believe those were old
messages and didn't apply to the current issue.

Comment 5 Daniel Walsh 2006-04-20 15:09:28 UTC

*** This bug has been marked as a duplicate of 189354 ***

Note You need to log in before you can comment on or make changes to this bug.