Bug 295351 - after a restorecon, darcs is unusable
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: darcs
Version: 8
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Jens Petersen
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-18 15:17 EDT by Jim Radford
Modified: 2008-01-10 00:46 EST
Fixed In Version: 1.0.9-6.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-10 00:46:52 EST
Attachments: None
Description Jim Radford 2007-09-18 15:17:03 EDT
$ rpm -q darcs
darcs-1.0.9-4.fc8

$ rpm -q --scripts darcs
postinstall scriptlet (using /bin/sh):
/usr/bin/chcon -t unconfined_execmem_exec_t /usr/bin/darcs >/dev/null 2>&1 || :

This label is needed for darcs to run, but restorecon doesn't know about it and
so it will happily remove unconfined_execmem_exec_t when run.

# restorecon -v /usr/bin/darcs
restorecon reset /usr/bin/darcs context
system_u:object_r:unconfined_execmem_exec_t:s0->system_u:object_r:bin_t:s0

I'm not sure how this is supposed to work, but it seems quite fragile to not
have the selinux attributes in the rpm database or in the policy directly.

# darcs 
darcs: internal error: getMBlock: mmap: Permission denied
    (GHC version 6.6.1 for x86_64_unknown_linux)
    Please report this as a GHC bug:  http://www.haskell.org/ghc/reportabug
Aborted
Comment 1 Daniel Walsh 2007-09-18 15:36:16 EDT
If you want to add a change to the file context you can execute


semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/darcs >/dev/null 2>&1
|| :
restorecon -v /usr/bin/darcs

What does darcs need execmem?
Comment 2 Daniel Walsh 2007-09-18 15:39:50 EDT
Darcs should be fixed to not need execmem execstack or justify it.

If this runs as a daemon a policy should be written for it.
Comment 3 Jim Radford 2007-09-18 16:52:09 EDT
(In reply to comment #1)
> What does darcs need execmem?

Haskell programs that use the foreign import wrapper dynamically create code on
the fly and use mprotect() to make it executable.  I believe darcs uses this
facility to access libraries like libcurl and zlib as well as to call some
syscalls directly.
Comment 4 Ulrich Drepper 2007-09-18 17:15:34 EDT
(In reply to comment #3)
> Haskell programs that use the foreign import wrapper dynamically create code on
> the fly and use mprotect() to make it executable.

If it is generic functionality which needs that it is worthwhile changing it to
use the double-mapping technique described in

  http://people.redhat.com/drepper/selinux-mem.html
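The double-mapping technique Ulrich points to, as an added C example that is not code from the bug report, darcs or GHC: one memfd-backed page is mapped twice, once read+write and once read+execute, so no mapping is ever writable and executable at the same time and no mprotect() turns writable memory executable, which is the operation the execmem permission (and the chcon workaround) covers. It assumes Linux with memfd_create(2) and an x86_64 or aarch64 host; the machine code bytes are constructed for the demo.

```c
// Double-mapping demo: separate RW and RX views of the same page, so the
// process never holds a W+X mapping and never needs execmem.
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*fn_t)(void);

// Constructed machine code for "return 42" on the two common targets.
#if defined(__x86_64__)
static const uint8_t kCode[] = { 0xB8, 42, 0, 0, 0, 0xC3 };                  /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t kCode[] = { 0x40,0x05,0x80,0x52, 0xC0,0x03,0x5F,0xD6 }; /* mov w0,#42 ; ret */
#else
#error "demo only encodes x86_64 and aarch64"
#endif

// Writes kCode through a writable view and runs it through a separate
// read+execute view of the same memfd page. Returns the generated
// function's result, or -1 if any step fails.
int run_double_mapped(void)
{
    long page = sysconf(_SC_PAGESIZE);
    int fd = memfd_create("jit-demo", MFD_CLOEXEC);   /* anonymous tmpfs file */
    if (fd < 0 || ftruncate(fd, page) < 0) return -1;

    void *rw = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *rx = mmap(NULL, page, PROT_READ | PROT_EXEC,  MAP_SHARED, fd, 0);
    close(fd);                        /* both views stay valid after close */
    if (rw == MAP_FAILED || rx == MAP_FAILED) return -1;

    memcpy(rw, kCode, sizeof kCode);  /* emit code through the RW view only */
    __builtin___clear_cache((char *)rx, (char *)rx + sizeof kCode);

    fn_t fn = (fn_t)rx;               /* call through the RX view only */
    int result = fn();

    munmap(rw, page);
    munmap(rx, page);
    return result;
}

int main(void)
{
    printf("double-mapped code returned %d\n", run_double_mapped());
    return 0;
}
```

Because the executable view is file-backed rather than an anonymous mapping flipped with mprotect(), SELinux evaluates it as a file execute on the backing tmpfs object instead of an execmem access on the process.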
Comment 5 Jens Petersen 2007-09-20 04:26:35 EDT
This is a ghc runtime issue I think.

IIRC I asked the ghc developers to consider this before a while back
and they thought it was quite a lot of work or low priority
(I could dig out the thread).

(In reply to comment #1)
> If you want to add a change to the file context you can execute
> 
> semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/darcs >/dev/null 2>&1
> || :
> restorecon -v /usr/bin/darcs

Thanks, I'll try that for f8. :)

Jim, could you please test to see if 1.0.9-5.fc8 is better?
Comment 6 Jens Petersen 2007-09-20 21:34:22 EDT
Errm, please try darcs-1.0.9-6.fc8 instead - I can't cut'n'paste...
Comment 7 Jim Radford 2007-09-20 22:46:23 EDT
(In reply to comment #6)
> Errm, please try darcs-1.0.9-6.fc8 instead - I can't cut'n'paste...

Updating  : darcs                        ######################### [1/2] 
/var/tmp/rpm-tmp.29530: line 2: syntax error near unexpected token `||'
/var/tmp/rpm-tmp.29530: line 2: `|| :'
error: %post(darcs-1.0.9-5.fc8.x86_64) scriptlet failed, exit status 2
Comment 8 Jens Petersen 2007-09-21 02:15:04 EDT
Just to clarify my comment: darcs-1.0.9-6.fc8 should be in rawhide soon
and fix that error.