Bug 160331 - update to selinux-policy-targeted breaks 3rd party apps (like wine + Lotus Notes, IBM db2, etc)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-14 14:55 UTC by James Hunt
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.2-4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-21 19:16:10 UTC



Description James Hunt 2005-06-14 14:55:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The update to selinux-policy-targeted-1.17.30-3.2 that I received on June 10, 2005 has broken Wine / Lotus Notes. Here are the log messages I get when I attempt to start Notes:

audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

This worked with selinux-policy-targeted-1.17.30-2.96.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2 

How reproducible:
Always

Steps to Reproduce:
1. start notes under wine
2. watch the splash screen appear and then disappear
3. observe the error in the ring buffer by typing 'dmesg'.
  

Actual Results:  Application (Lotus Notes) did not start, and this message appeared in the ring buffer:

audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

Expected Results:  I expected no error, and for Notes to start, as it did when I was running with
selinux-policy-targeted-1.17.30-2.96.


Additional info:

I have very similar errors ("avc: denied { execmod }") for IBM's DB2 and eclipse (haven't had a chance to check running all the other 3rd party apps I've got installed). Here is a DB2 example:

audit(1118735088.338:0): avc:  denied  { execmod } for  pid=5997 comm=db2dasstm path=/usr/IBM/db2/V8.1/das/function/db2mdfile dev=dm-5 ino=720934 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

I'm not a SELinux guru, but it appears that the major change introduced by selinux-policy-targeted-1.17.30-3.2 was all the boolean stuff:

sdiff /etc/selinux/targeted/booleans /tmp/old/selinux/etc/selinux/targeted/
allow_execmem=1                                               <
allow_execmod=1                                               <
allow_execstack=1                                             <
allow_kerberos=1                                              <
allow_ypbind=1                                                <
dhcpd_disable_trans=0                                         <
httpd_builtin_scripting=0                                     <
httpd_can_network_connect=0                                   <
httpd_disable_trans=0                                         <
httpd_enable_cgi=1                                              httpd_enable_cgi=1
httpd_enable_homedirs=1                                         httpd_enable_homedirs=1
httpd_ssi_exec=1                                                httpd_ssi_exec=1
httpd_tty_comm=0                                              <
httpd_unified=1                                               <
mysqld_disable_trans=0                                        <
named_disable_trans=0                                         <
named_write_master_zones=0                                      named_write_master_zones=0
nscd_disable_trans=0                                          | httpd_unified=1
ntpd_disable_trans=0                                          | httpd_tty_comm=0
portmap_disable_trans=0                                       <
postgresql_disable_trans=0                                    <
snmpd_disable_trans=0                                         <
squid_disable_trans=0                                         <
syslogd_disable_trans=0                                       <
use_nfs_home_dirs=0                                           <
use_samba_home_dirs=0                                         <
use_syslogng=0                                                <
winbind_disable_trans=0                                       <
ypbind_disable_trans=0                                        <

I tried to change allow_execmod to "0", but got my fingers singed as I couldn't even run '/bin/clear' after that!! The "fix" for me was to run system-config-securitylevel, select the "SELinux" tab, and then uncheck "Enforcing Current" box, which I believe (a complete guess, due to lack of documentation) puts the system in "permissive" mode.

Please consider reverting these changes as they appear to be breaking lots of non-Fedora packaged applications. Maybe some actual documentation would be kind of useful too: try googling on these sets of keywords:

  selinux allow_execmod
  linux allow_execmod
  fc3 allow_execmod

I rest my case...
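As an added example (not part of this bug report and not code from the selinux-policy package), the script below parses the AVC denial lines quoted in this report into fields and applies the reasoning of the thread to each one: an execmod denial against a file from the unconfined_t domain is governed by the allow_execmod boolean, and if that boolean is already on then the loaded policy is missing the rule (the situation reported here) or the library can be given a type that permits text relocations, textrel_shlib_t in the targeted policy of this era. The relabel hint is the editor's addition and depends on the policy actually loaded; the SAMPLE_LOG text is constructed from the messages quoted in this bug, including the records that were wrapped across several lines when pasted into the comments.

```python
"""Parse 2005-era SELinux AVC denial lines (dmesg / syslog format) and triage
execmod denials the way this bug report reasons about them.

Editor's example; constructed sample input, not code from the original report."""
import re
from collections import Counter

# audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ... tclass=file
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<verdict>denied|granted)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s*"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed from the AVC messages quoted on this page (one per third-party app).
SAMPLE_LOG = """\
audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Jun 14 16:12:20 localhost kernel: audit(1118761940.276:0): avc:  denied  {
execmod } for pid=5447 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so
dev=hda9 ino=827502 scontext=root:system_r:unconfined_t
tcontext=root:object_r:usr_t tclass=file
kernel: audit(1120039055.765:0): avc:  denied  { execmod } for  pid=19648
comm=install.sfx.196 path=/lib64/tls/libc-2.3.5.so dev=dm-0 ino=24281097
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
"""


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record.
    A syslog prefix ('Jun 14 16:12:20 localhost kernel: ') before 'audit(' is tolerated."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Split user:role:type contexts so the triage can look at the type alone.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def iter_avc_records(text):
    """Yield parsed records, re-joining records that a terminal or mailer wrapped
    across several lines; 'tclass=' is the last field of a record."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf = f"{buf} {line}" if buf else line
        if "tclass=" in buf:
            rec = parse_avc(buf)
            buf = ""
            if rec:
                yield rec


def triage(rec):
    """One-line verdict following the reasoning in this bug thread."""
    if rec["verdict"] != "denied":
        return "not a denial"
    perms = set(rec["perms"])
    path = rec.get("path", "?")
    if "execmod" in perms and rec.get("tclass") == "file":
        if rec.get("scontext_type") == "unconfined_t":
            return (
                f"execmod on {path} (type {rec.get('tcontext_type')}) from unconfined_t: "
                "check the allow_execmod boolean (getsebool allow_execmod); if it is "
                "already on, the loaded policy lacks the rule, or relabel the library: "
                f"chcon -t textrel_shlib_t {path}"
            )
        return (
            f"execmod on {path} from confined domain {rec.get('scontext_type')}: "
            "needs a policy change for that domain, not the allow_execmod boolean"
        )
    return f"{' '.join(sorted(perms))} on {rec.get('tclass')}: not an execmod case"


def execmod_paths(text):
    """Count execmod denials per file path, to see which libraries are affected."""
    return Counter(
        r.get("path") for r in iter_avc_records(text) if "execmod" in r["perms"]
    )


if __name__ == "__main__":
    for rec in iter_avc_records(SAMPLE_LOG):
        print(f"{rec['comm']:16} {triage(rec)}")
    print(execmod_paths(SAMPLE_LOG))
```

Feed it `dmesg` output or `/var/log/messages` via `iter_avc_records(open(path).read())`; the per-path counter tells you which libraries to relabel or which policy rule is missing before you reach for setenforce 0.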

Comment 1 Jose Pedro Oliveira 2005-06-14 16:12:46 UTC
Related ticket

* selinux-policy-targeted 1.17.30-3.2 breaks Adobe AcroRead 7.0.0-2
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160106


Comment 2 Jose Pedro Oliveira 2005-06-14 16:14:17 UTC
Also breaks the cisco vpnclient package:

Jun 14 16:12:20 localhost kernel: audit(1118761940.276:0): avc:  denied  {
execmod } for pid=5447 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so
dev=hda9 ino=827502 scontext=root:system_r:unconfined_t
tcontext=root:object_r:usr_t tclass=file


Comment 3 Daniel Walsh 2005-06-15 18:54:13 UTC
fixed in selinux-policy-targeted 1.17.30-3.9

Comment 4 James Hunt 2005-06-17 09:35:23 UTC
Daniel,

Unfortunately, it is not fixed in 1.17.30-3.9; I get exactly the same errors,
and have had to revert to permissive mode again.

Regards,

James.


Comment 5 Daniel Walsh 2005-06-17 10:41:06 UTC
James, Do you have allow_execmod set?

setsebool -P allow_execmod=1

Dan

Comment 6 James Hunt 2005-06-17 12:29:39 UTC
Hi Dan,

I believe so...

cat /selinux/booleans/allow_execmod
1 1

Here's the output of "sestatus -v":

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connect inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zones inactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_trans inactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
use_syslogng            inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          user_u:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t


Here's one of the many errors I get in dmesg when I attempt to start Notes under
Wine:

audit(1119011237.629:0): avc:  denied  { execmod } for  pid=26379
comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll
dev=dm-5 ino=672253 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:usr_t tclass=file

Comment 7 Doug Maxey 2005-06-28 20:43:24 UTC
(In reply to comment #3)
> fixed in selinux-policy-targeted 1.17.30-3.9

Works For Me (tm) with crossover office 4.2. 

Comment 8 Joachim Selke 2005-06-29 10:00:13 UTC
I now have a problem with the current Java SDK from Sun. With
selinux-policy-targeted-1.17.30-3.9 everything was working fine. But then I
updated to 1.17.30-3.13 and get errors when executing java or javac.

Even the Java installer doesn't work. When executing
jdk-1_5_0_04-linux-amd64.bin (the installer's binary) I get the following error:

./install.sfx.19637: error while loading shared libraries: /lib64/tls/libc.so.6:
cannot apply additional memory protection after relocation: Permission denied


/var/log/messages says:

kernel: audit(1120039055.765:0): avc:  denied  { execmod } for  pid=19648
comm=install.sfx.196 path=/lib64/tls/libc-2.3.5.so dev=dm-0 ino=24281097
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file


The output of "sestatus -v" is:

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connect inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zones inactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_trans inactive
read_default_t          active
snmpd_disable_trans     inactive
squid_connect_any       inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          root:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Comment 9 Joachim Selke 2005-06-29 16:45:40 UTC
Addition to comment #8:

If I set "setenforce 0" everything is working as expected, but I think this is a
workaround and not a solution.

Comment 10 James Hunt 2005-07-21 09:48:32 UTC
Sorry - forgot to update bug. I'm now running with
selinux-policy-targeted-1.25.2-4, and it is also fixed for me; I'm now running
back in enforcing mode.

