Bug 248275 - SELinux Alert on Eclipse libupdate.so
SELinux Alert on Eclipse libupdate.so
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: eclipse (Show other bugs)
7
All Linux
low Severity medium
: ---
: ---
Assigned To: Ben Konrath
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-14 19:27 EDT by Kevin Crocker
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-07-14 21:38:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Kevin Crocker 2007-07-14 19:27:21 EDT
Description of problem:
SELinux alert blocking org.eclipse.osgi

Version-Release number of selected component (if applicable):
Eclipse Europa 3.3 (brand new install)

How reproducible:
Every single time I try to do an update

Steps to Reproduce:
1. Start Eclipse ... Software Updates ... select entries to update
  
Actual results:
SE block makes Eclipse completely unstable

Expected results:
the SE would stop doing this, or that Eclipse would put the right SE attributes



Additional info:
Appended SETroubleShoot Alert

Summary
    SELinux is preventing /eclipse.yoxos/eclipse/eclipse from loading /eclipse.y
    oxos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/li
    bupdate.so which requires text relocation.

Detailed Description
    The /eclipse.yoxos/eclipse/eclipse application attempted to load /eclipse.yo
    xos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/lib
    update.so which requires text relocation.  This is a potential security
    problem. Most libraries do not need this permission. Libraries are sometimes
    coded incorrectly and request this permission.  The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how to
    remove this requirement.  You can configure SELinux temporarily to allow /ec
    lipse.yoxos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux
    /x86/libupdate.so to use relocation as a workaround, until the library is
    fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    If you trust /eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/bundles/3
    9/1/.cp/os/linux/x86/libupdate.so to run correctly, you can change the file
    context to textrel_shlib_t. "chcon -t textrel_shlib_t /eclipse.yoxos/eclipse
    /configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/libupdate.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t
/eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/bundles/39/1/.cp/os/linux/x86/libupdate.so

Additional Information        

Source Context                root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context                root:object_r:etc_runtime_t
Target Objects                /eclipse.yoxos/eclipse/configuration/org.eclipse.o
                              sgi/bundles/39/1/.cp/os/linux/x86/libupdate.so [
                              file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     desktop
Platform                      Linux desktop 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
                              15:37:31 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sat 14 Jul 2007 06:20:37 PM CDT
Last Seen                     Sat 14 Jul 2007 06:20:37 PM CDT
Local ID                      a8c8dd24-8306-4fa7-8f70-31bd7e94d742
Line Numbers                  

Raw Audit Messages            

avc: denied { execmod } for comm="eclipse" dev=dm-0 egid=0 euid=0
exe="/eclipse.yoxos/eclipse/eclipse" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="libupdate.so" path="/eclipse.yoxos/eclipse/configuration/org.eclipse.osgi/
bundles/39/1/.cp/os/linux/x86/libupdate.so" pid=19352
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=root:object_r:etc_runtime_t:s0 tty=(none) uid=0
Comment 1 Andrew Overholt 2007-07-14 21:38:19 EDT
This doesn't happen with Fedora Eclipse, does it?  The fact that your
information shows yoxos indicates that this isn't happening with what we ship.

This has been fixed upstream for 3.3 by adding -fPIC to the libupdate.so
compilation line which we've carried for a while in Fedora Eclipse and RHDS. 
The upstream bug is https://bugs.eclipse.org/bugs/show_bug.cgi?id=170517.

I see this myself sometimes with upstream downloads but I never notice
instability as a result.

Note You need to log in before you can comment on or make changes to this bug.