LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Desktop (https://www.linuxquestions.org/questions/linux-desktop-74/)
-   -   SELinux error message when working in OpenOffice Writer (https://www.linuxquestions.org/questions/linux-desktop-74/selinux-error-message-when-working-in-openoffice-writer-628721/)

arijit_2404 03-17-2008 12:53 PM
SELinux error message when working in OpenOffice Writer
 
Hi everybody,
Today I got an error message in my Fedora installation while working on OpenOffice.. I don't know what it means because I'm not that much knowledgeable person.

I was working in OpenOffice Writer. Before start writing, I wanted to use the wizard from 'File' menu. I choose 'Letter' from the sub-menu. As soon as I clicked the sub-menu, I got an SELinux error message.

Here's the trimmed version of the message:

Summary: SELinux is preventing swriter.bin from changing the access protection of memory on the heap.

Detailed Description: The swriter.bin application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If swriter.bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.
I really don't know much about this message. Should I file a bug-report as per the suggestion from SELinux? Or is it something else?

unSpawn 03-17-2008 01:05 PM
Quote:
Originally Posted by arijit_2404 (Post 3091670)
Here's the trimmed version of the message
If you're unsure *always* post unabbreviated messages as it makes it easier for us to help you. Besides the workaround was noted at the end of the message, running "setsebool -P allow_execheap=1".


Quote:
Originally Posted by arijit_2404 (Post 3091670)
Should I file a bug-report as per the suggestion from SELinux?
Yes, please do. The more people do the more chance we have things will be changed.

arijit_2404 03-17-2008 02:28 PM
Ok, here's full message:
Quote:
Summary:
SELinux is preventing swriter.bin from changing the access protection of memory on the heap.

Detailed Description:
The swriter.bin application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If swriter.bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

Allowing Access:
If you want swriter.bin to continue, you must turn on the allow_execheap boolean.
Note: This boolean will affect all applications on the system. The following command will allow this access:setsebool -P allow_execheap=1

Additional Information:
Source Context: unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
Target Context: unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
Target Objects: None [ process ]
Source: swriter.binSource
Path: /usr/lib/openoffice.org/program/swriter.binPort: <Unknown>
Host: lenovo
Source RPM Packages: openoffice.org-writer-2.3.0-6.11.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-87.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: allow_execheap
Host Name: lenovo
Platform: Linux lenovo 2.6.24.3-12.fc8 #1 SMP Tue Feb 26 14:58:29 EST 2008 i686 i686
Alert Count: 825
First Seen: Mon 17 Mar 2008 11:02:35 PM IST
Last Seen: Mon 17 Mar 2008 11:03:29 PM IST
Local ID: 3c88f649-5f8a-479e-8b6c-cbfaee49f098
Line Numbers:
Raw Audit Messages :host=lenovo type=AVC msg=audit(1205775209.893:847): avc: denied { execheap } for pid=2863 comm="swriter.bin" scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process host=lenovo type=SYSCALL msg=audit(1205775209.893:847): arch=40000003 syscall=125 success=no exit=-13 a0=8053000 a1=41a000 a2=5 a3=bfa26390 items=0 ppid=2853 pid=2863 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="swriter.bin" exe="/usr/lib/openoffice.org/program/swriter.bin" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
My question is, Should I allow this application using suggested way?

And please let me know how and where can I file my bug-report.
I would like to help the community and do my part of the work.

thanks for the help.

reddazz 03-17-2008 05:52 PM
According to this site, one possible solution is to enter the commands below in the program directory of your OOo installation
Code:
chcon -t textrel_shlib_t libvclplug_gen680li.so.1.1
Other possible solutions are listed here.

unSpawn 03-17-2008 07:00 PM
Quote:
Originally Posted by arijit_2404 (Post 3091764)
My question is, Should I allow this application using suggested way?
Flipping this boolean affects the *whole* unconfined system, IIGC. I'd say if you don't need it don't enable it. You could locate "soffice" (as it is a shell script that drives soffice.bin) and patch it with this diff:
Code:
--- /usr/local/openoffice.org2.3/program/soffice        2007-11-13 16:59:39.000000000 +0100
+++ /usr/local/openoffice.org2.3/program/soffice        2007-11-13 16:00:40.000000000 +0100
@@ -244,7 +244,10 @@
 fi
 export PATH
 
-
+# SELinux "execheap" errors workaround: on
+# Since execheap should be off by default just toggle it.
+# Requires /etc/sudoers entry for user with "NOPASSWD: /usr/sbin/togglesebool allow_execheap"
+sudo /usr/sbin/togglesebool allow_execheap
 # execute soffice binary
 "$sd_prog/$sd_binary" "$@" &
 trap 'kill -9 $!' TERM
@@ -255,5 +258,7 @@
        "$sd_prog/$sd_binary" ""$BOOTSTRAPVARS"" &
    wait $!
 done
+# SELinux "execheap" errors workaround: off
+sudo /usr/sbin/togglesebool allow_execheap
 
 exit
..this should enable it while running and disable it when done. Needs a /etc/sudoers entry though to work for non-root users since the *sebool binaries aren't sposed to be run by users other than root.


Quote:
Originally Posted by arijit_2404 (Post 3091764)
And please let me know how and where can I file my bug-report.
I'd add it to Fedora's bugtracker. If it's not theirs to fix they'll notify upstream (or so I'd hope).



Quote:
Originally Posted by reddazz (Post 3091953)
chcon -t textrel_shlib_t libvclplug_gen680li.so.1.1
I only see a heap problem? I don't see any execmod problems requiring a text relocation exception in his OP or FUP?

arijit_2404 03-17-2008 09:57 PM
Sorry for late reply (it was night here in India).

I have successfully patched the file. After that I've worked in OpenOffice, and yet to receive any SELinux error. But I would like to see more.
Thanks guys.
This community is really helpful.

unSpawn 03-18-2008 05:58 AM
Quote:
Originally Posted by arijit_2404 (Post 3092138)
But I would like to see more.
Cool to see it works. But what do you mean by "more"? More errors? Wasn't one enough? :-]

arijit_2404 03-18-2008 06:07 AM
I meant to say that I would like to work more extensively to see if everything is alright.
Also if I found more errors then I can report back, so that bugs can be fixed. Just want to help community. [:-)]

unSpawn 03-18-2008 06:44 AM
Ah, OK, I see.

If you report bugs please check if they are already ticketed.


All times are GMT -5. The time now is 06:32 PM.