Bug 446184 - SELinux is preventing epiphany from changing the access protection of memory on the heap.
SELinux is preventing epiphany from changing the access protection of memory ...
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: epiphany (Show other bugs)
8
i386 Linux
low Severity low
: ---
: ---
Assigned To: Gecko Maintainer
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-13 07:57 EDT by Jon Dufresne
Modified: 2008-05-13 11:33 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-13 11:33:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 532970 None None None Never

  None (edit)
Description Jon Dufresne 2008-05-13 07:57:38 EDT
Summary:

SELinux is preventing epiphany from changing the access protection of memory on
the heap.

Detailed Description:

The epiphany application attempted to change the access protection of memory on
the heap (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If epiphany does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you want epiphany to continue, you must turn on the allow_execheap boolean.
Note: This boolean will affect all applications on the system.

The following command will allow this access:

setsebool -P allow_execheap=1

Additional Information:

Source Context                unconfined_u:system_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:system_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        epiphany
Source Path                   /usr/bin/epiphany
Port                          <Unknown>
Host                          thedude.lebowski
Source RPM Packages           epiphany-2.20.3-4.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-101.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execheap
Host Name                     thedude.lebowski
Platform                      Linux thedude.lebowski 2.6.24.5-85.fc8 #1 SMP Sat
                              Apr 19 12:39:34 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 26 Mar 2008 03:57:20 AM EDT
Last Seen                     Tue 13 May 2008 07:48:27 AM EDT
Local ID                      6c673953-f76c-44aa-9c85-f366003a4c9a
Line Numbers                  

Raw Audit Messages            

host=thedude.lebowski type=AVC msg=audit(1210679307.749:15): avc:  denied  {
execheap } for  pid=4153 comm="epiphany"
scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=thedude.lebowski type=SYSCALL msg=audit(1210679307.749:15): arch=40000003
syscall=125 success=no exit=-13 a0=8188000 a1=370000 a2=5 a3=bf969b60 items=0
ppid=1 pid=4153 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) comm="epiphany" exe="/usr/bin/epiphany"
subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 Matěj Cepl 2008-05-13 11:33:33 EDT
We found that this bug has been already registered in the upstream database
(http://bugzilla.gnome.org/show_bug.cgi?id=532970) and believe that it is more
appropriate to let it be resolved upstream.

Red Hat will continue to track the issue in the centralized upstream bug
tracker, and will review any bug fixes that become available for consideration
in future updates.

Thank you for the bug report.

Note You need to log in before you can comment on or make changes to this bug.