Résumé: SELinux is preventing /usr/local/bin/frama-c-gui from loading /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs which requires text relocation. Description détaillée: The frama-c-gui application attempted to load /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs to use relocation as a workaround, until the library is fixed. Please file a bug report. Autoriser l'accès: If you trust /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'" Commande de correction: chcon -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs' Informations complémentaires: Contexte source unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Contexte cible unconfined_u:object_r:lib_t:s0 Objets du contexte /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs [ file ] source frama-c-gui Chemin de la source /usr/local/bin/frama-c-gui Port <Inconnu> Hôte (removed) Paquetages RPM source Paquetages RPM cible Politique RPM selinux-policy-3.6.32-110.fc12 Selinux activé True Type de politique targeted Mode strict Enforcing Nom du plugin allow_execmod Nom de l'hôte (removed) Plateforme Linux aquilaris.example.org 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686 Compteur d'alertes 2 Première alerte jeu 22 avr 2010 14:33:41 CEST Dernière alerte jeu 22 avr 2010 14:34:25 CEST ID local db823f87-1e77-4555-8cc3-2c26c8da76d5 Numéros des lignes Messages d'audit bruts node=aquilaris.example.org type=AVC msg=audit(1271939665.412:65): avc: denied { execmod } for pid=26968 comm="frama-c-gui" path="/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs" dev=dm-1 ino=678221 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file node=aquilaris.example.org type=SYSCALL msg=audit(1271939665.412:65): arch=40000003 syscall=125 success=no exit=-13 a0=b0a000 a1=5c000 a2=5 a3=bfdbadd0 items=0 ppid=2160 pid=26968 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="frama-c-gui" exe="/usr/local/bin/frama-c-gui" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash String generated from allow_execmod,frama-c-gui,unconfined_t,lib_t,file,execmod audit2allow suggests: #============= unconfined_t ============== #!!!! This avc can be allowed using the boolean 'allow_execmod' allow unconfined_t lib_t:file execmod;
Execute the chcon command suggested in the alert. # chcon -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs' To make this permanent # semanage fcontext -a -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'