Bug 493663 - /lib64/libfreebl3.so installs with the execstack flag turned on causing setroubleshoot, rpm, NetworkManager to require execstack and execmem
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: rawhide
Hardware: All
OS: Linux
low
medium
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-04-02 14:55 UTC by Daniel Walsh
Modified: 2013-01-10 05:08 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-04-03 21:16:19 UTC


Attachments
Tell assembler to not mark stack as executable (590 bytes, patch)
2009-04-02 16:09 UTC, Ulrich Drepper


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 486537 0 None None None Never

Description Daniel Walsh 2009-04-02 14:55:48 UTC
Description of problem:

----
time->Thu Apr  2 10:42:03 2009
type=SYSCALL msg=audit(1238683323.595:1332): arch=c000003e syscall=10 success=no exit=-13 a0=7fff7aa39000 a1=1000 a2=1000007 a3=7f0772835781 items=0 ppid=7811 pid=7812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1238683323.595:1332): avc:  denied  { execstack } for  pid=7812 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process


time->Thu Apr  2 10:54:30 2009
type=SYSCALL msg=audit(1238684070.551:1358): arch=c000003e syscall=10 success=no exit=-13 a0=7fffed13b000 a1=1000 a2=1000007 a3=7fb0e4f36781 items=0 ppid=6871 pid=7954 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rpm" exe="/bin/rpm" subj=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1238684070.551:1358): avc:  denied  { execstack } for  pid=7954 comm="rpm" scontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process


gcc-4.4.0-0.31.x86_64
glibc-2.9.90-12.x86_64
glibc-2.9.90-12.i686
kernel-2.6.29.1-37.rc1.fc11.x86_64

Not sure which package is causing this.

Comment 1 Daniel Walsh 2009-04-02 15:04:21 UTC
X /lib64/libfreebl3.so

Looks like this library is marked execstack.

Comment 2 Ulrich Drepper 2009-04-02 16:09:34 UTC
Created attachment 337841
Tell assembler to not mark stack as executable

This problem is partly my fault.  The intel-aes.s file doesn't have the stack annotation.  The proposed patch fixes this by telling the assembler that no .s file needs an executable stack.  This better be true and it means future new .s files are automatically covered.

Kai, can you please build a new RPM with this ASAP?  This problem is causing significant pain.

Comment 3 Kai Engert (:kaie) (inactive account) 2009-04-02 16:31:47 UTC
OK, doing now. We should however get this landed in upstream nss.

Comment 4 Kai Engert (:kaie) (inactive account) 2009-04-02 16:44:05 UTC
reported upstream

Comment 5 Kai Engert (:kaie) (inactive account) 2009-04-02 17:11:56 UTC
I started this build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=1273826

It already completed on i586, x86_64

For some reason the koji command line client gave me:
ProtocolError: <ProtocolError for koji.fedoraproject.org/kojihub: -1 >

and the web page reports the ppc builds are still in the "free" state.

Shall we wait, or cancel the build and retry?

Comment 6 Jesse Keating 2009-04-02 18:21:57 UTC
The build completed.  Your local watch of the build had a timeout.  That's non-fatal.

Comment 7 Daniel Walsh 2009-04-03 21:16:19 UTC
Seems to be fixed in rawhide.

