The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing gwibber from changing a writable memory segment executable.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The gwibber application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If gwibber does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust gwibber to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/python'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/bin/python'"

Fix Command:

chcon -t execmem_exec_t '/usr/bin/python'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        gwibber
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6-10.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.21-3.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   141
First Seen                    Wed 01 Jul 2009 09:57:29 AM EDT
Last Seen                     Wed 15 Jul 2009 11:21:53 PM EDT
Local ID                      1c39f514-af62-42bd-a353-7485b0de1e3b
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1247714513.0:1270): avc: denied { execmem } for pid=9221 comm="gwibber" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1247714513.0:1270): arch=c000003e syscall=9 success=no exit=-1693696040 a0=0 a1=4000 a2=7 a3=22 items=0 ppid=1 pid=9221 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gwibber" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

Why does it need this priv? http://people.redhat.com/~drepper/selinux-mem.html
Tom, we need information.
That may be, but I have no idea why gwibber needs execmem.
(In reply to comment #3)
> That may be, but I have no idea why gwibber needs execmem.
Then perhaps the maintainer can enlighten us. If nobody knows the application it might not have a place in the distribution. Granting the rights is wrong in any case.
I can't really know what to do about this unless I know what exactly you did to cause this to happen. Nothing in this bug is specific at all to the usage that caused this AVC.
Actually, this looks an awful lot like bug 516057 on webkitgtk... adding Peter to CC.
Ian, if gwibber uses webkitgtk, you can close this as a dup.
Which it does.
CLOSED DUPLICATE 516057
*** This bug has been marked as a duplicate of bug 516057 ***