Bug 364871 – [NVIDIA] SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from changing the access protection of memory on the heap

Bug 364871 - [NVIDIA] SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from changing the access protection of memory on the heap

Summary:	[NVIDIA] SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from...

Status:	CLOSED CANTFIX

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	openoffice.org (Show other bugs)
Sub Component:
Version:	8
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Caolan McNamara
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:	Reopened

Duplicates:	448052 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-11-02 19:42 EDT by Martin Jürgens
Modified:	2008-05-30 08:07 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-11-27 10:13:26 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Martin Jürgens 2007-11-02 19:42:14 EDT

Description of problem:
When starting OOo calc, I get a SELinux alert.

Version-Release number of selected component (if applicable):
1:2.3.0-6.4.fc7

How reproducible:
Always

Steps to Reproduce:
1. Open OpenOffice.Org Calc

Actual results:
SELinux alert

Expected results:
No SELinux alert

Additional info:


Summary
    SELinux is preventing /usr/lib/openoffice.org/program/scalc.bin from
    changing the access protection of memory on the heap.

Detailed Description
    The /usr/lib/openoffice.org/program/scalc.bin application attempted to
    change the access protection of memory on the heap (e,g., allocated using
    malloc).  This is a potential security problem.  Applications should not be
    doing this. Applications are sometimes coded incorrectly and request this
    permission.  The http://people.redhat.com/drepper/selinux-mem.html web page
    explains how to remove this requirement.  If
    /usr/lib/openoffice.org/program/scalc.bin does not work and you need it to
    work, you can configure SELinux temporarily to allow this access until the
    application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you want /usr/lib/openoffice.org/program/scalc.bin to continue, you must
    turn on the allow_execheap boolean.  Note: This boolean will affect all
    applications on the system.

    The following command will allow this access:
    setsebool -P allow_execheap=1

Additional Information        

Source Context                user_u:system_r:unconfined_execmem_t
Target Context                user_u:system_r:unconfined_execmem_t
Target Objects                None [ process ]
Affected RPM Packages         openoffice.org-calc-2.3.0-6.4.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-49.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execheap
Host Name                     medora-desktop
Platform                      Linux medora-desktop 2.6.23.1-10.fc7 #1 SMP Fri
                              Oct 19 15:39:08 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sa 03 Nov 2007 00:39:35 CET
Last Seen                     Sa 03 Nov 2007 00:39:35 CET
Local ID                      2d3c3908-5fd6-433b-8be7-37f73470c225
Line Numbers                  

Raw Audit Messages            

avc: denied { execheap } for comm="scalc.bin" egid=502 euid=502
exe="/usr/lib/openoffice.org/program/scalc.bin" exit=-13 fsgid=502 fsuid=502
gid=502 items=0 pid=25264 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=502 subj=user_u:system_r:unconfined_execmem_t:s0 suid=502 tclass=process
tcontext=user_u:system_r:unconfined_execmem_t:s0 tty=(none) uid=502

Comment 1 Martin Jürgens 2007-11-03 07:29:07 EDT

Also happens with writer..

Comment 2 Caolan McNamara 2007-11-03 08:23:21 EDT

But we *do* follow ulrichs suggestions for getting anonymous executable memory. 

And it launches just for for me on enforcing mode on an up to date F-7 box. And
there's no use of mprotect by OOo directly by itself. Have you anything *else*
going on, e.g. can you launch glxgears (from glx-utils) ?

Comment 3 Martin Jürgens 2007-11-03 09:05:37 EDT

> And it launches just for for me on enforcing mode on an up to date F-7 box.

It launches for me, also. But I get that SELinux warning.

Now closed everything (Evolution, Rhythmbox, Update notifier application) and I
did not get any warning.

Comment 4 Caolan McNamara 2007-11-03 10:18:11 EDT

I mean, it launches for me and there are no selinux warnings at all.

Comment 5 Martin Jürgens 2007-11-03 10:21:37 EDT

weird, now i do not get them anymore.. i'll reopen when i re-experience the bug.

Comment 6 Chris Ricker 2007-11-26 09:32:45 EST

I'm reopening, since I'm getting this now on a fully updated F-8 box

openoffice.org-calc-2.3.0-6.6.fc8, i386 architecture

Comment 7 Caolan McNamara 2007-11-26 09:50:37 EST

And I have a fully up to date F-8 box with selinux enabled in targeted mode on
i386 and no problems with OOo. So what's the output of ...
grep drivers /var/log/Xorg.0.log

Comment 8 Chris Ricker 2007-11-26 10:03:03 EST

Using the nvidia driver - 

/usr/lib/xorg/modules//drivers/nvidia_drv.so

Is this is "you're using proprietary crud, you get what you asked for" issue?

BTW, I also get that on swriter now

Comment 9 Caolan McNamara 2007-11-26 10:41:36 EST

Well, the deadly finger of suspicion points to it, or to the replacement libGL*
libraries that I believe comes with the nvidia X driver. If this can be
reproduced *without* the nvidia driver then that's another story of course.

Nevertheless, what's the source and version of your nvidia driver, some specific
rpm from livna.org or directly from nvidia as some tarball/alternative rpm ?

Comment 10 Chris Ricker 2007-11-26 15:00:40 EST

xorg-x11-drv-nvidia-100.14.19-4.lvn8 from livna

I'll switch back to mesa tonight and see

Comment 11 Martin Jürgens 2007-11-26 16:30:05 EST

I also used the NVIDIA driver from Livna.

Comment 12 Chris Ricker 2007-11-27 10:13:26 EST

switching from nvidia gets rid of the messages, and then switching back brought
them back again

Thanks, sorry for the misleading bug report

Comment 13 Mathieu Bridon 2008-02-19 09:59:11 EST

I'm experiencing the same problem with the ATI proprietary driver from Livna, so
it's not NVidia specific.

Could it be that ATI and NVidia are doing the same mistakes ? o_O

Comment 14 Caolan McNamara 2008-05-30 08:07:10 EDT

*** Bug 448052 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.