Bug 522917 - setroubleshoot: SELinux is preventing /usr/bin/liferea from changing a writable memory segment executable.
Summary: setroubleshoot: SELinux is preventing /usr/bin/liferea from changing a w...
Status: CLOSED DUPLICATE of bug 516057
Alias: None
Product: Fedora
Classification: Fedora
Component: liferea
Version: rawhide
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Steven M. Parrish
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:01e33c6da95...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-09-12 07:29 UTC by Nicolas Mailhot
Modified: 2009-09-21 16:20 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-09-21 16:20:48 UTC

Attachments (Terms of Use)

Description Nicolas Mailhot 2009-09-12 07:29:22 UTC
The following was filed automatically by setroubleshoot:


SELinux is preventing /usr/bin/liferea from changing a writable memory segment

Description détaillée:

[liferea has a permissive type (unconfined_t). This access was not denied.]

The liferea application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If liferea does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

Autoriser l'accès:

If you trust liferea to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/liferea'". You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t

Commande de correction:

chcon -t execmem_exec_t '/usr/bin/liferea'

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Contexte cible                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Objets du contexte            None [ process ]
source                        liferea
Chemin de la source           /usr/bin/liferea
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         liferea-1.6.0-0.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.31-3.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 allow_execmem
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-2.fc12.x86_64 #1 SMP Thu
                              Sep 10 00:25:40 EDT 2009 x86_64 x86_64
Compteur d'alertes            1
Première alerte              sam. 12 sept. 2009 09:25:47 CEST
Dernière alerte              sam. 12 sept. 2009 09:25:47 CEST
ID local                      b22c2187-df6f-4bc5-bfec-553ecfd5dff8
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252740347.693:496): avc:  denied  { execmem } for  pid=2114 comm="liferea" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1252740347.693:496): arch=c000003e syscall=9 success=yes exit=140534071214080 a0=0 a1=4000 a2=5 a3=22 items=0 ppid=2015 pid=2114 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="liferea" exe="/usr/bin/liferea" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

Comment 1 Daniel Walsh 2009-09-14 15:38:57 UTC
Liferea should not require execmem.

This is a dangerous permission and should be fixed.


Comment 2 Bill Nottingham 2009-09-21 16:20:48 UTC

*** This bug has been marked as a duplicate of bug 516057 ***

Note You need to log in before you can comment on or make changes to this bug.