Bug 647252 – SELinux is preventing /opt/libreoffice3/program/soffice.bin from loading /opt/libreoffice3/basis3.3/program/libooxli.so which requires text relocation.

Bug 647252 - SELinux is preventing /opt/libreoffice3/program/soffice.bin from loading /opt/libreoffice3/basis3.3/program/libooxli.so which requires text relocation.

Summary:	SELinux is preventing /opt/libreoffice3/program/soffice.bin from loading /opt...

Status:	CLOSED CANTFIX

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	libreoffice (Show other bugs)
Sub Component:
Version:	13
Hardware:	i386 Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Caolan McNamara
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:	setroubleshoot_trace_hash:6af80c38a0b...
Keywords:

Duplicates:	647250 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-10-27 13:22 EDT by Justin O'Brien
Modified:	2010-11-03 14:07 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-10-28 10:56:03 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Justin O'Brien 2010-10-27 13:22:57 EDT

Summary:

SELinux is preventing /opt/libreoffice3/program/soffice.bin from loading
/opt/libreoffice3/basis3.3/program/libooxli.so which requires text relocation.

Detailed Description:

The soffice.bin application attempted to load
/opt/libreoffice3/basis3.3/program/libooxli.so which requires text relocation.
This is a potential security problem. Most libraries do not need this
permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/opt/libreoffice3/basis3.3/program/libooxli.so to use relocation as a
workaround, until the library is fixed. Please file a bug report.

Allowing Access:

If you trust /opt/libreoffice3/basis3.3/program/libooxli.so to run correctly,
you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/opt/libreoffice3/basis3.3/program/libooxli.so'" You must also change the
default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t textrel_shlib_t
'/opt/libreoffice3/basis3.3/program/libooxli.so'"

Fix Command:

chcon -t textrel_shlib_t '/opt/libreoffice3/basis3.3/program/libooxli.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /opt/libreoffice3/basis3.3/program/libooxli.so [
                              file ]
Source                        gnome-help
Source Path                   /usr/bin/yelp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libreoffice3-3.3.0-9526
Target RPM Packages           lobasis3.3-core04-3.3.0-9526
Policy RPM                    selinux-policy-3.7.19-65.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.7-61.fc13.i686 #1 SMP Tue
                              Oct 19 04:42:47 UTC 2010 i686 i686
Alert Count                   12
First Seen                    Wed 01 Sep 2010 10:32:10 AM EDT
Last Seen                     Wed 27 Oct 2010 01:10:55 PM EDT
Local ID                      b73df120-ca5b-49db-a940-fb9ce840ea65
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1288199455.234:45): avc:  denied  { execmod } for  pid=4959 comm="soffice.bin" path="/opt/libreoffice3/basis3.3/program/libooxli.so" dev=dm-1 ino=1579075 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1288199455.234:45): arch=40000003 syscall=125 success=no exit=-13 a0=388e000 a1=327000 a2=5 a3=bff5eaf0 items=0 ppid=4950 pid=4959 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="soffice.bin" exe="/opt/libreoffice3/program/soffice.bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execmod,gnome-help,unconfined_t,lib_t,file,execmod
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow unconfined_t lib_t:file execmod;

Comment 1 Daniel Walsh 2010-10-28 09:49:01 EDT

*** Bug 647250 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2010-10-28 10:35:22 EDT

This is a bug in libreoffice, you can turn off the check by executing

# setsebool -P allow_execmod 1

Or do the suggested chmon code.

Comment 3 Caolan McNamara 2010-10-28 10:56:03 EDT

This is not the build of libreoffice provided by Red Hat. Presumably an artifact of the build-tooling used to generate the universal build. Nothing I can do about it. Try filing against freedesktop.org to get through to the builders of the universal set of rpms

Note You need to log in before you can comment on or make changes to this bug.