Description of problem:

Version-Release number of selected component (if applicable):
kdebase-runtime-4.1.2-3.fc10

How reproducible:
Log into KDE, selinux setroubleshoot kicks in and reports it.

Steps to Reproduce:
1. log in to KDE
2. setroubleshoot should appear with denied avc
3. click on sealert and view

Actual results:

Expected results:

Additional info:

Summary:
SELinux is preventing knotify4 from making the program stack executable.

Detailed Description:
The knotify4 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:
Sometimes a library is accidentally marked with the execstack flag; if you find a library with this flag you can clear it with "execstack -c LIBRARY_PATH". Then retry your application. If the app continues to not work, you can turn the flag back on with "execstack -s LIBRARY_PATH". Otherwise, if you trust knotify4 to run correctly, you can change the context of the executable to unconfined_execmem_exec_t: "chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'". You must also change the default file context files on the system in order to preserve them even on a full relabel:
"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/knotify4'"

Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'

Additional Information:
Source Context:        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects:        None [ process ]
Source:                knotify4
Source Path:           /usr/bin/knotify4
Port:                  <Unknown>
Host:                  riohigh
Source RPM Packages:   kdebase-runtime-4.1.2-3.fc10
Target RPM Packages:
Policy RPM:            selinux-policy-3.5.10-3.fc10
Selinux Enabled:       True
Policy Type:           targeted
MLS Enabled:           True
Enforcing Mode:        Enforcing
Plugin Name:           allow_execstack
Host Name:             riohigh
Platform:              Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon
Alert Count:           2
First Seen:            Thu 16 Oct 2008 06:33:56 AM CDT
Last Seen:             Thu 16 Oct 2008 06:33:56 AM CDT
Local ID:              d2171be2-9d07-43e0-83bf-95f7f3e5e666
Line Numbers:

Raw Audit Messages:
node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
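The sealert text above points at a library "accidentally marked with the execstack flag" as the usual cause of an execstack denial. As an added example, not part of this bug report or of the execstack tool, the following script reads the PT_GNU_STACK program header of each ELF file it is given and reports the marking the way "execstack -q" does, so the binary and every library in an ldd listing can be checked at once; the build_elf helper only fabricates header-only ELF images as constructed sample input.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header recording the stack permissions
PF_X = 0x1                         # p_flags execute bit (PF_W = 0x2, PF_R = 0x4)


def gnu_stack_marking(data: bytes) -> str:
    """Marking as `execstack -q` prints it: 'X' executable stack, '-' not
    executable, '?' no PT_GNU_STACK (i386 kernels then allow execution)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = {1: "<", 2: ">"}[data[5]]               # EI_DATA: 1 = LSB, 2 = MSB
    if data[4] == 2:                              # ELFCLASS64
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1  # p_flags is the 2nd field
    elif data[4] == 1:                            # ELFCLASS32 (the i686 case here)
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6  # p_flags is the 7th field
    else:
        raise ValueError("unknown ELF class")
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return "X" if ph[flags_idx] & PF_X else "-"
    return "?"


def build_elf(bits: int, stack_flags=None) -> bytes:
    """Constructed header-only little-endian ELF with at most one PT_GNU_STACK entry (None omits it)."""
    if bits == 64:
        ident = b"\x7fELF\x02\x01\x01" + bytes(9)
        hdr_fmt, ehsize, phentsize = "<16sHHIQQQIHHHHHH", 64, 56
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF\x01\x01\x01" + bytes(9)
        hdr_fmt, ehsize, phentsize = "<16sHHIIIIIHHHHHH", 52, 32
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    phnum = 0 if stack_flags is None else 1
    # e_type=ET_EXEC, e_machine=0, e_version=1, e_entry=0, e_phoff=ehsize, no sections
    header = struct.pack(hdr_fmt, ident, 2, 0, 1, 0, ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    return header + (phdr if phnum else b"")


if __name__ == "__main__":
    # e.g. python3 execstack_check.py /usr/bin/knotify4 $(ldd /usr/bin/knotify4 | grep -o '/[^ )]*')
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(gnu_stack_marking(f.read()), path)
```

A library reported as "X" is the one "execstack -c LIBRARY_PATH" from the sealert text would clear; a "?" means the object carries no GNU_STACK marking at all, which on i386 is also treated as executable.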
Are you certain you don't have any 3rd party software installed... say like an X driver or something? :)
What Rex says, plus does "ldd knotify4" show anything unusual (like libraries outside of /usr/lib)?
Oops, make that: ldd /usr/bin/knotify4
Yes. Default install, no binary drivers. I can't boot the computer again. I need a fix, fsck or something, to get back up and running.
Odd, I can't reproduce this. I'll keep looking tho.
> I need a fix fsck or something to get back up and running.

Corrupt file system? That might be what's causing this problem, too.
Definitely not an SELinux bug then?
From selinux list commentary on this bug:

The unix_stream_socket is a leaked file descriptor.

node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

These can be dontaudited or allowed using

# grep ifconfig /var/log/audit/audit.log | audit2allow -m mypol
# semodule -i mypol.pp

Probably a bug in one of the kde routines that should be calling fcntl(fd, F_SETFD
That is a different issue though. This bug is about an executable stack, it has nothing to do with leaked file descriptors.
Here's the reference: https://www.redhat.com/archives/fedora-test-list/2008-October/msg01248.html

It would appear Dan made an incorrect conclusion here, reclosing... at least until we have more evidence, receive confirmation from elsewhere, or are able to reproduce this. Antonio, we're still waiting to see output from ldd, per comment #3, which may help id the problem.
Gone for the weekend :) Sorry for not sending it in before.

[olivares@localhost ~]$ ldd /usr/bin/knotify4
        linux-gate.so.1 =>  (0x00110000)
        libQtSvg.so.4 => /usr/lib/libQtSvg.so.4 (0x06a2d000)
        libQtCore.so.4 => /usr/lib/libQtCore.so.4 (0x04779000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00897000)
        libkdecore.so.5 => /usr/lib/libkdecore.so.5 (0x04cd1000)
        libSM.so.6 => /usr/lib/libSM.so.6 (0x00de0000)
        libICE.so.6 => /usr/lib/libICE.so.6 (0x00144000)
        libX11.so.6 => /usr/lib/libX11.so.6 (0x00a03000)
        libXext.so.6 => /usr/lib/libXext.so.6 (0x00b0a000)
        libXft.so.2 => /usr/lib/libXft.so.2 (0x06ead000)
        libXau.so.6 => /usr/lib/libXau.so.6 (0x009f6000)
        libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x009fb000)
        libXpm.so.4 => /usr/lib/libXpm.so.4 (0x06ec3000)
        libQtGui.so.4 => /usr/lib/libQtGui.so.4 (0x076fa000)
        libQtXml.so.4 => /usr/lib/libQtXml.so.4 (0x00555000)
        libXtst.so.6 => /usr/lib/libXtst.so.6 (0x06ed6000)
        libXcursor.so.1 => /usr/lib/libXcursor.so.1 (0x00c63000)
        libXfixes.so.3 => /usr/lib/libXfixes.so.3 (0x00c47000)
        libXrender.so.1 => /usr/lib/libXrender.so.1 (0x00c3c000)
        libkdeui.so.5 => /usr/lib/libkdeui.so.5 (0x06ede000)
        libphonon.so.4 => /usr/lib/libphonon.so.4 (0x02650000)
        libQtNetwork.so.4 => /usr/lib/libQtNetwork.so.4 (0x049a0000)
        libQtDBus.so.4 => /usr/lib/libQtDBus.so.4 (0x005dc000)
        libz.so.1 => /lib/libz.so.1 (0x008b3000)
        libbz2.so.1 => /lib/libbz2.so.1 (0x04c41000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00dc1000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00c83000)
        libm.so.6 => /lib/libm.so.6 (0x00865000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00c53000)
        libc.so.6 => /lib/libc.so.6 (0x006ef000)
        libpng12.so.0 => /usr/lib/libpng12.so.0 (0x00be1000)
        libXi.so.6 => /usr/lib/libXi.so.6 (0x00c6f000)
        libXrandr.so.2 => /usr/lib/libXrandr.so.2 (0x00c7a000)
        libXinerama.so.1 => /usr/lib/libXinerama.so.1 (0x00c4e000)
        libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00b4c000)
        libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x00c0b000)
        libgthread-2.0.so.0 => /lib/libgthread-2.0.so.0 (0x00111000)
        librt.so.1 => /lib/librt.so.1 (0x009cc000)
        libglib-2.0.so.0 => /lib/libglib-2.0.so.0 (0x0015e000)
        libdl.so.2 => /lib/libdl.so.2 (0x00890000)
        /lib/ld-linux.so.2 (0x006ca000)
        libuuid.so.1 => /lib/libuuid.so.1 (0x00dda000)
        libxcb-xlib.so.0 => /usr/lib/libxcb-xlib.so.0 (0x00b06000)
        libxcb.so.1 => /usr/lib/libxcb.so.1 (0x009d8000)
        libssl.so.7 => /lib/libssl.so.7 (0x003b5000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x00241000)
        libdbus-1.so.3 => /lib/libdbus-1.so.3 (0x00d7e000)
        libexpat.so.1 => /lib/libexpat.so.1 (0x00b23000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00400000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0042f000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00dea000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00116000)
        libcap.so.2 => /lib/libcap.so.2 (0x00d77000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x003a9000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00df5000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x008c9000)
[olivares@localhost ~]$