Bug 562201 - SELinux is preventing swriter.bin from changing the access protection of memory on the heap.
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:57d95b16c10...
Duplicates: 562241
Depends On:
Blocks:
Reported: 2010-02-05 15:53 UTC by Oliver Ruebenacker
Modified: 2010-02-05 19:34 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-02-05 16:07:22 UTC
Type: ---
Embargoed:



Description Oliver Ruebenacker 2010-02-05 15:53:37 UTC
Summary:

SELinux is preventing swriter.bin from changing the access protection of memory
on the heap.

Detailed Description:

The swriter.bin application attempted to change the access protection of memory
on the heap (e.g., allocated using malloc). This is a potential security
problem. Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If swriter.bin does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you want swriter.bin to continue, you must turn on the allow_execheap
boolean. Note: This boolean will affect all applications on the system.

Fix Command:

setsebool -P allow_execheap=1

Additional Information:

Source Context                unconfined_u:system_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:system_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        swriter.bin
Source Path                   /usr/lib/openoffice.org/program/swriter.bin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openoffice.org-writer-2.3.0-6.11.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execheap
Host Name                     (removed)
Platform                      Linux (removed) 2.6.24.3-12.fc8 #1 SMP Tue Feb 26
                              14:58:29 EST 2008 i686 i686
Alert Count                   1
First Seen                    Tue 11 Mar 2008 10:00:53 PM EDT
Last Seen                     Tue 11 Mar 2008 10:00:53 PM EDT
Local ID                      cbe33aa2-9475-4ec9-8dac-15939d69fe52
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1205287253.631:30): avc:  denied  { execheap } for  pid=8167 comm="swriter.bin" scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1205287253.631:30): arch=40000003 syscall=125 success=no exit=-13 a0=8053000 a1=af9000 a2=5 a3=bfea8870 items=0 ppid=8157 pid=8167 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="swriter.bin" exe="/usr/lib/openoffice.org/program/swriter.bin" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.0.8-87.fc8,allow_execheap,swriter.bin,unconfined_t,unconfined_t,process,execheap
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execheap'

allow unconfined_t self:process execheap;

Comment 1 Daniel Walsh 2010-02-05 16:07:22 UTC
You have ancient policy on an F12 system

*** This bug has been marked as a duplicate of bug 538428 ***

Comment 2 Oliver Ruebenacker 2010-02-05 16:10:06 UTC
(In reply to comment #1)
> You have ancient policy on an F12 system
> 
> *** This bug has been marked as a duplicate of bug 538428 ***    

But it's fully updated.

Comment 3 Daniel Walsh 2010-02-05 17:01:59 UTC
Yes, but you are reporting ancient avc/sealert messages as if they happened on an F12 system.

An update to setroubleshoot is coming that will delete all messages that have been fixed.  

Policy RPM                    selinux-policy-3.0.8-87.fc8

The AVC you are reporting happened on Fc8.

First Seen                    Tue 11 Mar 2008 10:00:53 PM EDT
Last Seen                     Tue 11 Mar 2008 10:00:53 PM EDT
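
Added example (not part of the original report, and not setroubleshoot's own code): the raw AVC and SYSCALL records quoted in the description already show both what was denied and that the event is old. The sketch below joins the two records by their audit stamp and decodes them; the sample strings are the report's records trimmed to the fields used, the i386 syscall table holds only the one entry needed, and the reference time is pinned to the bug's report time.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two raw audit records from the report, trimmed to the fields used here.
AVC = ('node=(removed) type=AVC msg=audit(1205287253.631:30): avc:  denied  { execheap } '
       'for  pid=8167 comm="swriter.bin" tclass=process')
SYSCALL = ('node=(removed) type=SYSCALL msg=audit(1205287253.631:30): arch=40000003 '
           'syscall=125 success=no exit=-13 a0=8053000 a1=af9000 a2=5 a3=bfea8870')

# i386 (arch=40000003) syscall numbers; only the one in this record is mapped.
I386_SYSCALLS = {125: "mprotect"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

def event_id(record):
    """Return (epoch_seconds, serial) from the msg=audit(...) stamp."""
    m = MSG_RE.search(record)
    if not m:
        raise ValueError("no audit stamp in record")
    return int(m.group(1)), int(m.group(3))

def fields(record):
    """Parse key=value tokens; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode(avc, syscall, now):
    """Join an AVC with its SYSCALL record and report what was denied and when."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    f = fields(syscall)
    when = datetime.fromtimestamp(event_id(avc)[0], tz=timezone.utc)
    prot = int(f["a2"], 16)  # a0..a3 are hexadecimal in audit records
    return {
        "when": when,
        "age_days": (now - when).days,
        "perm": re.search(r"\{ (\w+) \}", avc).group(1),
        "syscall": I386_SYSCALLS.get(int(f["syscall"]), f["syscall"]),
        "prot": [n for bit, n in PROT_BITS.items() if prot & bit],
        "errno": -int(f["exit"]),
    }

if __name__ == "__main__":
    # "now" is pinned to the bug's report time so the result is reproducible.
    print(decode(AVC, SYSCALL, datetime(2010, 2, 5, 15, 53, tzinfo=timezone.utc)))
```

The decoded event is an mprotect() call requesting PROT_READ|PROT_EXEC that failed with errno 13 (EACCES), recorded nearly two years before the bug was filed.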

Comment 4 Oliver Ruebenacker 2010-02-05 17:35:13 UTC
Oh, sorry, I did not realize they were old. SELinux just popped up and said I have 26 issues, so I thought they happened all right now.

Comment 5 Daniel Walsh 2010-02-05 19:32:39 UTC
Yes this is caused by a bug in setroubleshoot.

Comment 6 Daniel Walsh 2010-02-05 19:34:27 UTC
*** Bug 562241 has been marked as a duplicate of this bug. ***