Bug 574911 - SELinux denial when OOo Writer exporting to DocBook
SELinux denial when OOo Writer exporting to DocBook
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2010-03-18 15:53 EDT by Alexander Todorov
Modified: 2010-03-19 09:28 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-19 09:28:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Alexander Todorov 2010-03-18 15:53:10 EDT
Description of problem:
There are hundreds of SELinux denials when I try to export an odt document to DocBook from OpenOffice.org Writer:

SELinux is preventing swriter.bin from changing the access protection of memory on the heap. 

The swriter.bin application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If swriter.bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package. 

Raw audit messages:
host=redbull type=AVC msg=audit(1268941411.430:2578): avc: denied { execheap } for pid=19796 comm="swriter.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process 

host=redbull type=SYSCALL msg=audit(1268941411.430:2578): arch=40000003 syscall=125 success=no exit=-13 a0=8052000 a1=482000 a2=5 a3=bfdbed50 items=0 ppid=19786 pid=19796 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=280 comm="swriter.bin" exe="/usr/lib/openoffice.org/program/swriter.bin" subj=user_u:system_r:unconfined_t:s0 key=(null) 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Open this document with swriter -> http://gnome.cult.bg/usermanual/2.10/gnome2-10-book.odt This is a localized GNOME user guide.
2. After opening go to File -> Save as and select DocBook
3. Click Save
Actual results:
SELinux denial, CPU usage goes to 100%

Expected results:
No denial, file is saved as DocBook xml.

Additional info:
Putting SELinux in permissive mode let me save the file as docbook.
Comment 1 Caolan McNamara 2010-03-18 16:13:53 EDT
OOo won't be directly involved here, it follows the prescribed pattern of the double mmap for the executable memory that it needs. This'll more than likely be whatever java is in use (check tools->options->java to see which one it is), perhaps unexpectedly but legitimately being used via a dlopened libjvm.so.
Comment 2 Alexander Todorov 2010-03-19 01:23:23 EDT
Java is Sun Java 1.6.0_18
Comment 3 Daniel Walsh 2010-03-19 09:28:00 EDT
If you trust this application, you can turn off the check by turning on the allow_execheap boolean

# setsebool -P allow_execheap 1

This will allow any unconfined processes to execheap.

I think in RHEL5.5 openoffice will run as unconfined_execmem_t.  If you installed RHEL5.5 policy you could just add access to unconfined_execmem_t using audit2allow.

Suns Java should not require execheap, but we can not fix this.

Note You need to log in before you can comment on or make changes to this bug.