Bug 297171 - SELinux is preventing epiphany from making the program stack executable.
Product: Fedora
Classification: Fedora
Component: epiphany
Hardware: i386 Linux
Priority: low, Severity: medium
Assigned To: Christopher Aillon
QA Contact: Fedora Extras Quality Assurance
: SELinux
Reported: 2007-09-19 20:19 EDT by Stephen R. Saucier
Modified: 2008-03-11 09:33 EDT
Last Closed: 2008-03-11 09:33:43 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 521109 None None None Never

Description Stephen R. Saucier 2007-09-19 20:19:24 EDT
Description of problem:
    SELinux is preventing epiphany from making the program stack executable.

Detailed Description
    The epiphany application attempted to make its stack executable.  This
    is a potential security problem.  This should never ever be necessary. Stack
    memory is not executable on most OSes these days and this will not change.
    Executable stack memory is one of the biggest security problems. An
    execstack error might in fact be most likely raised by malicious code.
    Applications are sometimes coded incorrectly and request this permission.
    The http://people.redhat.com/drepper/selinux-mem.html web page explains how
    to remove this requirement.  If epiphany does not work and you need it to
    work, you can configure SELinux temporarily to allow this access until the
    application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag, if you
    find a library with this flag you can clear it with the execstack -c
    LIBRARY_PATH.  Then retry your application.  If the app continues to not
    work, you can turn the flag back on with execstack -s LIBRARY_PATH.
    Otherwise, if you trust epiphany to run correctly, you can change the
    context of the executable to unconfined_execmem_exec_t. "chcon -t
    unconfined_execmem_exec_t epiphany" You must also change the default file
    context files on the system in order to preserve them even on a full
    relabel.  "semanage fcontext -a -t unconfined_execmem_exec_t epiphany"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t epiphany

Additional Information        

Source Context                system_u:system_r:unconfined_t
Target Context                system_u:system_r:unconfined_t
Target Objects                None [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.7-10.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execstack
Host Name                     <redacted>
Platform                      Linux <redacted> 2.6.23-0.164.rc5.fc8 #1 SMP Tue Sep
                              4 19:20:43 EDT 2007 i686 athlon
Alert Count                   31
First Seen                    Mon 17 Sep 2007 12:40:21 AM EDT
Last Seen                     Wed 19 Sep 2007 08:08:47 PM EDT
Local ID                      49761f9d-d7b4-4d33-996a-94fdd15da8bf
Line Numbers                  

Raw Audit Messages            

avc: denied { execstack } for comm=epiphany pid=32488
scontext=system_u:system_r:unconfined_t:s0 tclass=process

Version-Release number of selected component (if applicable):

I'd think this is an upstream problem, but setroubleshoot told me to file the
bug here, so here it is. I've had 31 of these same errors happen within about a
five minute window, so I'd say the problem should be easily reproducible.
Epiphany seems to work just fine even with the denial, so I'd say the behavior
is erroneous.
Comment 1 Matěj Cepl 2008-01-28 04:16:47 EST
Can fully reproduce on Fedora 8 with epiphany-2.20.2-1.fc8. I will have to switch
on setroubleshoot on Rawhide to test with FF3.
Comment 2 Matěj Cepl 2008-01-28 17:01:25 EST
Actually, this is really Fedora 8.
Comment 3 Matěj Cepl 2008-03-07 17:59:55 EST
Filed upstream as http://bugzilla.gnome.org/show_bug.cgi?id=521109, but still
... reporter, could you please confirm that this bug is reproducible even with
the latest upgrade to your distribution?

Thank you.
Comment 4 Stephen R. Saucier 2008-03-11 01:07:42 EDT
Unfortunately, I can neither confirm nor deny that this bug is reproducible as I no longer have access to a
machine running Fedora. I hope someone else may be able to test this?
Comment 5 Stephen R. Saucier 2008-03-11 01:09:54 EDT
Wow, I thought I proofread that before submitting, but it came out completely unintelligible. What I meant 
to say is that I am unable to retest this bug, because I don't have access to an up-to-date Fedora 
machine. Sorry for the bug spam!
Comment 6 Matěj Cepl 2008-03-11 09:33:43 EDT
Since there are insufficient details provided in this report for us to
investigate the issue further, and we have not received feedback to the
information we have requested above, we will assume the problem was not
reproducible, or has been fixed in one of the updates we have released for the
reporter's distribution.

Users who have experienced this problem are encouraged to upgrade to the latest
update of their distribution, and if this issue turns out to still be
reproducible in the latest update, please reopen this bug with additional

