Description of problem: SELinux alert blocking org.eclipse.osgi Version-Release number of selected component (if applicable): Eclipse Europa 3.3 (brand new install) How reproducible: Every single time I try to do an update Steps to Reproduce: 1. Start Eclipse ... Software Updates ... select entries to update Actual results: SE block makes Eclipse completely unstable Expected results: the SE would stop doing this, or that Eclipse would put the right SE attributes Additional info: Appended SETroubleShoot Alert Summary SELinux is preventing /eclipse.yoxos/eclipse/eclipse from loading /eclipse.y oxos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/li bupdate.so which requires text relocation. Detailed Description The /eclipse.yoxos/eclipse/eclipse application attempted to load /eclipse.yo xos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/lib update.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /ec lipse.yoxos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux /x86/libupdate.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access If you trust /eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/bundles/3 9/1/.cp/os/linux/x86/libupdate.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /eclipse.yoxos/eclipse /configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/libupdate.so" The following command will allow this access: chcon -t textrel_shlib_t /eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/libupdate.so Additional Information Source Context root:system_r:unconfined_t:SystemLow-SystemHigh Target Context root:object_r:etc_runtime_t Target Objects /eclipse.yoxos/eclipse/configuration/org.eclipse.o sgi/bundles/39/1/.cp/os/linux/x86/libupdate.so [ file ] Affected RPM Packages Policy RPM selinux-policy-2.6.4-26.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.allow_execmod Host Name desktop Platform Linux desktop 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 athlon Alert Count 1 First Seen Sat 14 Jul 2007 06:20:37 PM CDT Last Seen Sat 14 Jul 2007 06:20:37 PM CDT Local ID a8c8dd24-8306-4fa7-8f70-31bd7e94d742 Line Numbers Raw Audit Messages avc: denied { execmod } for comm="eclipse" dev=dm-0 egid=0 euid=0 exe="/eclipse.yoxos/eclipse/eclipse" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="libupdate.so" path="/eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/ bundles/39/1/.cp/os/linux/x86/libupdate.so" pid=19352 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=root:object_r:etc_runtime_t:s0 tty=(none) uid=0
This doesn't happen with Fedora Eclipse, does it? The fact that your information shows yoxos indicates that this isn't happening with what we ship. This has been fixed upstream for 3.3 by adding -fPIC to the libupdate.so compilation line which we've carried for a while in Fedora Eclipse and RHDS. The upstream bug is https://bugs.eclipse.org/bugs/show_bug.cgi?id=170517. I see this myself sometimes with upstream downloads but I never notice instability as a result.