Bug 246763 - SELinux problems with amarok
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: amarok
Version: 7
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Aurelien Bompard
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-04 13:40 EDT by Christian Sturm
Modified: 2008-08-02 19:40 EDT

Doc Type: Bug Fix
Last Closed: 2008-04-25 00:15:26 EDT
Description Christian Sturm 2007-07-04 13:40:19 EDT
I have been told to write a bug report

Summary
    SELinux is preventing /usr/bin/amarokapp from changing a writable memory
    segment executable.

Detailed Description
    The /usr/bin/amarokapp application attempted to change the access protection
    of memory (e,g., allocated using malloc).  This is a potential security
    problem.  Applications should not be doing this. Applications are sometimes
    coded incorrectly and request this permission.  The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how to
    remove this requirement.  If /usr/bin/amarokapp does not work and you need
    it to work, you can configure SELinux temporarily to allow this access until
    the application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/bin/amarokapp to run correctly, you can change the context
    of the executable to unconfined_execmem_exec_t. "chcon -t
    unconfined_execmem_exec_t /usr/bin/amarokapp".

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /usr/bin/amarokapp

Additional Information        

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:system_r:unconfined_t
Target Objects                None [ process ]
Affected RPM Packages         amarok-1.4.5-4.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.allow_execmem
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3228.fc7 #1
                              SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Mi 04 Jul 2007 19:36:09 CEST
Last Seen                     Mi 04 Jul 2007 19:36:09 CEST
Local ID                      4d9c24f5-e055-466c-b14a-1978a0840a0a
Line Numbers                  

Raw Audit Messages            

avc: denied { execmem } for comm="amarokapp" egid=500 euid=500
exe="/usr/bin/amarokapp" exit=-1248854016 fsgid=500 fsuid=500 gid=500 items=0
pid=7646 scontext=user_u:system_r:unconfined_t:s0 sgid=500
subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
Comment 1 Christian Sturm 2007-07-04 13:41:53 EDT
Here is another one:

Summary
    SELinux is preventing /usr/bin/amarokcollectionscanner from making the
    program stack executable.

Detailed Description
    The /usr/bin/amarokcollectionscanner application attempted to make the its
    stack executable.  This is a potential security problem.  This should never
    ever be necessary. stack memory is not executable on most OSes these days
    and this will not change. Executable stack memory is one of the biggest
    security problems. An execstack error might in fact be most likely raised by
    malicious code. Applications are sometimes coded incorrectly and request
    this permission.  The http://people.redhat.com/drepper/selinux-mem.html web
    page explains how to remove this requirement.  If
    /usr/bin/amarokcollectionscanner does not work and you need it to work, you
    can configure SELinux temporarily to allow this access until the application
    is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag, if you
    find a library with this flag you can clear it with the execstack -c
    LIBRARY_PATH.  Then retry your application.  If the app continues to not
    work, you can turn the flack back on with execstac -s LIBRARY_PATH.
    Otherwise, if you trust /usr/bin/amarokcollectionscanner to run correctly,
    you can change the context of the executable to unconfined_execmem_exec_t.
    "chcon -t unconfined_execmem_exec_t /usr/bin/amarokcollectionscanner"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /usr/bin/amarokcollectionscanner

Additional Information        

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:system_r:unconfined_t
Target Objects                None [ process ]
Affected RPM Packages         amarok-1.4.5-4.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.allow_execstack
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3228.fc7 #1
                              SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Mi 04 Jul 2007 19:40:43 CEST
Last Seen                     Mi 04 Jul 2007 19:40:43 CEST
Local ID                      39eba00c-4aee-4c4a-af0f-d21904b65490
Line Numbers                  

Raw Audit Messages            

avc: denied { execstack } for comm="amarokcollectio" egid=500 euid=500
exe="/usr/bin/amarokcollectionscanner" exit=0 fsgid=500 fsuid=500 gid=500
items=0 pid=12898 scontext=user_u:system_r:unconfined_t:s0 sgid=500
subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500

Comment 2 Aurelien Bompard 2007-07-14 05:00:26 EDT
Please update to the latest versions of amarok and selinux-policy-targeted, and
post here if it happens again.
I am running amarok here with selinux enabled in the targeted policy, and I have
no such errors.
Comment 3 Marcela Mašláňová 2007-10-02 08:56:43 EDT
I have amarok-1.4.7-4.fc8 and selinux-policy-3.0.8-14.fc8 (running rawhide).

The amarokapp application attempted to make its stack executable. 
The following command will allow this access:
chcon -t unconfined_execmem_exec_t amarokapp

Additional Information
Source Context:  system_u:system_r:unconfined_t
Target Context:  system_u:system_r:unconfined_t
Target Objects:  None [ process ]
Affected RPM Packages:  
Policy RPM:  selinux-policy-3.0.8-14.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.allow_execstack
Host Name:  dhcp-lab-135.englab.brq.redhat.com
Platform:  Linux somehost.com 2.6.23-0.214.rc8.git2.fc8 #1 SMP Fri Sep 28
17:38:00 EDT 2007 i686 i686
Alert Count:  2
First Seen:  Tue 25 Sep 2007 01:31:41 PM CEST
Last Seen:  Tue 02 Oct 2007 07:20:36 AM CEST
Local ID:  cc822903-1fb9-471e-884f-ab148e79228f

Raw Audit Messages :
avc: denied { execstack } for comm=amarokapp pid=3226
scontext=system_u:system_r:unconfined_t:s0 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 
Comment 4 Brian Powell 2008-04-25 00:15:26 EDT
The information we've requested above is required in order
to review this problem report further and diagnose/fix the
issue if it is still present.  Since there have not been any
updates to the report since thirty (30) days or more since we
requested additional information, we're assuming the problem
is either no longer present in the current Fedora release, or
that there is no longer any interest in tracking the problem.

Setting status to "CLOSED INSUFFICIENT_DATA".  If you still
experience this problem after updating to our latest Fedora
release and can provide the information previously requested, 
please feel free to reopen the bug report.

Thank you in advance.

Note that maintenance for Fedora 7 will end 30 days after the GA of Fedora 9.
