Summary:

SELinux is preventing /usr/bin/empathy "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by empathy. The current boolean settings do not allow this access. If you have not setup empathy to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:

Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1

Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1

Additional Information:

Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        None [ process ]
Source                epiphany
Source Path           /usr/bin/epiphany
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages   empathy-2.28.0-1.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.6.32-8.fc12
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_boolean
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.31-33.fc12.x86_64 #1 SMP Thu Sep 17 15:40:43 EDT 2009 x86_64 x86_64
Alert Count           8
First Seen            Thu 24 Sep 2009 03:16:26 PM CEST
Last Seen             Thu 24 Sep 2009 11:42:31 PM CEST
Local ID              5f36fe1d-1b50-4602-940c-403f44e9f1c0
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1253828551.809:35): avc: denied { execmem } for pid=2218 comm="empathy" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1253828551.809:35): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 items=0 ppid=1 pid=2218 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="empathy" exe="/usr/bin/empathy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Note that this happens consistently when using an Adium theme, so it might be an issue in WebKit.
So, I really have no clue of what this might be, but here's one wild guess: can you compile WebKitGTK+ *without* JIT (--disable-jit) and check if that fixes it? I'm using Fedora and can't really reproduce this though, is there any non-standard setting I should enable?
No non-standard setting enabled, just Fedora Rawhide with empathy 2.28, and selinux enabled (by default).
(In reply to comment #3)
> No non-standard setting enabled, just Fedora Rawhide with empathy 2.28, and
> selinux enabled (by default).

OK, I'm running Fedora 10 still, so it might be that. I'll upgrade to Fedora 11 (or maybe some F12 alpha/beta) before going to the Boston Summit probably, so I'll make sure to check that if we don't fix it before. In any case, if you can test what I suggested that would be very useful.
I'll try that this week-end. You won't be able to reproduce it with F11 though. It only happens when I try to use an Adium theme, so it needs 2.28.
Thanks for the bug report; however, I'm almost certain this is the same issue as seen in #516057, caused by some erroneous assembly in WebKitGTK+'s JIT support. If this is not the case, and something else is indeed causing the problem, please re-open this bug with further details.

*** This bug has been marked as a duplicate of bug 516057 ***
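
When triaging an execmem denial like the one in the original report, the SYSCALL record paired with the AVC shows what mapping was actually refused. The following Python is an added example, not part of this bug thread or of setroubleshoot; the function names are hypothetical and the flag tables list only the common x86_64 mmap bits.

```python
import re

# Trimmed copy of the SYSCALL record from the report (unused fields dropped).
SAMPLE = ('type=SYSCALL msg=audit(1253828551.809:35): arch=c000003e syscall=9 '
          'success=no exit=-13 a0=0 a1=4000 a2=5 a3=22 items=0 pid=2218 '
          'comm="empathy" exe="/usr/bin/empathy"')

# x86_64 Linux values; only the common bits are listed (assumption: enough for triage).
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def flag_names(value, table):
    """Return the names of the bits set in value, plus any unknown remainder in hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names

def decode_mmap(record):
    """Decode an audit SYSCALL record for mmap on x86_64 (arch=c000003e, syscall=9)."""
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    if f.get("arch") != "c000003e" or f.get("syscall") != "9":
        raise ValueError("not an x86_64 mmap record")
    prot, flags = int(f["a2"], 16), int(f["a3"], 16)  # audit prints a0..a3 in hex
    return {
        "exe": f["exe"].strip('"'),
        "length": int(f["a1"], 16),
        "prot": flag_names(prot, PROT),
        "flags": flag_names(flags, MAP),
        "denied": f.get("exit") == "-13",  # -13 is EACCES
        # An executable mapping with no file behind it is one case the execmem check covers.
        "anon_exec": bool(prot & 0x4 and flags & 0x20),
    }

if __name__ == "__main__":
    for key, value in decode_mmap(SAMPLE).items():
        print(f"{key:10} {value}")
```

For the record in this report the result is a denied 16 KiB anonymous private mapping requested readable and executable, which is the kind of allocation a JIT makes.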