584796 – SELinux is preventing /usr/local/bin/frama-c-gui from loading /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs which requires text relocation.

Bug 584796 - SELinux is preventing /usr/local/bin/frama-c-gui from loading /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs which requires text relocation.

Summary: SELinux is preventing /usr/local/bin/frama-c-gui from loading /usr/local/lib/...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	12
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:2ae0cb5497f...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-04-22 12:46 UTC by Pascal Dupuis
Modified:	2010-04-23 06:05 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-04-23 06:05:33 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Pascal Dupuis 2010-04-22 12:46:35 UTC

Résumé:

SELinux is preventing /usr/local/bin/frama-c-gui from loading
/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs which requires text relocation.

Description détaillée:

The frama-c-gui application attempted to load
/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs which requires text relocation.
This is a potential security problem. Most libraries do not need this
permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs to use relocation as a
workaround, until the library is fixed. Please file a bug report.

Autoriser l'accès:

If you trust /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs to run correctly,
you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'" You must also change the
default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'"

Commande de correction:

chcon -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contexte cible                unconfined_u:object_r:lib_t:s0
Objets du contexte            /usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs [
                              file ]
source                        frama-c-gui
Chemin de la source           /usr/local/bin/frama-c-gui
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.32-110.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 allow_execmod
Nom de l'hôte                (removed)
Plateforme                    Linux aquilaris.example.org
                              2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
                              16:15:03 EDT 2010 i686 i686
Compteur d'alertes            2
Première alerte              jeu 22 avr 2010 14:33:41 CEST
Dernière alerte              jeu 22 avr 2010 14:34:25 CEST
ID local                      db823f87-1e77-4555-8cc3-2c26c8da76d5
Numéros des lignes           

Messages d'audit bruts        

node=aquilaris.example.org type=AVC msg=audit(1271939665.412:65): avc:  denied  { execmod } for  pid=26968 comm="frama-c-gui" path="/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs" dev=dm-1 ino=678221 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file

node=aquilaris.example.org type=SYSCALL msg=audit(1271939665.412:65): arch=40000003 syscall=125 success=no exit=-13 a0=b0a000 a1=5c000 a2=5 a3=bfdbadd0 items=0 ppid=2160 pid=26968 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="frama-c-gui" exe="/usr/local/bin/frama-c-gui" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execmod,frama-c-gui,unconfined_t,lib_t,file,execmod
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow unconfined_t lib_t:file execmod;

Comment 1 Miroslav Grepl 2010-04-23 06:05:33 UTC

Execute the chcon command suggested in the alert.

# chcon -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'

To make this permanent

# semanage fcontext -a -t textrel_shlib_t '/usr/local/lib/frama-c/plugins/Ltl_to_acsl.cmxs'

Note You need to log in before you can comment on or make changes to this bug.