The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/bin/arora from changing a writable memory segment executable.

Detailed Description:

The arora application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If arora does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

Allowing Access:

If you trust arora to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/arora'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/bin/arora'"

Fix Command:

chcon -t execmem_exec_t '/usr/bin/arora'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        arora
Source Path                   /usr/bin/arora
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           arora-0.9.0-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-23.fc12.i686 #1 SMP Wed Sep 16 16:09:25 EDT 2009 i686 i686
Alert Count                   108
First Seen                    Wed 09 Sep 2009 12:52:23 PM CEST
Last Seen                     Wed 30 Sep 2009 10:45:07 PM CEST
Local ID                      65be4dbf-8588-474b-bffc-d971d4582fb5
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1254343507.921:130): avc: denied { execmem } for pid=12157 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1254343507.921:130): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=4000 a2=7 a3=22 items=0 ppid=1637 pid=12157 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="arora" exe="/usr/bin/arora" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-1.fc12,allow_execmem,arora,unconfined_t,unconfined_t,process,execmem

audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
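Decoding the SYSCALL record from the raw audit messages above shows which memory request was denied. This is an added example, not part of the original report or of setroubleshoot; the record is trimmed from the one in the report, and the syscall and flag tables are assumptions that cover only mmap/mprotect on i386 and x86_64.

```python
import errno
import re

# Constructed sample: the SYSCALL record from the report, trimmed to the fields used.
RECORD = ('type=SYSCALL msg=audit(1254343507.921:130): arch=40000003 '
          'syscall=192 success=no exit=-13 a0=0 a1=4000 a2=7 a3=22 '
          'pid=12157 comm="arora" exe="/usr/bin/arora"')

# Assumption: only the memory-mapping calls on i386 and x86_64 are covered.
SYSCALLS = {(0x40000003, 192): "mmap2", (0x40000003, 125): "mprotect",
            (0xC000003E, 9): "mmap", (0xC000003E, 10): "mprotect"}
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE",
       0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}


def parse_fields(record):
    """Split an audit record into its key=value fields."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))


def flag_names(value, table):
    """Render a bitmask using the names in table."""
    return "|".join(n for bit, n in table.items() if value & bit) or "0"


def explain(record):
    """Decode a mmap/mprotect SYSCALL record; None for other syscalls."""
    f = parse_fields(record)
    # arch and a0..a3 are logged in hex; syscall and exit are decimal.
    call = SYSCALLS.get((int(f["arch"], 16), int(f["syscall"])))
    if call is None:
        return None
    prot = int(f["a2"], 16)  # third argument of both mmap and mprotect
    out = {"exe": f["exe"].strip('"'), "syscall": call,
           "length": int(f["a1"], 16), "prot": flag_names(prot, PROT),
           "writable_and_executable": (prot & 0x6) == 0x6,
           "errno": errno.errorcode.get(-int(f["exit"]))}
    if call != "mprotect":
        out["flags"] = flag_names(int(f["a3"], 16), MAP)  # mmap-only argument
    return out


if __name__ == "__main__":
    for key, value in explain(RECORD).items():
        print(f"{key:24} {value}")
```

For the record in this report the decoded request is an anonymous private mapping asked for as readable, writable and executable at once, refused with EACCES.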
Arora should not need this priv.
*** Bug 527080 has been marked as a duplicate of this bug. ***
*** Bug 527081 has been marked as a duplicate of this bug. ***
Hi Dan, could you provide some hints on what I could do about this issue? Thanks.
Well, first, what is arora written in? What does it do? This explains what execmem means: http://people.redhat.com/~drepper/selinux-mem.html
It's a Qt WebKit browser written in C++; it should not do any low-level operations which are not done by Qt or WebKit itself. I've checked the link and I don't have a clue where to look. Any guide to SELinux debugging?
Uli, any ideas?
This is probably the WebKit JavaScript JIT (Squirrelfish Extreme). It was recently disabled in WebKitGtk because of this; I guess QtWebKit has the same problem.
Thanks Kevin, the bug for WebKitGtk is this one: https://bugzilla.redhat.com/show_bug.cgi?id=516057 I'm reassigning this bug to Qt as we should fix it in Qt too (JIT disable workaround for now?). Not closing as a duplicate as it belongs to another component, but we should track the WKG bug.
qt-4.5.3-4.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/qt-4.5.3-4.fc11
qt-4.5.3-4.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-10447
qt-4.5.3-4.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-10462
qt-4.5.3-7.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.5.3-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.