Linux - Desktop This forum is for the discussion of all Linux Software used in a desktop context. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
03-17-2008, 01:53 PM
|
#1
|
Member
Registered: Jul 2007
Location: Kolkata, India
Distribution: Fedora 9
Posts: 85
Rep:
|
SELinux error message when working in OpenOffice Writer
Hi everybody,
Today I got an error message in my Fedora installation while working on OpenOffice.. I don't know what it means because I'm not that much knowledgeable person.
I was working in OpenOffice Writer. Before start writing, I wanted to use the wizard from 'File' menu. I choose 'Letter' from the sub-menu. As soon as I clicked the sub-menu, I got an SELinux error message.
Here's the trimmed version of the message:
Summary: SELinux is preventing swriter.bin from changing the access protection of memory on the heap.
Detailed Description: The swriter.bin application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If swriter.bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.
I really don't know much about this message. Should I file a bug-report as per the suggestion from SELinux? Or is it something else?
|
|
|
03-17-2008, 02:05 PM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by arijit_2404
Here's the trimmed version of the message
|
If you're unsure *always* post unabbreviated messages as it makes it easier for us to help you. Besides the workaround was noted at the end of the message, running "setsebool -P allow_execheap=1".
Quote:
Originally Posted by arijit_2404
Should I file a bug-report as per the suggestion from SELinux?
|
Yes, please do. The more people do the more chance we have things will be changed.
|
|
|
03-17-2008, 03:28 PM
|
#3
|
Member
Registered: Jul 2007
Location: Kolkata, India
Distribution: Fedora 9
Posts: 85
Original Poster
Rep:
|
Ok, here's full message:
Quote:
Summary:
SELinux is preventing swriter.bin from changing the access protection of memory on the heap.
Detailed Description:
The swriter.bin application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If swriter.bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.
Allowing Access:
If you want swriter.bin to continue, you must turn on the allow_execheap boolean.
Note: This boolean will affect all applications on the system. The following command will allow this access:setsebool -P allow_execheap=1
Additional Information:
Source Context: unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
Target Context: unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
Target Objects: None [ process ]
Source: swriter.binSource
Path: /usr/lib/openoffice.org/program/swriter.binPort: <Unknown>
Host: lenovo
Source RPM Packages: openoffice.org-writer-2.3.0-6.11.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-87.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: allow_execheap
Host Name: lenovo
Platform: Linux lenovo 2.6.24.3-12.fc8 #1 SMP Tue Feb 26 14:58:29 EST 2008 i686 i686
Alert Count: 825
First Seen: Mon 17 Mar 2008 11:02:35 PM IST
Last Seen: Mon 17 Mar 2008 11:03:29 PM IST
Local ID: 3c88f649-5f8a-479e-8b6c-cbfaee49f098
Line Numbers:
Raw Audit Messages :host=lenovo type=AVC msg=audit(1205775209.893:847): avc: denied { execheap } for pid=2863 comm="swriter.bin" scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process host=lenovo type=SYSCALL msg=audit(1205775209.893:847): arch=40000003 syscall=125 success=no exit=-13 a0=8053000 a1=41a000 a2=5 a3=bfa26390 items=0 ppid=2853 pid=2863 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="swriter.bin" exe="/usr/lib/openoffice.org/program/swriter.bin" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
|
My question is, Should I allow this application using suggested way?
And please let me know how and where can I file my bug-report.
I would like to help the community and do my part of the work.
thanks for the help.
|
|
|
03-17-2008, 06:52 PM
|
#4
|
LQ Guru
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298
Rep:
|
According to this site, one possible solution is to enter the commands below in the program directory of your OOo installation
Code:
chcon -t textrel_shlib_t libvclplug_gen680li.so.1.1
Other possible solutions are listed here.
Last edited by reddazz; 03-17-2008 at 06:53 PM.
|
|
|
03-17-2008, 08:00 PM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by arijit_2404
My question is, Should I allow this application using suggested way?
|
Flipping this boolean affects the *whole* unconfined system, IIGC. I'd say if you don't need it don't enable it. You could locate "soffice" (as it is a shell script that drives soffice.bin) and patch it with this diff:
Code:
--- /usr/local/openoffice.org2.3/program/soffice 2007-11-13 16:59:39.000000000 +0100
+++ /usr/local/openoffice.org2.3/program/soffice 2007-11-13 16:00:40.000000000 +0100
@@ -244,7 +244,10 @@
fi
export PATH
-
+# SELinux "execheap" errors workaround: on
+# Since execheap should be off by default just toggle it.
+# Requires /etc/sudoers entry for user with "NOPASSWD: /usr/sbin/togglesebool allow_execheap"
+sudo /usr/sbin/togglesebool allow_execheap
# execute soffice binary
"$sd_prog/$sd_binary" "$@" &
trap 'kill -9 $!' TERM
@@ -255,5 +258,7 @@
"$sd_prog/$sd_binary" ""$BOOTSTRAPVARS"" &
wait $!
done
+# SELinux "execheap" errors workaround: off
+sudo /usr/sbin/togglesebool allow_execheap
exit
..this should enable it while running and disable it when done. Needs a /etc/sudoers entry though to work for non-root users since the *sebool binaries aren't sposed to be run by users other than root.
Quote:
Originally Posted by arijit_2404
And please let me know how and where can I file my bug-report.
|
I'd add it to Fedora's bugtracker. If it's not theirs to fix they'll notify upstream (or so I'd hope).
Quote:
Originally Posted by reddazz
chcon -t textrel_shlib_t libvclplug_gen680li.so.1.1
|
I only see a heap problem? I don't see any execmod problems requiring a text relocation exception in his OP or FUP?
|
|
|
03-17-2008, 10:57 PM
|
#6
|
Member
Registered: Jul 2007
Location: Kolkata, India
Distribution: Fedora 9
Posts: 85
Original Poster
Rep:
|
Sorry for late reply (it was night here in India).
I have successfully patched the file. After that I've worked in OpenOffice, and yet to receive any SELinux error. But I would like to see more.
Thanks guys.
This community is really helpful.
|
|
|
03-18-2008, 06:58 AM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by arijit_2404
But I would like to see more.
|
Cool to see it works. But what do you mean by "more"? More errors? Wasn't one enough? :-]
|
|
|
03-18-2008, 07:07 AM
|
#8
|
Member
Registered: Jul 2007
Location: Kolkata, India
Distribution: Fedora 9
Posts: 85
Original Poster
Rep:
|
I meant to say that I would like to work more extensively to see if everything is alright.
Also if I found more errors then I can report back, so that bugs can be fixed. Just want to help community. [:-)]
|
|
|
03-18-2008, 07:44 AM
|
#9
|
Moderator
Registered: May 2001
Posts: 29,415
|
Ah, OK, I see.
If you report bugs please check if they are already ticketed.
|
|
|
All times are GMT -5. The time now is 06:54 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|