Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Selinux issues #74

Open
LecrisUT opened this issue Jul 12, 2024 · 0 comments
Open

Selinux issues #74

LecrisUT opened this issue Jul 12, 2024 · 0 comments

Comments

@LecrisUT
Copy link

I'm on Fedora 40 and I get the following selinux errors:

SELinux is preventing zulip from using the execheap access on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think zulip should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that zulip should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zulip' --raw | audit2allow -M my-zulip
# semodule -X 300 -i my-zulip.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        zulip
Source Path                   zulip
Port                          <Unknown>
Host                          cfelm-pcx33660
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cfelm-pcx33660
Platform                      Linux cfelm-pcx33660 6.9.8-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Jul  5 16:20:11 UTC 2024
                              x86_64
Alert Count                   15
First Seen                    2024-07-12 11:32:08 CEST
Last Seen                     2024-07-12 11:34:27 CEST
Local ID                      a8580292-d985-4e54-9e18-fb5cab54c960

Raw Audit Messages
type=AVC msg=audit(1720776867.593:420): avc:  denied  { execheap } for  pid=3195 comm="zulip" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: zulip,unconfined_t,unconfined_t,process,execheap

Any ideas if this is an upstream issue or a flatpak packaging issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant