Bug 2278624 - SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
Summary: SELinux is preventing wine-preloader from using the 'execheap' accesses on a ...
Keywords:
Status: CLOSED DUPLICATE of bug 2247299
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1cb53da229f699b9195cecf3fc3...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-05-02 13:07 UTC by Kamil Páral
Modified: 2024-05-03 07:24 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-05-03 07:24:13 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: description (2.62 KB, text/plain)
2024-05-02 13:07 UTC, Kamil Páral 		no flags Details
File: os_info (734 bytes, text/plain)
2024-05-02 13:07 UTC, Kamil Páral 		no flags Details
View All

Description Kamil Páral 2024-05-02 13:07:04 UTC 
Description of problem:
This popped up after starting Steam (Flatpak version) and hitting the Download Update button inside it.
SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think wine-preloader should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that wine-preloader should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wine-preloader' --raw | audit2allow -M my-winepreloader
# semodule -X 300 -i my-winepreloader.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        wine-preloader
Source Path                   wine-preloader
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.17-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.17-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.8-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Apr 27 17:53:31 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-05-02 15:02:48 CEST
Last Seen                     2024-05-02 15:02:48 CEST
Local ID                      1c952af1-6b0b-4941-95b6-ebc8f156e0f6

Raw Audit Messages
type=AVC msg=audit(1714654968.610:1287): avc:  denied  { execheap } for  pid=188884 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: wine-preloader,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-targeted-40.17-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing wine-preloader from using the 'execheap' accesses on a process.
package:        selinux-policy-targeted-40.17-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.8.8-300.fc40.x86_64
comment:        This popped up after starting Steam (Flatpak version) and hitting the Download Update button inside it.
component:      selinux-policy
Comment 1 Kamil Páral 2024-05-02 13:07:07 UTC 
Created attachment 2030871 [details]
File: description
Comment 2 Kamil Páral 2024-05-02 13:07:08 UTC 
Created attachment 2030872 [details]
File: os_info
Comment 3 Zdenek Pytela 2024-05-02 14:01:05 UTC 
The Linux implementation of mprotect (unlike POSIX) allows changing the access protection of memory on the heap, e. g. allocated using malloc. This AVC denial indicates that heap memory was supposed to be made executable. While the permission can be granted turning the selinuxuser_execheap boolean on as suggested by setroubleshoot, it should not be done without a thorough code review as in most cases it indicates a bug in the code and you should consider reporting a bug on the related component. If anonymous executable memory is needed, another method should be considered, e. g. allocating memory using mmap.

Please refer to the boolean description:

  # semanage boolean -l|grep execheap
selinuxuser_execheap           (off  ,  off)  Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla


If there is no other information, I will close this bz.
Comment 4 Kamil Páral 2024-05-03 07:24:13 UTC 
Thanks. This seems to be a duplicate of bug 2247299, isn't it?

*** This bug has been marked as a duplicate of bug 2247299 ***
Note You need to log in before you can comment on or make changes to this bug.