Bug 437794 - [RHEL5 U2] SELinux AVC Denied message when opening a document
Summary: [RHEL5 U2] SELinux AVC Denied message when opening a document
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-03-17 14:21 UTC by Jeff Burke
Modified: 2008-05-21 16:07 UTC (History)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 16:07:29 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2008:0465
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2008-05-20 14:36:31 UTC

Description Jeff Burke 2008-03-17 14:21:51 UTC
Description of problem:
 After upgrading from U1 to RHEL5.2-Client-20080313.0, when I open a document I
get an SELinux alert.

Version-Release number of selected component (if applicable):
 libselinux-devel-1.33.4-5.el5
 libselinux-1.33.4-5.el5
 libselinux-python-1.33.4-5.el5
 selinux-policy-2.4.6-125.el5
 selinux-policy-targeted-2.4.6-125.el5

How reproducible:
 Always

Actual results:
Mar 17 09:37:56 barron setroubleshoot: SELinux is preventing soffice.bin from
changing the access protection of memory on the heap. For complete SELinux
messages. run sealert -l 11ee2cf0-5b4f-46ac-8221-a8cb5a312362

sealert -l 11ee2cf0-5b4f-46ac-8221-a8cb5a312362

Summary:

SELinux is preventing soffice.bin from changing the access protection of memory
on the heap.

Detailed Description:

The soffice.bin application attempted to change the access protection of memory
on the heap (e.g., allocated using malloc). This is a potential security
problem. Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If soffice.bin does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you want soffice.bin to continue, you must turn on the allow_execheap
boolean. Note: This boolean will affect all applications on the system.

The following command will allow this access:

setsebool -P allow_execheap=1

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:system_r:unconfined_t
Target Objects                None [ process ]
Source                        soffice.bin
Source Path                   /usr/lib/openoffice.org/program/soffice.bin
Port                          <Unknown>
Host                          barron.boston.redhat.com
Source RPM Packages           openoffice.org-core-2.3.0-6.4.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-125.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execheap
Host Name                     barron.boston.redhat.com
Platform                      Linux barron.boston.redhat.com 2.6.18-85.el5 #1
                              SMP Tue Mar 11 18:50:56 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon Mar 17 09:37:54 2008
Last Seen                     Mon Mar 17 09:37:54 2008
Local ID                      11ee2cf0-5b4f-46ac-8221-a8cb5a312362
Line Numbers                  

Raw Audit Messages            

host=barron.boston.redhat.com type=AVC msg=audit(1205761074.818:47): avc: 
denied  { execheap } for  pid=4020 comm="soffice.bin"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process

host=barron.boston.redhat.com type=SYSCALL msg=audit(1205761074.818:47):
arch=40000003 syscall=125 success=no exit=-13 a0=804a000 a1=ad4000 a2=5
a3=bffc7ed0 items=0 ppid=4010 pid=4020 auid=4401 uid=4401 gid=4401 euid=4401
suid=4401 fsuid=4401 egid=4401 sgid=4401 fsgid=4401 tty=(none) ses=1
comm="soffice.bin" exe="/usr/lib/openoffice.org/program/soffice.bin"
subj=user_u:system_r:unconfined_t:s0 key=(null)

Expected results:


Additional info:
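
Decoding the two raw audit records above shows exactly which call was denied, which is worth knowing before turning on a system-wide boolean such as allow_execheap. This is an added example, not part of the bug report or of setroubleshoot; the function name `triage` and the two-entry syscall table (mprotect is 125 on i386 and 10 on x86_64) are assumptions of the example.

```python
import re

# Constructed sample: the two raw records from the report, wraps joined, id fields abridged.
SAMPLE = (
    'host=barron.boston.redhat.com type=AVC msg=audit(1205761074.818:47): avc: '
    'denied  { execheap } for  pid=4020 comm="soffice.bin" '
    'scontext=user_u:system_r:unconfined_t:s0 '
    'tcontext=user_u:system_r:unconfined_t:s0 tclass=process\n'
    'host=barron.boston.redhat.com type=SYSCALL msg=audit(1205761074.818:47): '
    'arch=40000003 syscall=125 success=no exit=-13 a0=804a000 a1=ad4000 a2=5 '
    'a3=bffc7ed0 items=0 ppid=4010 pid=4020 auid=4401 uid=4401 '
    'comm="soffice.bin" exe="/usr/lib/openoffice.org/program/soffice.bin" '
    'subj=user_u:system_r:unconfined_t:s0 key=(null)\n'
)

# (audit arch, syscall number) -> name; only mprotect on the two x86 ABIs.
MPROTECT = {("40000003", 125): "mprotect", ("c000003e", 10): "mprotect"}
PROT_BITS = ((0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"))
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def triage(log):
    """Pair AVC and SYSCALL records by event id and decode mprotect denials."""
    events = {}
    for line in log.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"perms": [], "sys": {}})
        avc = AVC.search(line)
        if avc:
            ev["perms"] += avc.group(1).split()
        elif "type=SYSCALL" in line:
            ev["sys"] = {k: v.strip('"') for k, v in FIELD.findall(line)}
    findings = []
    for event_id, ev in events.items():
        s = ev["sys"]
        if not ev["perms"] or not s:
            continue
        name = MPROTECT.get((s["arch"], int(s["syscall"])), "syscall " + s["syscall"])
        prot = int(s["a2"], 16) if name == "mprotect" else 0
        findings.append({
            "event": event_id, "perms": ev["perms"], "exe": s.get("exe"),
            "syscall": name, "addr": int(s["a0"], 16), "length": int(s["a1"], 16),
            "prot": [n for bit, n in PROT_BITS if prot & bit],
            "domain": s.get("subj", "").split(":")[2] if s.get("subj") else None,
        })
    return findings
```

For the records in this report, `triage(SAMPLE)` yields one event: an `mprotect` call from soffice.bin in `unconfined_t` requesting PROT_READ and PROT_EXEC, which failed with exit=-13 (EACCES) on the `execheap` check.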

Comment 1 Daniel Walsh 2008-04-08 02:03:40 UTC
Fixed labeling in selinux-policy-2.4.6-128.el5

Comment 7 errata-xmlrpc 2008-05-21 16:07:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html


