Bug 493663 - /lib64/libfreebl3.so installs with the execstack flag turned on causing setroubleshoot, rpm, NetworkManager to require execstack and execmem
/lib64/libfreebl3.so installs with the execstack flag turned on causing setro...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: nss (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Kai Engert (:kaie)
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-02 10:55 EDT by Daniel Walsh
Modified: 2013-01-10 00:08 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-03 17:16:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Tell assembler to not mark stack as executable (590 bytes, patch)
2009-04-02 12:09 EDT, Ulrich Drepper
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 486537 None None None Never

  None (edit)
Description Daniel Walsh 2009-04-02 10:55:48 EDT
Description of problem:

----
time->Thu Apr  2 10:42:03 2009
type=SYSCALL msg=audit(1238683323.595:1332): arch=c000003e syscall=10 success=no exit=-13 a0=7fff7aa39000 a1=1000 a2=1000007 a3=7f0772835781 items=0 ppid=7811 pid=7812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1238683323.595:1332): avc:  denied  { execstack } for  pid=7812 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process


time->Thu Apr  2 10:54:30 2009
type=SYSCALL msg=audit(1238684070.551:1358): arch=c000003e syscall=10 success=no exit=-13 a0=7fffed13b000 a1=1000 a2=1000007 a3=7fb0e4f36781 items=0 ppid=6871 pid=7954 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rpm" exe="/bin/rpm" subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1238684070.551:1358): avc:  denied  { execstack } for  pid=7954 comm="rpm" scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process


gcc-4.4.0-0.31.x86_64
glibc-2.9.90-12.x86_64
glibc-2.9.90-12.i686
kernel-2.6.29.1-37.rc1.fc11.x86_64

Not sure which package is causing this.
Comment 1 Daniel Walsh 2009-04-02 11:04:21 EDT
X /lib64/libfreebl3.so

Looks like this library is marked execstack.
Comment 2 Ulrich Drepper 2009-04-02 12:09:34 EDT
Created attachment 337841 [details]
Tell assembler to not mark stack as executable

This problem is partly my fault.  The intel-aes.s file doesn't have the stack annotation.  The proposed patch fixes this by telling the assembler the no .s file needs an executable stack.  This better be true and it means future new .s files are automatically covered.

Kai, can you please build a new RPM with this ASAP?  This problem is causing significant pain.
Comment 3 Kai Engert (:kaie) 2009-04-02 12:31:47 EDT
ok, doing now. we should however get this landed upstream nss
Comment 4 Kai Engert (:kaie) 2009-04-02 12:44:05 EDT
reported upstream
Comment 5 Kai Engert (:kaie) 2009-04-02 13:11:56 EDT
I started this build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=1273826

It already completed on i586, x86_64

For some reason the koji command line client gave me:
ProtocolError: <ProtocolError for koji.fedoraproject.org/kojihub: -1 >

and the web page reports the ppc builds are still in the "free" state.

Shall we wait, or cancel the build and retry?
Comment 6 Jesse Keating 2009-04-02 14:21:57 EDT
The build completed.  Your local watch of the build had a timeout.  That's non-fatal.
Comment 7 Daniel Walsh 2009-04-03 17:16:19 EDT
Seems to be fixed in rawhide.

Note You need to log in before you can comment on or make changes to this bug.