Bug 411281 - SELinux is preventing /opt/google-earth/googleearth-bin from changing the access protection of memory on the heap.
Summary: SELinux is preventing /opt/google-earth/googleearth-bin from changing the acc...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: i686
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-04 23:42 UTC by Andy Blight
Modified: 2007-12-05 15:42 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-05 15:42:59 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Andy Blight 2007-12-04 23:42:01 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

Description of problem:
The /opt/google-earth/googleearth-bin application attempted to change the
    access protection of memory on the heap (e,g., allocated using malloc).
    This is a potential security problem.  Applications should not be doing
    this. Applications are sometimes coded incorrectly and request this
    permission.  The http://people.redhat.com/drepper/selinux-mem.html web page
    explains how to remove this requirement.  If /opt/google-earth/googleearth-
    bin does not work and you need it to work, you can configure SELinux
    temporarily to allow this access until the application is fixed. 

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-57.fc7

How reproducible:
Couldn't Reproduce


Steps to Reproduce:
1. Clicked on placemark link in GoogleEarth newsletter email.
2. After file downloaded, GoogleEarth was started.
3. Selinx generated warning.

Actual Results:
Selinux generated this warning, so I'm sending it in as requested.

Expected Results:
selinx warning should not happen, but this is probably a googleearth problem, so they should fix it.

Additional info:
Source Context                user_u:system_r:unconfined_t
Target Context                user_u:system_r:unconfined_t
Target Objects                None [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-57.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execheap
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.1-21.fc7 #1 SMP
                              Thu Nov 1 21:09:24 EDT 2007 i686 athlon
Alert Count                   5
First Seen                    Mon 05 Nov 2007 12:52:03 PM GMT
Last Seen                     Tue 04 Dec 2007 11:13:26 PM GMT
Local ID                      b403a634-3ae3-49af-b249-fc2ea946f7e4
Line Numbers                  

Raw Audit Messages            

avc: denied { execheap } for comm="googleearth-bin" egid=500 euid=500 exe="/opt
/google-earth/googleearth-bin" exit=-13 fsgid=500 fsuid=500 gid=500 items=0
pid=2722 scontext=user_u:system_r:unconfined_t:s0 sgid=500
subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
Comment 1 Daniel Walsh 2007-12-05 15:42:59 UTC 
Yes report this to google.  I have just installed it on my Rawhide system, and I
am not seeing any avc's.

Thanks for reporting this and make sure you point them at this link

shttp://people.redhat.com/~drepper/selinux-mem.html
Note You need to log in before you can comment on or make changes to this bug.