Bug 710768 - Gimp's help browser needs execmem
Summary: Gimp's help browser needs execmem
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-06-04 16:57 UTC by Göran Uddeborg
Modified: 2011-10-11 10:18 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-07 14:21:57 UTC
Type: ---



Description Göran Uddeborg 2011-06-04 16:57:31 UTC
When using the help function in gimp, a window flashes briefly but disappears,
and the message
  /usr/lib64/gimp/2.0/plug-ins/help-browser: fatal error: Segmenteringsfel
is written on the console.

I previously reported this problem in bug 668162, and that was closed with updates to F13.  I'm not sure if it ever was fixed for F14, but it seems to have reappeared in F15.

The fix I believe was to set the default context for /usr/lib(64)?/gimp/2\.0/plug-ins/help-browser to execmem_exec_t.  But doing

semanage fcontext -l | grep /gimp/

only returns

/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  all files  system_u:object_r:bin_t:s0 

So that particular fix does at least not seem to be part of F15.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.16-24.fc15.noarch

Comment 1 Miroslav Grepl 2011-06-06 10:06:59 UTC
so 

# chcon -t execmem_exec_t /usr/lib64/gimp/2.0/plug-ins/help-browser

works for you?

Comment 2 Göran Uddeborg 2011-06-06 14:59:11 UTC
Yes it does.  It is something like that I thought would be in the default file contexts.

Comment 3 Göran Uddeborg 2011-10-07 18:52:21 UTC
In which version of selinux-policy is this fixed?  Only for F15, and not F16?  If so, do you want me to open a separate case to have it fixed in F16 too?

I tried on my F16 machine, and it is still the same crash as before.

Packages:
selinux-policy-targeted-3.10.0-38.fc16.noarch
gimp-help-browser-2.6.11-22.fc16.x86_64

The AVC alert:
type=SYSCALL msg=audit(1318013321.421:1825): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=80000000 a2=7 a3=22 items=0 ppid=26164 pid=26354 auid=503 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=pts0 ses=262 comm="help-browser" exe="/usr/lib64/gimp/2.0/plug-ins/help-browser" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318013321.421:1825): avc:  denied  { execmem } for  pid=26354 comm="help-browser" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Comment 4 Miroslav Grepl 2011-10-10 10:46:18 UTC
Yep, you are right. This is not fixed in F16. Could you open a new bug for F16? Thank you.

Comment 5 Göran Uddeborg 2011-10-11 10:17:32 UTC
I've opened bug 710768 for the same problem in F16.

Comment 6 Göran Uddeborg 2011-10-11 10:18:26 UTC
Sorry, copied the wrong number!  I mean I've opened 745057.
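
The audit records quoted in comment 3 can be decoded to show exactly what the help browser asked the kernel for. The following is an added example, not part of the bug report or of the selinux-policy project: it pairs the SYSCALL and AVC records by audit event ID and decodes the mmap arguments. The function names are hypothetical, the sample is the comment 3 log trimmed to the fields used, and the syscall number and flag values assume Linux x86_64.

```python
import re

# Sample input: the two audit records from comment 3, trimmed to the fields used here.
SAMPLE = """\
type=SYSCALL msg=audit(1318013321.421:1825): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=80000000 a2=7 a3=22 pid=26354 comm="help-browser" exe="/usr/lib64/gimp/2.0/plug-ins/help-browser"
type=AVC msg=audit(1318013321.421:1825): avc:  denied  { execmem } for  pid=26354 comm="help-browser" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

# Linux x86_64 (audit arch=c000003e): syscall 9 is mmap(addr, len, prot, flags, ...).
X86_64_MMAP = ("c000003e", "9")
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

def flag_names(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_record(line):
    """Split one audit line into (record type, event id, key/value fields)."""
    m = re.match(r"type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)", line)
    if not m:
        return None
    rtype, event_id, rest = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    perms = re.search(r"denied\s+\{([^}]*)\}", rest)
    fields["perms"] = perms.group(1).split() if perms else []
    return rtype, event_id, fields

def execmem_denials(log_text):
    """Find execmem AVC denials and attach the decoded mmap call from the same event."""
    events = {}
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, event_id, fields = parsed
            events.setdefault(event_id, {})[rtype] = fields
    findings = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "execmem" not in avc["perms"]:
            continue
        finding = {"event": event_id, "domain": avc["scontext"].split(":")[2]}
        if sc and (sc.get("arch"), sc.get("syscall")) == X86_64_MMAP:
            # The audit subsystem logs a0..a3 as hexadecimal.
            finding.update(exe=sc["exe"], length=int(sc["a1"], 16),
                           prot=flag_names(int(sc["a2"], 16), PROT),
                           map_flags=flag_names(int(sc["a3"], 16), MAP))
        findings.append(finding)
    return findings
```

For the comment 3 records, `execmem_denials(SAMPLE)` reports a private anonymous mapping requested as readable, writable and executable at once by a process in `unconfined_t`. That combination is what SELinux gates behind the `execmem` permission, and the denial matches the `exit=-13` in the SYSCALL record.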

