Description of problem:
After upgrading from U1 to RHEL5.2-Client-20080313.0, when I open a document I get an SELinux alert.

Version-Release number of selected component (if applicable):
libselinux-devel-1.33.4-5.el5
libselinux-1.33.4-5.el5
libselinux-python-1.33.4-5.el5
selinux-policy-2.4.6-125.el5
selinux-policy-targeted-2.4.6-125.el5

How reproducible:
Always

Actual results:
Mar 17 09:37:56 barron setroubleshoot: SELinux is preventing soffice.bin from changing the access protection of memory on the heap. For complete SELinux messages. run sealert -l 11ee2cf0-5b4f-46ac-8221-a8cb5a312362

sealert -l 11ee2cf0-5b4f-46ac-8221-a8cb5a312362

Summary:

SELinux is preventing soffice.bin from changing the access protection of memory on the heap.

Detailed Description:

The soffice.bin application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If soffice.bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you want soffice.bin to continue, you must turn on the allow_execheap boolean. Note: This boolean will affect all applications on the system.

The following command will allow this access:

setsebool -P allow_execheap=1

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:system_r:unconfined_t
Target Objects                None [ process ]
Source                        soffice.bin
Source Path                   /usr/lib/openoffice.org/program/soffice.bin
Port                          <Unknown>
Host                          barron.boston.redhat.com
Source RPM Packages           openoffice.org-core-2.3.0-6.4.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-125.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execheap
Host Name                     barron.boston.redhat.com
Platform                      Linux barron.boston.redhat.com 2.6.18-85.el5 #1 SMP Tue Mar 11 18:50:56 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon Mar 17 09:37:54 2008
Last Seen                     Mon Mar 17 09:37:54 2008
Local ID                      11ee2cf0-5b4f-46ac-8221-a8cb5a312362
Line Numbers

Raw Audit Messages

host=barron.boston.redhat.com type=AVC msg=audit(1205761074.818:47): avc: denied { execheap } for pid=4020 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process

host=barron.boston.redhat.com type=SYSCALL msg=audit(1205761074.818:47): arch=40000003 syscall=125 success=no exit=-13 a0=804a000 a1=ad4000 a2=5 a3=bffc7ed0 items=0 ppid=4010 pid=4020 auid=4401 uid=4401 gid=4401 euid=4401 suid=4401 fsuid=4401 egid=4401 sgid=4401 fsgid=4401 tty=(none) ses=1 comm="soffice.bin" exe="/usr/lib/openoffice.org/program/soffice.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)

Expected results:

Additional info:
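Added example (not part of the original report or of setroubleshoot): a short Python script that pairs the AVC and SYSCALL records above by their audit event ID and decodes the call behind the execheap denial. The function names are hypothetical, and the syscall table is an assumption limited to the single i386 entry these records need.

```python
import re

# Records from the report's "Raw Audit Messages"; uid/gid fields trimmed for length.
SAMPLE = [
    'host=barron.boston.redhat.com type=AVC msg=audit(1205761074.818:47): avc: denied { execheap } for pid=4020 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'host=barron.boston.redhat.com type=SYSCALL msg=audit(1205761074.818:47): arch=40000003 syscall=125 success=no exit=-13 a0=804a000 a1=ad4000 a2=5 a3=bffc7ed0 items=0 ppid=4010 pid=4020 comm="soffice.bin" exe="/usr/lib/openoffice.org/program/soffice.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)',
]

EVENT_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
# Assumption: only the entry needed here. arch 0x40000003 is i386, where 125 is mprotect.
SYSCALLS = {(0x40000003, 125): "mprotect"}

def parse(line):
    """Return (record type, event id, fields) or None for a non-audit line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    perm = PERM_RE.search(line)
    fields["perms"] = perm.group(1).split() if perm else []
    return m.group(1), m.group(2), fields

def explain_execheap(lines):
    """Correlate AVC execheap denials with the SYSCALL record of the same event."""
    events = {}
    for rtype, key, fields in filter(None, map(parse, lines)):
        events.setdefault(key, {})[rtype] = fields
    findings = []
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "execheap" not in avc["perms"]:
            continue
        f = {"comm": avc["comm"], "domain": avc["scontext"], "call": None, "prot": []}
        if sc:  # the SYSCALL record can be absent, e.g. when syscall auditing is off
            key = (int(sc["arch"], 16), int(sc["syscall"]))
            f["call"] = SYSCALLS.get(key, f"syscall {sc['syscall']}")
            f["errno"] = -int(sc["exit"])
            if f["call"] == "mprotect":  # a0..a3 are logged in hex
                f["start"], f["length"] = int(sc["a0"], 16), int(sc["a1"], 16)
                bits = int(sc["a2"], 16)
                f["prot"] = [name for bit, name in PROT.items() if bits & bit]
        findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in explain_execheap(SAMPLE):
        print(finding)
```

For the records in this report it shows an mprotect call requesting PROT_READ|PROT_EXEC on the region starting at 0x804a000, refused with errno 13 (EACCES).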
Fixed labeling in selinux-policy-2.4.6-128.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html