GNOME Bugzilla – Bug 521109
SELinux is preventing epiphany from making the program stack executable.
Last modified: 2012-10-08 01:58:38 UTC
Please describe the problem: (originally filed into the Red Hat bugzilla as bug https://bugzilla.redhat.com/show_bug.cgi?id=297171) Summary SELinux is preventing epiphany from making the program stack executable. Detailed Description The epiphany application attempted to make the its stack executable. This is a potential security problem. This should never ever be necessary. stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. If epiphany does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flack back on with execstac -s LIBRARY_PATH. Otherwise, if you trust epiphany to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t epiphany" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t epiphany" The following command will allow this access: chcon -t unconfined_execmem_exec_t epiphany Additional Information Source Context system_u:system_r:unconfined_t Target Context system_u:system_r:unconfined_t Target Objects None [ process ] Affected RPM Packages Policy RPM selinux-policy-3.0.7-10.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.allow_execstack Host Name <redacted> Platform Linux <redacted> 2.6.23-0.164.rc5.fc8 #1 SMP Tue Sep 4 19:20:43 EDT 2007 i686 athlon Alert Count 31 First Seen Mon 17 Sep 2007 12:40:21 AM EDT Last Seen Wed 19 Sep 2007 08:08:47 PM EDT Local ID 49761f9d-d7b4-4d33-996a-94fdd15da8bf Line Numbers Raw Audit Messages avc: denied { execstack } for comm=epiphany pid=32488 scontext=system_u:system_r:unconfined_t:s0 tclass=process tcontext=system_u:system_r:unconfined_t:s0 Version-Release number of selected component (if applicable): epiphany-2.20.0-1.fc8 ------ Reporter has had 31 of these same errors happen within about a five minute window. Epiphany seems to work just fine even with the denial, so I'd say the behavior is erroneous. Steps to reproduce: 1. 2. 3. Actual results: This is the output of the setroubleshootd reporting application Expected results: nothing Does this happen every time? yes for the reporter Other information:
Asked reporter for reproduction. If the bug is unreproducible with the current version of epiphany, I will close this bug as well.