530927 – (yelpexecmem) SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.

Bug 530927 (yelpexecmem) - SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.

Summary: SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.

Keywords:
Status:	CLOSED DUPLICATE of bug 507023
Alias:	yelpexecmem
Product:	Fedora
Classification:	Fedora
Component:	yelp
Sub Component:
Version:	rawhide
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Matthew Barnes
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:5d904fb5e65...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-10-26 06:01 UTC by Victor David M
Modified:	2009-11-10 11:18 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-10-27 23:42:50 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Victor David M 2009-10-26 06:01:38 UTC

Resúmen:

SELinux is preventing /usr/bin/yelp "execmem" access on <Unknown>.

Descripción Detallada:

SELinux denied access requested by yelp. The current boolean settings do not
allow this access. If you have not setup yelp to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Permitiendo Acceso:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Comando para Corregir:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Información Adicional:

Contexto Fuente               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contexto Destino              unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Objetos Destino               None [ process ]
Fuente                        yelp
Dirección de Fuente          /usr/bin/yelp
Puerto                        <Desconocido>
Nombre de Equipo              (removed)
Paquetes RPM Fuentes          yelp-2.28.0-1.fc12
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.6.32-24.fc12
SELinux Activado              True
Tipo de Política             targeted
MLS Activado                  True
Modo Obediente                Enforcing
Nombre de Plugin              catchall_boolean
Nombre de Equipo              (removed)
Plataforma                    Linux (removed) 2.6.31.1-56.fc12.i686
                              #1 SMP Tue Sep 29 16:32:02 EDT 2009 i686 athlon
Cantidad de Alertas           3
Visto por Primera Vez         dom 25 oct 2009 21:26:22 EDT
Visto por Última Vez         dom 25 oct 2009 21:26:22 EDT
ID Local                      e16cae7f-39d3-44ae-8a1d-69707f1d9ee1
Números de Línea            

Mensajes de Auditoría Crudos 

node=(removed) type=AVC msg=audit(1256520382.315:24181): avc:  denied  { execmem } for  pid=2470 comm="yelp" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1256520382.315:24181): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=2470 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="yelp" exe="/usr/bin/yelp" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall_boolean,yelp,unconfined_t,unconfined_t,process,execmem
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execmem;

Comment 1 Daniel Walsh 2009-10-26 12:50:48 UTC

This is a bug in yelp or some library that it is causing.  We have changed the default for Fedora 12 to enabel allow_execmem boolean because of badly written code.  You should probably just turn on this boolean 

setsebool -P allow_execmem 1

execmem has also been caused by the nvidia device drivers.

Comment 2 Matthew Barnes 2009-10-27 23:42:50 UTC


*** This bug has been marked as a duplicate of bug 507023 ***

Note You need to log in before you can comment on or make changes to this bug.