Bug 521918 - SELinux is preventing knotify4 from making the program stack executable
Summary: SELinux is preventing knotify4 from making the program stack executable
Keywords:
Status: CLOSED DUPLICATE of bug 506126
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase-runtime
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-08 17:40 UTC by Jaroslaw Gorny
Modified: 2009-09-08 17:47 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-08 17:47:42 UTC


Attachments (Terms of Use)

Description Jaroslaw Gorny 2009-09-08 17:40:05 UTC
Description of problem:
SELinux is preventing knotify4 from making the program stack executable

Version-Release number of selected component (if applicable):

[root@moonstone ~]# rpm -qf $(which knotify4)
kdebase-runtime-4.3.1-1.fc12.i686


How reproducible:
ALWAYS

Steps to Reproduce:
1. start KDE session
  
Actual results:
AVC denial appears


Expected results:
No AVC denial - knotify4 should not try to make stack executable

Additional info:

(detailed output from SELinux Security Alerts):

Summary:

SELinux is preventing knotify4 from making the program stack executable.

Detailed description:

[knotify4 has a permissive type (unconfined_t). This access was not denied.]

The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allow access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to execmem_exec_t.
"chcon -t execmem_exec_t '/usr/bin/knotify4'" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t execmem_exec_t '/usr/bin/knotify4'"

Fix command:

chcon -t execmem_exec_t '/usr/bin/knotify4'

Additional info:

Source context          unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target context             unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Object              None [ process ]
Source                     knotify4
Source Path         /usr/bin/knotify4
Port                          <Nieznane>
Computer                      moonstone.foo.org
Source RPM       kdebase-runtime-4.3.1-1.fc12
Target RPM          
policy RPM                  selinux-policy-3.6.30-4.fc12
SELinux turned on       True
Policy type                  targeted
MLS turned on           True
Enforcing type               Enforcing
Plugin name                 allow_execstack
Computer name               moonstone.foo.org
Platform                     Linux moonstone.foo.org
                              2.6.31-0.204.rc9.fc12.i686 #1 SMP Sat Sep 5
                              21:01:10 EDT 2009 i686 i686
Alarm Counter              4
First time               pon, 7 wrz 2009, 21:07:08
Last time                wto, 8 wrz 2009, 19:07:26
local identifier         027c9baa-685a-4538-92af-937228fb5003
                

Raw audit log:

node=moonstone.mos.gov.pl type=AVC msg=audit(1252429646.537:17): avc:  denied  { execstack } for  pid=1324 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=moonstone.mos.gov.pl type=AVC msg=audit(1252429646.537:17): avc:  denied  { execmem } for  pid=1324 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=moonstone.mos.gov.pl type=SYSCALL msg=audit(1252429646.537:17): arch=40000003 syscall=125 success=yes exit=0 a0=bfdc9000 a1=1000 a2=1000007 a3=bfdc727c items=0 ppid=1 pid=1324 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 1 Kevin Kofler 2009-09-08 17:47:42 UTC

*** This bug has been marked as a duplicate of bug 506126 ***


Note You need to log in before you can comment on or make changes to this bug.