Bug 469351 - SELinux is preventing liferea-bin from making the program stack executable.
SELinux is preventing liferea-bin from making the program stack executable.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: liferea (Show other bugs)
10
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steven M. Parrish
Fedora Extras Quality Assurance
: Reopened, SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-31 09:44 EDT by Matěj Cepl
Modified: 2009-02-04 08:07 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-04 08:07:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-10-31 09:44:17 EDT
Souhrn:

SELinux is preventing liferea-bin from making the program stack executable.

Podrobný popis:

The liferea-bin application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If liferea-bin does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Povolení přístupu:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust liferea-bin
to run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/liferea-bin'" You must also change the default file context files on
the system in order to preserve them even on a full relabel. "semanage fcontext
-a -t unconfined_execmem_exec_t '/usr/bin/liferea-bin'"

Příkaz pro opravu:

chcon -t unconfined_execmem_exec_t '/usr/bin/liferea-bin'

Další informace:

Kontext zdroje                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Kontext cíle                 unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Objekty cíle                 None [ process ]
Zdroj                         liferea-bin
Cesta zdroje                  /usr/bin/liferea-bin
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          liferea-1.4.20-4.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-8.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     allow_execstack
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.4-58.fc10.i686 #1 SMP Mon Oct
                              27 18:21:44 EDT 2008 i686 i686
Počet upozornění           2
Poprvé viděno               Pá 31. říjen 2008, 09:54:36 CET
Naposledy viděno             Pá 31. říjen 2008, 09:55:04 CET
Místní ID                   96e11b51-7763-4082-ba7b-eac24d0d6ad7
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1225443304.317:1330): avc:  denied  { execstack } for  pid=23838 comm="liferea-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=viklef type=SYSCALL msg=audit(1225443304.317:1330): arch=40000003 syscall=125 success=no exit=-13 a0=bff23000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=19597 pid=23838 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts4 ses=2 comm="liferea-bin" exe="/usr/bin/liferea-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-10-31 10:24:57 EDT
Are you sure this is not caused by nvidia blob being installed?
Comment 2 Matěj Cepl 2008-11-01 10:42:45 EDT
(In reply to comment #1)
> Are you sure this is not caused by nvidia blob being installed?

WHAT??? Are you accusing me of using THAT thing? Ajax would kill just if I mentioned that as a joke. No, this is good to honest all-intel notebook (both intel graphics card and intel wifi).
Comment 3 Daniel Walsh 2008-11-03 14:51:47 EST
Ok, then /usr/bin/liferea-bin has to be fixed or explain why it needs execstack
Comment 4 Steven M. Parrish 2008-11-03 16:08:31 EST
Will forward this to the upstream devs.
Comment 5 Matěj Cepl 2008-11-24 20:31:35 EST
And just to add AVC denial report when staff_u user runs it:


Souhrn:

SELinux is preventing liferea-bin (staff_t) "execstack" to <Unknown> (staff_t).

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by liferea-bin. The current boolean settings do
not allow this access. If you have not setup liferea-bin to require this access
this may signal an intrusion attempt. If you do intend this access you need to
change the booleans on this system to allow the access.

Povolení přístupu:

Confined processes can be configured to to run requiring different access,
SELinux provides booleans to allow you to turn on/off access as needed. The
boolean allow_execmem is set incorrectly.
Boolean Description:
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")


Příkaz pro opravu:

# setsebool -P allow_execmem 1

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 staff_u:staff_r:staff_t:SystemLow-SystemHigh
Objekty cíle                 None [ process ]
Zdroj                         liferea-bin
Cesta zdroje                  /usr/bin/liferea-bin
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          liferea-1.4.20-4.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall_boolean
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Út 25. listopad 2008, 02:29:33 CET
Naposledy viděno             Út 25. listopad 2008, 02:29:33 CET
Místní ID                   2d69b19e-3a85-483a-8319-63321e89a983
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227576573.727:372): avc:  denied  { execstack } for  pid=7640 comm="liferea-bin" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

node=viklef type=AVC msg=audit(1227576573.727:372): avc:  denied  { execmem } for  pid=7640 comm="liferea-bin" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

node=viklef type=SYSCALL msg=audit(1227576573.727:372): arch=40000003 syscall=125 success=yes exit=0 a0=bf8d5000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=7640 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="liferea-bin" exe="/usr/bin/liferea-bin" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 6 Ulrich Drepper 2008-11-25 09:54:59 EST
Just use the execstack program to modify the binary to set the bit in the binary.  If the code still works the omission is likely accidental.
Comment 7 Fedora Update System 2008-11-25 20:35:46 EST
liferea-1.4.22d-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/liferea-1.4.22d-1.fc10
Comment 8 Fedora Update System 2008-11-25 20:36:08 EST
liferea-1.4.22d-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/liferea-1.4.22d-1.fc9
Comment 9 Bug Zapper 2008-11-25 23:32:42 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Matěj Cepl 2008-11-26 03:49:32 EST
Not good. Using liferea-1.4.22d-1.fc10.i386 I got this. I don't think that setsebool is a right solution. Or is it?

SELinux is preventing liferea-bin (staff_t) "execstack" to <Unknown> (staff_t).

Podrobný popis:

SELinux denied access requested by liferea-bin. The current boolean settings do
not allow this access. If you have not setup liferea-bin to require this access
this may signal an intrusion attempt. If you do intend this access you need to
change the booleans on this system to allow the access.

Povolení přístupu:

Confined processes can be configured to to run requiring different access,
SELinux provides booleans to allow you to turn on/off access as needed. The
boolean allow_execmem is set incorrectly.
Boolean Description:
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")


Příkaz pro opravu:

# setsebool -P allow_execmem 1

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 staff_u:staff_r:staff_t:SystemLow-SystemHigh
Objekty cíle                 None [ process ]
Zdroj                         liferea-bin
Cesta zdroje                  /usr/bin/liferea-bin
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          liferea-1.4.22d-1.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-26.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_boolean
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               St 26. listopad 2008, 09:47:54 CET
Naposledy viděno             St 26. listopad 2008, 09:47:54 CET
Místní ID                   52296ccc-d0f9-4802-b1d2-d3124da07286
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227689274.687:58): avc:  denied  { execstack } for  pid=6403 comm="liferea-bin" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

node=viklef type=SYSCALL msg=audit(1227689274.687:58): arch=40000003 syscall=125 success=no exit=-13 a0=bf918000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=6403 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="liferea-bin" exe="/usr/bin/liferea-bin" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 11 Fedora Update System 2008-11-26 21:09:37 EST
liferea-1.4.22d-1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update liferea'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-10445
Comment 12 Fedora Update System 2008-11-26 21:12:52 EST
liferea-1.4.22d-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update liferea'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-10478
Comment 13 Matěj Cepl 2008-11-27 03:55:59 EST
Nothing has changed for me. Still the same AVC Denial.
Comment 14 Daniel Walsh 2008-11-27 07:31:39 EST
Well then bug should be reopened.  Not an SELinux issue.
Comment 15 Steven M. Parrish 2008-11-27 22:20:02 EST
I can not recreate this on my system.  I'm running x86_64 and looks like you have i386.  Anyone able to recreate this on x86_64?  Also upstream devs have been informed but don't believe liferea could cause this error.  Not sure when or if it will be addressed.

Steven Parrish
Comment 16 Matěj Cepl 2008-11-28 03:05:41 EST
SELinux has to be in the Enforcing mode and I am using staff_u user (as per http://danwalsh.livejournal.com/18312.html).
Comment 17 Daniel Walsh 2008-12-01 14:50:16 EST
Steven

getsebool -a | grep execstack
Comment 18 Fedora Update System 2008-12-08 08:00:41 EST
liferea-1.4.22d-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2008-12-08 08:01:54 EST
liferea-1.4.22d-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Matěj Cepl 2008-12-09 05:33:59 EST
Damn, maintainer, could you please get this bug out of bodhi, when your fixes have absolutely nothing to do with SELinux?
Comment 21 Steven M. Parrish 2009-02-04 08:07:00 EST
Upstream has no interest in resolving this, unless the SELinux gurus can come up with a solution its a WONTFIX.

Note You need to log in before you can comment on or make changes to this bug.