Red Hat Bugzilla – Bug 297171
SELinux is preventing epiphany from making the program stack executable.
Last modified: 2008-03-11 09:33:43 EDT
Description of problem: Summary SELinux is preventing epiphany from making the program stack executable. Detailed Description The epiphany application attempted to make the its stack executable. This is a potential security problem. This should never ever be necessary. stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. If epiphany does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flack back on with execstac -s LIBRARY_PATH. Otherwise, if you trust epiphany to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t epiphany" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t epiphany" The following command will allow this access: chcon -t unconfined_execmem_exec_t epiphany Additional Information Source Context system_u:system_r:unconfined_t Target Context system_u:system_r:unconfined_t Target Objects None [ process ] Affected RPM Packages Policy RPM selinux-policy-3.0.7-10.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.allow_execstack Host Name <redacted> Platform Linux <redacted> 2.6.23-0.164.rc5.fc8 #1 SMP Tue Sep 4 19:20:43 EDT 2007 i686 athlon Alert Count 31 First Seen Mon 17 Sep 2007 12:40:21 AM EDT Last Seen Wed 19 Sep 2007 08:08:47 PM EDT Local ID 49761f9d-d7b4-4d33-996a-94fdd15da8bf Line Numbers Raw Audit Messages avc: denied { execstack } for comm=epiphany pid=32488 scontext=system_u:system_r:unconfined_t:s0 tclass=process tcontext=system_u:system_r:unconfined_t:s0 Version-Release number of selected component (if applicable): epiphany-2.20.0-1.fc8 I'd think this is an upstream problem, but setroubleshoot told me to file the bug here, so here it is. I've had 31 of these same errors happen within about a five minute window, so I'd say the problem should be easily reproducible. Epiphany seems to work just fine even with the denial, so I'd say the behavior is erroneous.
Can fully reproduce on Fedora 8 with epiphany-2.20.2-1.fc8 I will have to switch on setroubleshoot on Rawhide to test with FF3
Actually, this is really Fedora 8.
Filed upstream as http://bugzilla.gnome.org/show_bug.cgi?id=521109, but still ... reporter, could you please confirm that this bug is reproducible even with the latest upgrade to your distribution? Thank you.
Unfortunately, I can neither confirm nor deny that this but is reproducible as I no longer have access to a machine running Fedora. I hope someone else may be able to test this?
Wow, I thought I proofread that before submitting, but it came out completely unintelligible. What I meant to say is that I am unable to retest this bug, because I don't have access to an up-to-date Fedora machine. Sorry for the bug spam!
Since there are insufficient details provided in this report for us to investigate the issue further, and we have not received feedback to the information we have requested above, we will assume the problem was not reproducible, or has been fixed in one of the updates we have released for the reporter's distribution. Users who have experienced this problem are encouraged to upgrade to the latest update of their distribution, and if this issue turns out to still be reproducible in the latest update, please reopen this bug with additional information. Closing as INSUFFICIENT_DATA.