Summary: SELinux is preventing liferea-bin from making the program stack executable.

Detailed Description: The liferea-bin application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If liferea-bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access: Sometimes a library is accidentally marked with the execstack flag; if you find a library with this flag you can clear it with execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust liferea-bin to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/liferea-bin'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/liferea-bin'"

Fix Command: chcon -t unconfined_execmem_exec_t '/usr/bin/liferea-bin'

Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects None [ process ]
Source liferea-bin
Source Path /usr/bin/liferea-bin
Port <Unknown>
Host viklef
Source RPM Packages liferea-1.4.20-4.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-8.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name viklef
Platform Linux viklef 2.6.27.4-58.fc10.i686 #1 SMP Mon Oct 27 18:21:44 EDT 2008 i686 i686
Alert Count 2
First Seen Fri 31 October 2008, 09:54:36 CET
Last Seen Fri 31 October 2008, 09:55:04 CET
Local ID 96e11b51-7763-4082-ba7b-eac24d0d6ad7
Line Numbers

Raw Audit Messages
node=viklef type=AVC msg=audit(1225443304.317:1330): avc: denied { execstack } for pid=23838 comm="liferea-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=viklef type=SYSCALL msg=audit(1225443304.317:1330): arch=40000003 syscall=125 success=no exit=-13 a0=bff23000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=19597 pid=23838 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts4 ses=2 comm="liferea-bin" exe="/usr/bin/liferea-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Are you sure this is not caused by nvidia blob being installed?
(In reply to comment #1)
> Are you sure this is not caused by nvidia blob being installed?
WHAT??? Are you accusing me of using THAT thing? Ajax would kill me just if I mentioned that as a joke. No, this is an honest-to-goodness all-Intel notebook (both Intel graphics card and Intel wifi).
Ok, then /usr/bin/liferea-bin has to be fixed, or explain why it needs execstack.
Will forward this to the upstream devs.
And just to add the AVC denial report when a staff_u user runs it:

Summary: SELinux is preventing liferea-bin (staff_t) "execstack" to <Unknown> (staff_t).

Detailed Description: [SELinux is in permissive mode; the operation would have been denied but was allowed because of permissive mode.] SELinux denied access requested by liferea-bin. The current boolean settings do not allow this access. If you have not setup liferea-bin to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access: Confined processes can be configured to run requiring different access; SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_execmem is set incorrectly. Boolean Description: Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla

Fix Command: # setsebool -P allow_execmem 1

Additional Information:
Source Context staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Context staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Objects None [ process ]
Source liferea-bin
Source Path /usr/bin/liferea-bin
Port <Unknown>
Host viklef
Source RPM Packages liferea-1.4.20-4.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-20.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_boolean
Host Name viklef
Platform Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert Count 1
First Seen Tue 25 November 2008, 02:29:33 CET
Last Seen Tue 25 November 2008, 02:29:33 CET
Local ID 2d69b19e-3a85-483a-8319-63321e89a983
Line Numbers

Raw Audit Messages
node=viklef type=AVC msg=audit(1227576573.727:372): avc: denied { execstack } for pid=7640 comm="liferea-bin" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
node=viklef type=AVC msg=audit(1227576573.727:372): avc: denied { execmem } for pid=7640 comm="liferea-bin" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
node=viklef type=SYSCALL msg=audit(1227576573.727:372): arch=40000003 syscall=125 success=yes exit=0 a0=bf8d5000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=7640 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="liferea-bin" exe="/usr/bin/liferea-bin" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Just use the execstack program to modify the binary and set the bit in it. If the code still works, the omission is likely accidental.
liferea-1.4.22d-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/liferea-1.4.22d-1.fc10
liferea-1.4.22d-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/liferea-1.4.22d-1.fc9
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Not good. Using liferea-1.4.22d-1.fc10.i386 I got this. I don't think that setsebool is the right solution. Or is it?

SELinux is preventing liferea-bin (staff_t) "execstack" to <Unknown> (staff_t).

Detailed Description: SELinux denied access requested by liferea-bin. The current boolean settings do not allow this access. If you have not setup liferea-bin to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access: Confined processes can be configured to run requiring different access; SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_execmem is set incorrectly. Boolean Description: Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla

Fix Command: # setsebool -P allow_execmem 1

Additional Information:
Source Context staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Context staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Objects None [ process ]
Source liferea-bin
Source Path /usr/bin/liferea-bin
Port <Unknown>
Host viklef
Source RPM Packages liferea-1.4.22d-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-26.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name viklef
Platform Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert Count 1
First Seen Wed 26 November 2008, 09:47:54 CET
Last Seen Wed 26 November 2008, 09:47:54 CET
Local ID 52296ccc-d0f9-4802-b1d2-d3124da07286
Line Numbers

Raw Audit Messages
node=viklef type=AVC msg=audit(1227689274.687:58): avc: denied { execstack } for pid=6403 comm="liferea-bin" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
node=viklef type=SYSCALL msg=audit(1227689274.687:58): arch=40000003 syscall=125 success=no exit=-13 a0=bf918000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=6403 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="liferea-bin" exe="/usr/bin/liferea-bin" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
liferea-1.4.22d-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update liferea'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-10445
liferea-1.4.22d-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update liferea'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-10478
Nothing has changed for me. Still the same AVC Denial.
Well, then the bug should be reopened. Not an SELinux issue.
I cannot recreate this on my system. I'm running x86_64 and it looks like you have i386. Anyone able to recreate this on x86_64? Also, upstream devs have been informed but don't believe liferea could cause this error. Not sure when or if it will be addressed.
Steven Parrish
SELinux has to be in the Enforcing mode and I am using staff_u user (as per http://danwalsh.livejournal.com/18312.html).
Steven, getsebool -a | grep execstack
liferea-1.4.22d-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
liferea-1.4.22d-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Damn, maintainer, could you please get this bug out of bodhi, when your fixes have absolutely nothing to do with SELinux?
Upstream has no interest in resolving this; unless the SELinux gurus can come up with a solution, it's a WONTFIX.