Description of problem:
The test for executable stacks should handle a binary that comes from a Fedora/RHEL RPM and allow the filing of a bug against that package. It should also detect the library that's causing the problem.

Version-Release number of selected component (if applicable):
setroubleshoot-0.41-1

Steps to Reproduce:
1. Start epiphany

Actual results:
"Summary: SELinux is preventing /usr/bin/epiphany from making the program stack executable. The /usr/bin/epiphany application attempted to make the its stack executable. This is a potential security problem. This should never ever be necessary. stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If /usr/bin/epiphany does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed."
"Affected RPM Packages: (blank)"

Running eu-readelf -l /usr/bin/epiphany | grep STACK shows:
GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW 0x4

So epiphany itself doesn't need an executable stack, but one of the libraries it's pulling in does. I don't know an easy way to locate this. Suggestions welcome.

Expected results:
setroubleshoot should have performed an rpm -qf on the binary and determined that it's from the epiphany package. It should then look at the DSOs loaded by epiphany and detect the library that was at fault - I don't know an easy way to implement this, though. If the library(s) are part of Fedora or RHEL it should have an easy option to file a bug against the package(s) containing them.
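One way to implement the check the reporter is asking for, as an added example that is not part of this bug report or of setroubleshoot: it reads each ELF's PT_GNU_STACK program header directly (the same header eu-readelf prints as GNU_STACK), walks the libraries that ldd resolves for the binary, and asks rpm -qf which package owns each offender. The names gnu_stack_flags, needs_exec_stack, parse_ldd, execstack_offenders and sample_elf64 are all assumptions of this example; sample_elf64 builds a constructed minimal ELF image so the parser can be exercised without a real binary.

```python
import struct, subprocess

PT_GNU_STACK = 0x6474E551  # program-header type that records the stack permissions
PF_X = 0x1                 # execute bit in p_flags (PF_R = 4, PF_W = 2, so "RW" == 6)

def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the ELF has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        fmt, flags_idx = endian + "IIQQQQQQ", 1  # p_flags is the 2nd field
    else:             # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        fmt, flags_idx = endian + "IIIIIIII", 6  # p_flags is the 7th field
    for i in range(e_phnum):
        phdr = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return phdr[flags_idx]
    return None

def needs_exec_stack(data):
    """True if PF_X is set, or if there is no PT_GNU_STACK at all (loader default: executable)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

def parse_ldd(output):
    """Resolved library paths from `ldd` output lines of the form 'name => /path (0x...)'."""
    targets = (l.split("=>", 1)[1].split("(", 1)[0].strip() for l in output.splitlines() if "=>" in l)
    return [t for t in targets if t.startswith("/")]

def execstack_offenders(binary):
    """Map each execstack-requiring file in the binary's link set to its owning RPM (None if unowned). Needs ldd and rpm."""
    ldd_out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    offenders = {}
    for path in [binary] + parse_ldd(ldd_out):
        with open(path, "rb") as f:
            if needs_exec_stack(f.read()):
                rpm = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
                offenders[path] = rpm.stdout.strip() if rpm.returncode == 0 else None
    return offenders

def sample_elf64(stack_flags):
    """Constructed minimal little-endian ELF64 image whose only program header is PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
```

On a real host, execstack_offenders("/usr/bin/epiphany") returns only the files whose GNU_STACK header carries the execute bit (or that lack the header), each paired with the package rpm -qf reports, which is exactly the list a bug would need to be filed against.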
Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
This bug has been in NEEDINFO for more than 30 days since feedback was first requested. As a result we are closing it. If you can reproduce this bug in the future against a maintained Fedora version please feel free to reopen it against that version. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp
Reopening; did this ever get implemented?
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This issue still affects the current rawhide/koji tree including:
- epiphany-2.24.0.1-3.fc10.i386
- selinux-policy-targeted-3.5.10-2.fc10.noarch
- xulrunner-1.9.0.2-2.fc10.i386

Summary
SELinux is preventing epiphany from making the program stack executable.

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
The epiphany application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If epiphany does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

Allowing Access
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust epiphany to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/epiphany'" You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/epiphany'"

Fix Command
chcon -t unconfined_execmem_exec_t '/usr/bin/epiphany'

Additional Information
Source Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects: None [ process ]
Source: epiphany
Source Path: /usr/bin/epiphany
Port: <Unknown>
Host: fedora
Source RPM Packages: epiphany-2.24.0.1-3.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.10-2.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: allow_execstack
Host Name: fedora
Platform: Linux fedora 2.6.27-0.382.rc8.git4.fc10.i686 #1 SMP Thu Oct 2 21:36:18 EDT 2008 i686 i686
Alert Count: 1
First Seen: Sat 04 Oct 2008 01:26:12 PM CEST
Last Seen: Sat 04 Oct 2008 01:26:12 PM CEST
Local ID: c6c6e600-4815-497b-8342-95125eb61fef
Line Numbers:

Raw Audit Messages:
node=fedora type=AVC msg=audit(1223119572.959:34): avc: denied { execstack } for pid=3405 comm="epiphany" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=fedora type=AVC msg=audit(1223119572.959:34): avc: denied { execmem } for pid=3405 comm="epiphany" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=fedora type=SYSCALL msg=audit(1223119572.959:34): arch=40000003 syscall=125 success=yes exit=0 a0=bfe6b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3405 auid=501 uid=501 gid=100 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="epiphany" exe="/usr/bin/epiphany" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Bumping version from 9 to 10, based on comment #5 (and comment #6)
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.