Description of problem: SELinux is preventing knotify4 from changing a writable memory segment executable. Version-Release number of selected component (if applicable): Source RPM Packages: kdebase-runtime-4.2.90-1.fc12 Policy RPM: selinux-policy-3.6.15-1.fc12 How reproducible: always Steps to Reproduce: 1.logout of kde 2. 3. Actual results: avc Expected results: no avc Additional info: Summary: SELinux is preventing knotify4 from changing a writable memory segment executable. Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] The knotify4 application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: If you trust knotify4 to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '2F7573722F62696E2F6B6E6F7469667934202864656C6574656429'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '2F7573722F62696E2F6B6E6F7469667934202864656C6574656429'" Fix Command: chcon -t execmem_exec_t '2F7573722F62696E2F6B6E6F7469667934202864656C6574656429' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects None [ process ] Source knotify4 Source Path 2F7573722F62696E2F6B6E6F7469667934202864656C657465 6429 Port <Unknown> Host jerry-opti755 Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.6.15-1.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name allow_execmem Host Name jerry-opti755 Platform Linux jerry-opti755 2.6.30-0.1.2.32.rc8.xendom0.fc12.x86_64 #1 SMP Thu Jun 4 17:46:39 EDT 2009 x86_64 x86_64 Alert Count 1 First Seen Mon 15 Jun 2009 11:10:06 AM CDT Last Seen Mon 15 Jun 2009 11:10:06 AM CDT Local ID c69d7546-500c-4733-b98f-2d91a9942e15 Line Numbers Raw Audit Messages node=jerry-opti755 type=AVC msg=audit(1245082206.110:606): avc: denied { execmem } for pid=3443 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process node=jerry-opti755 type=SYSCALL msg=audit(1245082206.110:606): arch=c000003e syscall=9 success=yes exit=140594919673856 a0=0 a1=a01000 a2=7 a3=20022 items=0 ppid=1 pid=3443 auid=2355 uid=2355 gid=100 euid=2355 suid=2355 fsuid=2355 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="knotify4" exe=2F7573722F62696E2F6B6E6F7469667934202864656C6574656429 subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
Please post the output of: ldd /usr/bin/knotify4 (to see if you have any strange libraries getting loaded instead of the standard ones).
$ ldd /usr/bin/knotify4 linux-vdso.so.1 => (0x00007ffffd758000) libkdeui.so.5 => /usr/lib64/libkdeui.so.5 (0x0000003219200000) libphonon.so.4 => /usr/lib64/libphonon.so.4 (0x000000321dc00000) libkdecore.so.5 => /usr/lib64/libkdecore.so.5 (0x0000003218c00000) libQtDBus.so.4 => /usr/lib64/libQtDBus.so.4 (0x0000003217c00000) libQtCore.so.4 => /usr/lib64/libQtCore.so.4 (0x0000003216e00000) libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003617200000) libQtSvg.so.4 => /usr/lib64/libQtSvg.so.4 (0x0000003219a00000) libQtGui.so.4 => /usr/lib64/libQtGui.so.4 (0x0000003218000000) libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007fa19dc6a000) libm.so.6 => /lib64/libm.so.6 (0x0000003616a00000) libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fa19da50000) libc.so.6 => /lib64/libc.so.6 (0x0000003616600000) libSM.so.6 => /usr/lib64/libSM.so.6 (0x0000003215600000) libICE.so.6 => /usr/lib64/libICE.so.6 (0x000000361c200000) libX11.so.6 => /usr/lib64/libX11.so.6 (0x0000003618e00000) libXext.so.6 => /usr/lib64/libXext.so.6 (0x000000361a200000) libXft.so.2 => /usr/lib64/libXft.so.2 (0x0000003216a00000) libXau.so.6 => /usr/lib64/libXau.so.6 (0x0000003618a00000) libXdmcp.so.6 => /usr/lib64/libXdmcp.so.6 (0x0000003623e00000) libXpm.so.4 => /usr/lib64/libXpm.so.4 (0x0000003623a00000) libQtXml.so.4 => /usr/lib64/libQtXml.so.4 (0x0000003217400000) libXtst.so.6 => /usr/lib64/libXtst.so.6 (0x0000003624c00000) libXcursor.so.1 => /usr/lib64/libXcursor.so.1 (0x000000361c600000) libXfixes.so.3 => /usr/lib64/libXfixes.so.3 (0x000000361ce00000) libXrender.so.1 => /usr/lib64/libXrender.so.1 (0x000000361b600000) libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x000000361ec00000) libpng12.so.0 => /usr/lib64/libpng12.so.0 (0x00007fa19d824000) libfreetype.so.6 => /usr/lib64/libfreetype.so.6 (0x0000003214200000) libgobject-2.0.so.0 => /lib64/libgobject-2.0.so.0 (0x0000003213600000) libXi.so.6 => /usr/lib64/libXi.so.6 (0x000000361ca00000) libXrandr.so.2 => /usr/lib64/libXrandr.so.2 (0x000000361d600000) libXinerama.so.1 => /usr/lib64/libXinerama.so.1 (0x000000361d200000) libfontconfig.so.1 => /usr/lib64/libfontconfig.so.1 (0x0000003214a00000) libz.so.1 => /lib64/libz.so.1 (0x0000003617600000) libgthread-2.0.so.0 => /lib64/libgthread-2.0.so.0 (0x0000003213e00000) librt.so.1 => /lib64/librt.so.1 (0x0000003617a00000) libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x0000003212e00000) libdl.so.2 => /lib64/libdl.so.2 (0x0000003616e00000) libQtNetwork.so.4 => /usr/lib64/libQtNetwork.so.4 (0x0000003217800000) libbz2.so.1 => /lib64/libbz2.so.1 (0x0000003622c00000) libresolv.so.2 => /lib64/libresolv.so.2 (0x000000361de00000) /lib64/ld-linux-x86-64.so.2 (0x0000003616200000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fa19d61a000) libxcb.so.1 => /usr/lib64/libxcb.so.1 (0x0000003619200000) libcap.so.2 => /lib64/libcap.so.2 (0x000000361e200000) libexpat.so.1 => /lib64/libexpat.so.1 (0x0000003619600000) libssl.so.8 => /usr/lib64/libssl.so.8 (0x0000003216600000) libcrypto.so.8 => /usr/lib64/libcrypto.so.8 (0x0000003216200000) libattr.so.1 => /lib64/libattr.so.1 (0x000000361da00000) libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003215a00000) libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003214e00000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fa19d414000) libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003215200000) libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003215e00000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003620800000) libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003212600000)
Nothing suspicious there. However, Phonon loads some more stuff dynamically. Do you have any: * proprietary graphics drivers? * third-party codecs (e.g. Fluendo GStreamer codecs)? * other third-party libraries which may find their way into Phonon?
Ah, now you're onto something - rpmfusion : # rpm -qa --qf '%{NAME} %{VENDOR}\n' | grep RPM | awk '{ print $1 }' | xargs rpm -q xvidcore-1.2.1-2.fc11.x86_64 libtunepimp-extras-freeworld-0.5.3-7.fc11.x86_64 x264-libs-0.0.0-0.24.20090319gitc109c8.fc11.x86_64 rpmfusion-free-release-11.90-1.noarch libmpeg2-0.5.1-7.fc11.1.x86_64 lame-libs-3.98.2-3.fc11.x86_64 twolame-libs-0.3.12-4.fc11.x86_64 vcdimager-libs-0.7.23-10.fc11.x86_64 xine-lib-extras-freeworld-1.1.16.3-1.fc11.x86_64 gstreamer-plugins-ugly-0.10.11-1.fc11.x86_64 k3b-extras-freeworld-1.0.5-6.fc11.x86_64 a52dec-0.7.4-15.fc11.x86_64 vcdimager-0.7.23-10.fc11.x86_64 libdca-0.0.5-4.fc11.x86_64 faad2-libs-2.7-1.fc11.x86_64 gstreamer-ffmpeg-0.10.7-1.fc11.x86_64 madplay-0.15.2b-6.fc11.x86_64 libmad-0.15.1b-11.fc11.x86_64 faac-1.28-1.fc11.1.x86_64 ffmpeg-libs-0.5-2.fc11.x86_64
RPM Fusion's codecs are supposed to either not require execstack/execmem at all or have the relevant SELinux context set. If that's all the non-Fedora stuff you have, there must be a bug somewhere.
Ping dwalsh: Any idea how we can figure out which shared object is actually at fault here? Short of manually running readelf on every single shared library on the system?
Uli is much better at this stuff then I am.
Uli do you have any ideas on this? -- Steven M. Parrish - KDE Triage Master - PackageKit Triager Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
It's not a text relocation, I assume. In that case it's either an mmap() or mprotect() call. Use strace to track all syscalls, locate the offenders, check what memory region they are modifying (in case of mprotect). strace doesn't tell you where the call comes from, you need to deduce this from the context.
Rex, Kevin what do we want to do with this and other selinux issues? -- Steven M. Parrish - KDE Triage Master - PackageKit Triager Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
For this one, I suggest 1. punt to rpmfusion (or ask reporter to reproduce free of rpmfusion bits). or 2. wait, until someone can investigate further to reproduce or find the ultimate culprit Personally, I'd lean toward 1.
punt to rpmfusion it is. closing->cantfix (it's caused by software outside our control).
*** Bug 506126 has been marked as a duplicate of this bug. ***
I reported this to RPM Fusion: https://bugzilla.rpmfusion.org/show_bug.cgi?id=1381