
Bug 455782

Summary: vbetool fails to mmap /var/run/video.rom on resume
Product: [Fedora] Fedora
Reporter: Matthew Garrett <mjg>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: jfeeney, rvokal
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:05:09 UTC

Description Matthew Garrett 2008-07-17 18:16:45 UTC
vbetool needs to be able to mmap /var/run/video.rom as executable on resume -
it's running as root but executed by hal at the time. The following trace is
running it directly as root, as I'm having trouble getting a trace with it on
resume due to the machine hanging immediately afterwards if it doesn't succeed
in running...

Summary:

SELinux is preventing vbetool from changing a writable memory segment
executable.

Detailed Description:

The vbetool application attempted to change the access protection of memory
(e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If vbetool does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust vbetool to run correctly, you can change the context of the
executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/sbin/vbetool'". You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/sbin/vbetool'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/sbin/vbetool'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        vbetool
Source Path                   /usr/sbin/vbetool
Port                          <Unknown>
Host                          2510p
Source RPM Packages           vbetool-1.1-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.4.2-14.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     2510p
Platform                      Linux 2510p 2.6.26-138.fc10.x86_64 #1 SMP Mon Jul
                              14 14:20:48 EDT 2008 x86_64 x86_64
Alert Count                   7
First Seen                    Tue Jul 15 13:38:02 2008
Last Seen                     Thu Jul 17 19:05:55 2008
Local ID                      6535366b-d1df-40ec-8710-ca2cf47bf69f
Line Numbers                  

Raw Audit Messages            

host=2510p type=AVC msg=audit(1216317955.156:87): avc:  denied  { execmem } for
 pid=5512 comm="vbetool"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=2510p type=SYSCALL msg=audit(1216317955.156:87): arch=c000003e syscall=9
success=no exit=-13 a0=c0000 a1=10000 a2=7 a3=12 items=0 ppid=5236 pid=5512
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=3
comm="vbetool" exe="/usr/sbin/vbetool"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
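
Added example (not part of the original report or of any Fedora tooling): decoding the SYSCALL record above to see which mmap arguments produced the execmem denial. The field values are copied from the two records in the report; the constants are the x86_64 Linux values, and `needs_execmem` is an assumed, simplified statement of when SELinux applies the execmem check.

```python
import errno
import re

# Constructed input: the two raw audit records from the report, unwrapped.
AVC = ('host=2510p type=AVC msg=audit(1216317955.156:87): avc:  denied  '
       '{ execmem } for pid=5512 comm="vbetool" '
       'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=process')
SYSCALL = ('host=2510p type=SYSCALL msg=audit(1216317955.156:87): '
           'arch=c000003e syscall=9 success=no exit=-13 a0=c0000 a1=10000 '
           'a2=7 a3=12 items=0 ppid=5236 pid=5512 auid=0 uid=0 gid=0 euid=0 '
           'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=3 '
           'comm="vbetool" exe="/usr/sbin/vbetool" '
           'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
           'key=(null)')

# x86_64 Linux constants (arch=c000003e); syscall 9 is mmap on that ABI.
PROT = {0x1: 'PROT_READ', 0x2: 'PROT_WRITE', 0x4: 'PROT_EXEC'}
FLAGS = {0x01: 'MAP_SHARED', 0x02: 'MAP_PRIVATE', 0x10: 'MAP_FIXED',
         0x20: 'MAP_ANONYMOUS'}

def fields(record):
    """Return the key=value pairs of an audit record plus its event id."""
    out = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    out['event'] = re.search(r'audit\(([\d.]+:\d+)\)', record).group(1)
    return out

def names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def decode_mmap(record):
    f = fields(record)
    if (f['arch'], f['syscall']) != ('c000003e', '9'):
        raise ValueError('not an x86_64 mmap record')
    addr, length, prot, flags = (int(f[k], 16) for k in ('a0', 'a1', 'a2', 'a3'))
    return {'event': f['event'], 'addr': addr, 'length': length,
            'prot': names(prot, PROT), 'flags': names(flags, FLAGS),
            'error': errno.errorcode.get(-int(f['exit']))}

def needs_execmem(prot, flags):
    """Assumed rule: executable and (anonymous, or private and writable)."""
    private_writable = 'MAP_SHARED' not in flags and 'PROT_WRITE' in prot
    return 'PROT_EXEC' in prot and ('MAP_ANONYMOUS' in flags or private_writable)

def explain(avc, syscall):
    """True when both records are one event and the mmap needs execmem."""
    m = decode_mmap(syscall)
    return fields(avc)['event'] == m['event'] and needs_execmem(m['prot'], m['flags'])
```

The record carries only a0 to a3, so the file descriptor is not visible; the absence of MAP_ANONYMOUS in a3 is what indicates a file-backed mapping, consistent with the /var/run/video.rom mapping the reporter describes.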

Comment 1 Daniel Walsh 2008-07-17 18:43:09 UTC
Fixed in selinux-policy-3.5.1-1.fc10

Comment 2 Matthew Garrett 2008-08-16 14:05:40 UTC
Seems broken in selinux-policy-3.5.1-4.fc10 - I'm seeing the same failure on a fresh rawhide install.

Comment 3 Daniel Walsh 2008-08-18 11:49:35 UTC
So hal is trying to run vbetool and is failing.  Did you get any avc messages related to hal?

Comment 4 Matthew Garrett 2008-08-18 12:10:42 UTC
Unfortunately not - the system hangs hard immediately afterwards as it switches back to X.

Comment 5 Daniel Walsh 2008-08-28 20:23:06 UTC
Fixed in selinux-policy-3.5.5-4.fc10

Comment 6 Daniel Walsh 2008-11-17 22:05:09 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.