(This is a copy-and-paste report, as the 'report to bugzilla' button in sealert seems to be mysteriously missing.) What I did to trigger this was try to run Doom 2 - the old-skool doom2.exe - in dosbox. It causes dosbox to crash. If I go to Permissive mode, I can run the game happily.

SELinux denied access requested by dosbox. The current boolean settings do not allow this access. If you have not setup dosbox to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:

Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
# setsebool -P allow_execstack 1

Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
# setsebool -P allow_execmem 1

Additional Information:

Source Context        unconfined_u:unconfined_r:unconfined_t:s0
Target Context        unconfined_u:unconfined_r:unconfined_t:s0
Target Objects        None [ process ]
Source                dosbox
Source Path           /usr/bin/dosbox
Port                  <Unknown>
Host                  adam.local.net
Source RPM Packages   dosbox-0.74-1.fc14
Target RPM Packages
Policy RPM            selinux-policy-3.8.7-2.fc14
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Plugin Name           catchall_boolean
Host Name             adam.local.net
Platform              Linux adam.local.net 2.6.35-0.41.rc5.git1.fc14.x86_64 #1 SMP Fri Jul 16 21:29:45 UTC 2010 x86_64 x86_64
Alert Count           2
First Seen            Wed 21 Jul 2010 05:29:56 PM PDT
Last Seen             Wed 21 Jul 2010 05:30:36 PM PDT
Local ID              92367b73-a447-4950-beb6-dde4fab1fe2d
Line Numbers

Raw Audit Messages

node=adam.local.net type=AVC msg=audit(1279758636.896:3549): avc: denied { execmem } for pid=19998 comm="dosbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=adam.local.net type=SYSCALL msg=audit(1279758636.896:3549): arch=c000003e syscall=10 success=yes exit=0 a0=7f2e550fa000 a1=803000 a2=7 a3=22 items=0 ppid=3188 pid=19998 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm="dosbox" exe="/usr/bin/dosbox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
DOSBox dumps the message "Setting excute permission on the code cache has failed" to the console. I can provide the dosbox backtrace if it'd help with anything, too. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
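A small parser for the two raw audit records in the report above, added here as an example and not part of the bug report, of dosbox, or of selinux-policy: it joins the AVC record to its SYSCALL record by audit serial, decodes the mprotect protection bits that explain the execmem denial, and recommends the per-binary execmem_exec_t label suggested later in this thread rather than the system-wide boolean. The x86_64 syscall numbers and PROT_* bits are the standard kernel values; the sample log is constructed from the report.

```python
import re

# Constructed sample: the two records quoted in the report above, one per line as in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
node=adam.local.net type=AVC msg=audit(1279758636.896:3549): avc: denied { execmem } for pid=19998 comm="dosbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
node=adam.local.net type=SYSCALL msg=audit(1279758636.896:3549): arch=c000003e syscall=10 success=yes exit=0 a0=7f2e550fa000 a1=803000 a2=7 a3=22 items=0 ppid=3188 pid=19998 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm="dosbox" exe="/usr/bin/dosbox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

REC_RE = re.compile(r"type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}        # arch=c000003e is x86_64
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse_records(text):
    """Group records by audit serial so an AVC joins the SYSCALL that caused it."""
    events = {}
    for line in text.splitlines():
        m = REC_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
            events.setdefault(m.group("serial"), {})[m.group("type")] = (m.group("body"), fields)
    return events

def classify_execmem_denials(text):
    """One finding per execmem/execstack denial on a process, with the syscall decoded."""
    findings = []
    for serial, recs in parse_records(text).items():
        if "AVC" not in recs:
            continue
        body, fields = recs["AVC"]
        m = AVC_RE.search(body)
        hit = set(m.group("perms").split()) & {"execmem", "execstack"} if m else set()
        if not hit or fields.get("tclass") != "process":
            continue
        f = {"serial": serial, "perms": sorted(hit), "comm": fields.get("comm"), "scontext": fields.get("scontext")}
        if "SYSCALL" in recs:
            sc = recs["SYSCALL"][1]
            f["exe"] = sc.get("exe")
            if sc.get("arch") == "c000003e":
                f["syscall"] = X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
            prot = int(sc.get("a2", "0"), 16)            # third argument of mmap/mprotect
            f["prot"] = [n for b, n in PROT_BITS.items() if prot & b]
            f["enforced"] = sc.get("success") != "yes"    # success=yes on a denial => permissive mode
        # The thread's narrow fix: label the one binary instead of flipping a system-wide boolean.
        f["fix"] = ("chcon -t execmem_exec_t " + (f.get("exe") or "<exe>")
                    if "execmem" in hit else "review the allow_execstack boolean")
        findings.append(f)
    return findings
```

For the report's records this yields a single finding: dosbox asked mprotect for PROT_READ|PROT_WRITE|PROT_EXEC on an unconfined_t process, the call succeeded because the box was permissive, and the suggested fix is the execmem_exec_t label on /usr/bin/dosbox.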
chcon -t execmem_exec_t /usr/bin/dosbox

Should fix. What does dosbox do?
It's a DOS emulator, rather like DOSEmu. Almost a single-purpose virtual machine, really. It's used to run old DOS software, and games. Running Doom in it would be a pretty typical usage. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
Kind of what I thought. Miroslav the execmem_exec_t labeling is required.
Fixed in selinux-policy-3.7.19-41.fc13
did you fix this in rawhide too? I didn't file it against rawhide by accident =) -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
We fix it in all distributions that we support. F13, F14, RHEL6.
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
issue is back
just to add this issue happens when the dosbox display output on its config is opengl / openglnb