448052 – updated system on 5-22-08. kernel and openoffice updated fc7

Bug 448052 - updated system on 5-22-08. kernel and openoffice updated fc7

Summary: updated system on 5-22-08. kernel and openoffice updated fc7

Keywords:
Status:	CLOSED DUPLICATE of bug 364871
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openoffice.org
Sub Component:
Version:	7
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Caolan McNamara
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-23 06:43 UTC by Jeff Smith
Modified:	2008-05-30 12:07 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-05-30 12:07:09 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jeff Smith 2008-05-23 06:43:41 UTC

Description of problem:
updated did a full update one month after last update and it updated the kernel
and openoffice on fc7 AMD system

Version-Release number of selected component (if applicable):
openoffice.org-impress - 1:2.3.0-6.8.fc7.i386 
kernel - 2.6.23.17-88.fc7.i686 
kernel-devel - 2.6.23.17-88.fc7.i686
kernel-headers - 2.6.23.17-88.fc7.i386
plus others

How reproducible:
everytime

Steps to Reproduce:
1. starting ooo.org presentation 
2.
3.
  
Actual results:
blocked by SELinux

Expected results:
ooo.org software not to access the memory heap.

Additional info:
Source Context:  user_u:system_r:unconfined_execmem_t
Target Context:  user_u:system_r:unconfined_execmem_t
Target Objects:  None [ process ]
Affected RPM Packages:  openoffice.org-impress-2.3.0-6.8.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-70.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.allow_execheap
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.23.17-88.fc7 #1 SMP Thu May 15
00:35:10 EDT 2008 i686 athlon
Alert Count:  1
First Seen:  Thu 22 May 2008 11:22:33 PM PDT
Last Seen:  Thu 22 May 2008 11:27:04 PM PDT
Local ID:  73d8dc12-f9c1-4b19-a63a-388539a4b6f9
Line Numbers:  


Raw Audit Messages :
avc: denied { execheap } for comm="simpress.bin" egid=500 euid=500
exe="/usr/lib/openoffice.org/program/simpress.bin" exit=-13 fsgid=500 fsuid=500
gid=500 items=0 pid=2958 scontext=user_u:system_r:unconfined_execmem_t:s0
sgid=500 subj=user_u:system_r:unconfined_execmem_t:s0 suid=500 tclass=process
tcontext=user_u:system_r:unconfined_execmem_t:s0 tty=(none) uid=500

Comment 1 Tomas Hoger 2008-05-23 07:04:32 UTC

Situations when SELinux policy prevents application from correct operation are
not security vulnerabilities, but rather bug in policy or application.

There does not seem to be any recent change in F7 selinux policy packages. 
Possibly some regression in kernel execmem handling code?  Have you tried
booting to previous kernel?

Comment 2 Daniel Walsh 2008-05-23 19:36:58 UTC

execheap is an unusual thing to do and is probably a bug in open office.  You
can allow this via allow_execheap boolean.

Comment 3 Caolan McNamara 2008-05-23 19:55:12 UTC

The number 1 reason to see this is having a 3rd party X driver which comes
bundled with some opengl libraries where it is *those* libraries that cause the
problem rather than a bug in openoffice.org. 

Do you have a nvidia binary driver, or something of that nature ?

Comment 4 Caolan McNamara 2008-05-24 13:50:59 UTC

So what X driver are you using ? i.e. I suspect this is a duplicate of bug 364871

Comment 5 Caolan McNamara 2008-05-30 12:07:09 UTC

I'm extraordinarily confident that this is related to some replacement opengl
libraries installed when e.g. a nvidia propitiatory driver was installed. And is
is those libraries that cause the selinux error.

*** This bug has been marked as a duplicate of 364871 ***

Note You need to log in before you can comment on or make changes to this bug.