Bug 527079 - setroubleshoot: SELinux is preventing /usr/bin/arora from changing a writable memory segment executable.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: qt
Version: rawhide
Hardware/OS: i386 Linux
Priority: medium
Severity: medium
Assigned To: Ngo Than
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:c7c5f41d476...
Duplicates: 527080 527081
Reported: 2009-10-04 03:57 EDT by Jaroslav Reznik
Modified: 2009-11-04 07:36 EST (History)
Fixed In Version: 4.5.3-7.fc10
Doc Type: Bug Fix
Last Closed: 2009-11-04 07:03:59 EST
Description Jaroslav Reznik 2009-10-04 03:57:12 EDT
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/bin/arora from changing a writable memory segment
executable.

Detailed Description:

The arora application attempted to change the access protection of memory (e.g.,
allocated using malloc). This is a potential security problem. Applications
should not be doing this. Applications are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If arora does not work and you need it to work, you can
configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report against this package.

Allowing Access:

If you trust arora to run correctly, you can change the context of the
executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/arora'". You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/usr/bin/arora'"

Fix Command:

chcon -t execmem_exec_t '/usr/bin/arora'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        arora
Source Path                   /usr/bin/arora
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           arora-0.9.0-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-23.fc12.i686 #1 SMP Wed Sep 16 16:09:25 EDT 2009 i686 i686
Alert Count                   108
First Seen                    Wed 09 Sep 2009 12:52:23 PM CEST
Last Seen                     Wed 30 Sep 2009 10:45:07 PM CEST
Local ID                      65be4dbf-8588-474b-bffc-d971d4582fb5
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1254343507.921:130): avc:  denied  { execmem } for  pid=12157 comm="arora" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1254343507.921:130): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=4000 a2=7 a3=22 items=0 ppid=1637 pid=12157 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="arora" exe="/usr/bin/arora" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash String generated from  selinux-policy-3.6.32-1.fc12,allow_execmem,arora,unconfined_t,unconfined_t,process,execmem
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;
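The two raw audit records above already say what setroubleshoot summarised, once the SYSCALL record is decoded: arch=40000003 is the i386 ABI, syscall 192 is mmap2, a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC, a3=22 (hex) is MAP_PRIVATE|MAP_ANONYMOUS, and exit=-13 is EACCES. That is an anonymous mapping requested writable and executable at once, which is exactly what the execmem permission gates. The script below is an added example, not part of this bug report, of setroubleshoot or of audit2allow: it parses the two records (constructed copies embedded inline), pairs them by event serial, decodes the mapping arguments, and rebuilds the audit2allow-style rule from the contexts. The syscall and flag tables are deliberately limited to the i386 mapping calls relevant here.

```python
"""Triage an SELinux execmem denial from raw audit records (added example)."""
import errno
import re
from typing import Dict, List

# Constructed copies of the two audit records from the report above. The AVC
# record and its SYSCALL record share the event serial (the 130 in audit(...:130)).
AUDIT_RECORDS = [
    'node=(removed) type=AVC msg=audit(1254343507.921:130): avc:  denied  '
    '{ execmem } for  pid=12157 comm="arora" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'node=(removed) type=SYSCALL msg=audit(1254343507.921:130): arch=40000003 '
    'syscall=192 success=no exit=-13 a0=0 a1=4000 a2=7 a3=22 items=0 ppid=1637 '
    'pid=12157 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 '
    'sgid=500 fsgid=500 tty=(none) ses=1 comm="arora" exe="/usr/bin/arora" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

# i386 ABI only (arch=40000003 is AUDIT_ARCH_I386); just the calls that can
# produce an execmem denial. Other architectures need their own tables.
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_audit_record(line: str) -> dict:
    """Split one audit record into key=value fields; AVC records also get the
    access decision and the permission set, all records get the event serial."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        rec["timestamp"], rec["event"] = m.group(1), m.group(2)
    m = AVC_RE.search(line)
    if m:
        rec["decision"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def hexarg(rec: dict, name: str) -> int:
    """Audit logs print syscall arguments as bare hexadecimal (a3=22 is 0x22)."""
    return int(rec[name], 16)


def flags_to_names(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a flag word into symbolic names, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit] or ["0"]


def decode_syscall(sc: dict) -> dict:
    """Turn the SYSCALL record into the call a reviewer would recognise."""
    if sc.get("arch") != "40000003":
        raise ValueError("decoder only knows the i386 ABI (arch=40000003)")
    nr = int(sc["syscall"])
    name = I386_SYSCALLS.get(nr, f"syscall_{nr}")
    out = {"syscall": name, "success": sc.get("success") == "yes"}
    exit_code = int(sc["exit"])
    if exit_code < 0:  # a negative exit value is -errno
        out["errno"] = errno.errorcode.get(-exit_code, str(-exit_code))
    if name in ("mmap2", "mprotect"):  # both take (addr, len, prot, ...)
        out["length"] = hexarg(sc, "a1")
        out["prot"] = flags_to_names(hexarg(sc, "a2"), PROT_BITS)
    if name == "mmap2":
        out["flags"] = flags_to_names(hexarg(sc, "a3"), MAP_BITS)
    return out


def type_of(context: str) -> str:
    """user:role:type:range -> type (the part a policy rule names)."""
    return context.split(":")[2]


def suggest_rule(avc: dict) -> str:
    """Rebuild the audit2allow-style rule for a denial: same source and target
    type collapse to 'self', as in the report."""
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    target = "self" if src == tgt else tgt
    return f"allow {src} {target}:{avc['tclass']} {' '.join(avc['perms'])};"


def triage(lines: List[str]) -> List[dict]:
    """Pair each denied AVC with the SYSCALL record of the same event and
    flag mappings that were asked to be writable and executable at once."""
    by_event: Dict[str, dict] = {}
    for line in lines:
        rec = parse_audit_record(line)
        by_event.setdefault(rec.get("event", "?"), {})[rec["type"]] = rec
    results = []
    for event, recs in by_event.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or avc.get("decision") != "denied":
            continue
        item = {"event": event, "comm": avc["comm"], "perms": avc["perms"],
                "rule": suggest_rule(avc), "writable_and_executable": False}
        if sc is not None:
            item["call"] = decode_syscall(sc)
            item["exe"] = sc.get("exe")
            # execmem is checked when an anonymous region becomes W+X, whether
            # requested up front via mmap or later via mprotect.
            item["writable_and_executable"] = {"PROT_WRITE", "PROT_EXEC"} <= set(item["call"].get("prot", []))
        results.append(item)
    return results


if __name__ == "__main__":
    for item in triage(AUDIT_RECORDS):
        call = item.get("call", {})
        print(f"event {item['event']}: {item['comm']} denied {' '.join(item['perms'])}")
        print(f"  {call.get('syscall')} len={call.get('length')} prot={call.get('prot')} flags={call.get('flags')} -> {call.get('errno')}")
        print(f"  W+X mapping requested: {item['writable_and_executable']}")
        print(f"  audit2allow would emit: {item['rule']}")
```

The decoded call, an anonymous private 16 KiB mapping asked for read, write and execute in one go, is the triage signal: the report's chcon/semanage workaround labels the whole binary execmem_exec_t and thereby lifts the W+X restriction for every mapping the browser makes, whereas the proper fix is in the code that makes this mapping. Running the script on a live system would mean feeding it the output of ausearch or the AVC lines from /var/log/audit/audit.log instead of the embedded copies.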
Comment 1 Daniel Walsh 2009-10-05 09:25:18 EDT
Arora should not need this priv.
Comment 2 Daniel Walsh 2009-10-05 09:25:55 EDT
*** Bug 527080 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2009-10-05 09:28:13 EDT
*** Bug 527081 has been marked as a duplicate of this bug. ***
Comment 4 Jaroslav Reznik 2009-10-05 10:00:54 EDT
Hi Dan,
could you provide some hints on what I could do with this issue? Thanks.
Comment 5 Daniel Walsh 2009-10-05 10:07:14 EDT
Well first what is arora written in?  What does it do?

This explains what execmem means.
http://people.redhat.com/~drepper/selinux-mem.html
Comment 6 Jaroslav Reznik 2009-10-05 11:17:26 EDT
It's a Qt WebKit browser written in C++; it should not do any low-level operations which are not done by Qt or WebKit itself. I've checked the link and I don't have a clue where to look. Any guide to SELinux debugging?
Comment 7 Daniel Walsh 2009-10-05 11:20:34 EDT
Uli any ideas?
Comment 8 Kevin Kofler 2009-10-06 03:20:56 EDT
This is probably the WebKit JavaScript JIT (Squirrelfish Extreme). It got recently disabled in WebKitGtk because of this, I guess QtWebKit has the same problem.
Comment 9 Jaroslav Reznik 2009-10-06 03:59:22 EDT
Thanks Kevin,
the bug for WebKitGtk is this one: https://bugzilla.redhat.com/show_bug.cgi?id=516057

I'm reassigning this bug to Qt as we should fix it in Qt too (JIT disable workaround for now?). Not closing as a duplicate as it belongs to another component, but we should track the WKG bug.
Comment 10 Fedora Update System 2009-10-11 19:49:32 EDT
qt-4.5.3-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/qt-4.5.3-4.fc11
Comment 11 Fedora Update System 2009-10-13 21:44:59 EDT
qt-4.5.3-4.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-10447
Comment 12 Fedora Update System 2009-10-13 21:49:36 EDT
qt-4.5.3-4.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-10462
Comment 13 Fedora Update System 2009-11-04 07:03:32 EST
qt-4.5.3-7.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-11-04 07:35:45 EST
qt-4.5.3-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.