Summary: SELinux is preventing /usr/lib64/maxima/5.22.1/binary-gcl/maxima from changing the access protection of memory on the heap. Detailed Description: The maxima application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to remove this requirement. If maxima does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package. Allowing Access: If you want maxima to continue, you must turn on the allow_execheap boolean. Note: This boolean will affect all applications on the system. Fix Command: setsebool -P allow_execheap=1 Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects None [ process ] Source maxima Source Path /usr/lib64/maxima/5.22.1/binary-gcl/maxima Port <Unknown> Host (removed) Source RPM Packages maxima-runtime-gcl-5.22.1-5.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-69.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name allow_execheap Host Name (removed) Platform Linux (removed) 2.6.34.7-61.fc13.x86_64 #1 SMP Tue Oct 19 04:06:30 UTC 2010 x86_64 x86_64 Alert Count 3 First Seen Fri 05 Nov 2010 11:41:12 AM CDT Last Seen Fri 05 Nov 2010 11:43:17 AM CDT Local ID bb9210cc-ff7e-4105-a03d-eef2e87baab7 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1288975397.737:23588): avc: denied { execheap } for pid=7229 comm="maxima" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=(removed) type=SYSCALL msg=audit(1288975397.737:23588): arch=c000003e syscall=10 per=40000 success=no exit=-13 a0=3674000 a1=8f5a000 a2=7 a3=7fffffffd840 items=0 ppid=2179 pid=7229 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="maxima" exe="/usr/lib64/maxima/5.22.1/binary-gcl/maxima" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash String generated from allow_execheap,maxima,unconfined_t,unconfined_t,process,execheap audit2allow suggests: #============= unconfined_t ============== #!!!! This avc can be allowed using the boolean 'allow_execheap' allow unconfined_t self:process execheap;
Hrm, tried installing gcl-selinux which is supposed to contain policy to correct this, but it doesn't seem to help. ??
Fwiw, original bug about this was awhile back in bug #496124
It would appear the policy needs apply to /usr/lib/maxima/[^/]+/binary-gcl/maxima /usr/lib64/maxima/[^/]+/binary-gcl/maxima not just /usr/lib/maxima/[^/]+/binary-gcl /usr/lib64/maxima/[^/]+/binary-gcl which is a directory (unless these policies can be made to be recursive?). Though, after making that change, I encounter this, /usr/sbin/semodule -i /usr/share/selinux/packages/gcl/gcl.pp /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib/maxima/[^/]+/binary-gcl/maxima (system_u:object_r:gcl_exec_t:s0 and system_u:object_r:textrel_shlib_t:s0). /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib64/maxima/[^/]+/binary-gcl/maxima (system_u:object_r:gcl_exec_t:s0 and system_u:object_r:textrel_shlib_t:s0). /etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
We have those defined as textrel_shlib_t, should I remove.
Yes, those need to be gcl_exec_t. With respect to comment 3, my understanding is that I'm specifying a regular expression, so the existing regexps: /usr/lib/maxima/[^/]+/binary-gcl /usr/lib64/maxima/[^/]+/binary-gcl DO match these already: /usr/lib/maxima/[^/]+/binary-gcl/maxima /usr/lib64/maxima/[^/]+/binary-gcl/maxima Is that correct? If so, I should probably just combine those into one rule: /usr/lib(64)?/maxima/[^/]+/binary-gcl
/usr/lib(64)?/maxima/[^/]+/binary-gcl Will not match an executable that ends with maxima.
Miroslav, remove the maxima lines from our policy. /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
Ok, removed.
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Oops, sorry Rex. I let this fall off my radar. I've got the trivial fix to the SELinux policy and a few more fixes checked into git and a build is on the way once the builders are back online.
gcl-2.6.8-0.8.20110516cvs.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/gcl-2.6.8-0.8.20110516cvs.fc15
gcl-2.6.8-0.8.20110516cvs.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/gcl-2.6.8-0.8.20110516cvs.fc14
Package gcl-2.6.8-0.8.20110516cvs.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing gcl-2.6.8-0.8.20110516cvs.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/gcl-2.6.8-0.8.20110516cvs.fc15 then log in and leave karma (feedback).
gcl-2.6.8-0.8.20110516cvs.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
gcl-2.6.8-0.8.20110516cvs.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.