Bug 517522 - SELinux is preventing /usr/bin/quodli (staff_t) "execstack" to <Unknown> (staff_t).
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: quodlibet
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jeffrey C. Ollie
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-08-14 13:13 UTC by Matěj Cepl
Modified: 2018-04-11 09:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-14 20:18:30 UTC
Type: ---
Embargoed:



Description Matěj Cepl 2009-08-14 13:13:16 UTC
(quodlibet is a music player written in Python and PyGtk)

SELinux is preventing /usr/bin/quodli (staff_t) "execstack" to <Unknown> (staff_t).

Detailed Description:

SELinux denied access requested by /usr/bin/quodli. The current boolean settings
do not allow this access. If you have not set up /usr/bin/quodli to require this
access, this may signal an intrusion attempt. If you do intend this access, you
need to change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access;
SELinux provides booleans to allow you to turn on/off access as needed. The
boolean allow_execmem is set incorrectly.
Boolean Description:
Allow unconfined executables to map a memory region as both executable and
writable; this is dangerous and the executable should be reported in bugzilla.


Fix Command:

# setsebool -P allow_execmem 1

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        /usr/bin/quodli
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          bradford
Source RPM Packages           python-2.6-11.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     bradford
Platform                      Linux bradford 2.6.29.6-217.2.3.fc11.x86_64 #1 SMP
                              Wed Jul 29 16:02:42 EDT 2009 x86_64 x86_64
Alert Count                   48
First Seen                    Fri 14 Aug 2009 15:09:09 CEST
Last Seen                     Fri 14 Aug 2009 15:10:42 CEST
Local ID                      fb54fb48-b220-4ce3-8679-deea2b157fd4
Line Numbers                  

Raw Audit Messages            

node=bradford type=AVC msg=audit(1250255442.890:63): avc:  denied  { execstack } for  pid=3094 comm="/usr/bin/quodli" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process

node=bradford type=SYSCALL msg=audit(1250255442.890:63): arch=c000003e syscall=10 success=no exit=-13 a0=7fff3cbc5000 a1=1000 a2=1000007 a3=361aa1a141 items=0 ppid=1 pid=3094 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="/usr/bin/quodli" exe="/usr/bin/python" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
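An added example, not part of this bug report or of quodlibet, that decodes the two audit records above from a defender's side: it pairs the AVC record with its SYSCALL record by event id and decodes the mprotect arguments (syscall 10 on x86_64, a2=1000007) to show that the denied request was to make a stack mapping writable and executable at once, which is what glibc does when a loaded native library is marked as needing an executable stack (the kind of plugin/library Comment 1 suspects). The two record strings are constructed, trimmed copies of the lines quoted above; the field names and flag values are the standard Linux audit and mprotect(2) ones.

```python
import re

# Trimmed, constructed copies of the two audit records quoted in this bug (values unchanged).
AVC = ('node=bradford type=AVC msg=audit(1250255442.890:63): avc:  denied  '
       '{ execstack } for  pid=3094 comm="/usr/bin/quodli" '
       'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
       'tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process')
SYSCALL = ('node=bradford type=SYSCALL msg=audit(1250255442.890:63): arch=c000003e '
           'syscall=10 success=no exit=-13 a0=7fff3cbc5000 a1=1000 a2=1000007 '
           'a3=361aa1a141 items=0 ppid=1 pid=3094 auid=500 uid=500 gid=500 '
           'comm="/usr/bin/quodli" exe="/usr/bin/python" '
           'subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)')
# mprotect(2) protection bits on Linux; PROT_GROWSDOWN means "apply to the stack mapping".
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC", 0x01000000: "PROT_GROWSDOWN"}
X86_64_ARCH = "c000003e"   # arch= value for x86_64 in audit records
MPROTECT_X86_64 = 10       # mprotect syscall number on x86_64
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

def parse_record(line):
    """Split one audit record into its key=value fields plus a (timestamp, serial) event id."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    ts, serial = EVENT_ID.search(line).groups()
    fields["event"] = (ts, int(serial))
    return fields

def decode_prot(a2_hex):
    """Name the protection flags in mprotect's third argument (a2), in table order."""
    bits = int(a2_hex, 16)
    return [name for bit, name in PROT.items() if bits & bit]

def explain(avc_line, syscall_line):
    """Pair an AVC record with its SYSCALL record and describe what was actually requested."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("AVC and SYSCALL records belong to different audit events")
    flags = decode_prot(sc["a2"])
    is_mprotect = sc["arch"] == X86_64_ARCH and int(sc["syscall"]) == MPROTECT_X86_64
    return {
        "permission": re.search(r'\{ ([\w ]+) \}', avc_line).group(1).split(),
        "tclass": avc["tclass"],
        "comm": avc["comm"],
        "exe": sc["exe"],
        "is_mprotect": is_mprotect,
        "prot": flags,
        "stack_mapping": is_mprotect and "PROT_GROWSDOWN" in flags,   # the execstack case
        "exec_and_write": {"PROT_WRITE", "PROT_EXEC"} <= set(flags),
        "denied_eacces": sc["success"] == "no" and int(sc["exit"]) == -13,  # -EACCES
    }
```

Run on the two records it reports an mprotect of one stack page to PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN refused with EACCES, which is the execstack check firing rather than a plain execmem mapping.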

Comment 1 Jeffrey C. Ollie 2009-08-14 14:44:50 UTC
Hmm, I'm unable to reproduce this...  Since quodlibet is mostly Python, is it possible that this is being triggered by gstreamer or a plugin/library loaded by gstreamer?  What kind of files are you playing?

Comment 2 Matěj Cepl 2009-08-14 20:18:30 UTC
Cannot reproduce anymore, probably there was something screwed up with my labelling (when switching to staff_u just relogging is not enough ... reboot at least and I did also touch /.autorelabel ; reboot).

Closing as NOTABUG, I will reopen if I meet it again.

