noreply at rubyforge.org
2009-Dec-16 21:44 UTC
[wxruby-development] [ wxruby-Bugs-27580 ] SELinux stops the command: ruby -e 'require "wx"'
Bugs item #27580, was opened at 2009-12-16 21:44
You can respond by visiting:
http://rubyforge.org/tracker/?func=detail&atid=218&aid=27580&group_id=35

Category: Incorrect behavior
Group: current
Status: Open
Resolution: None
Priority: 3
Submitted By: Poch at Home (rubyforge_p)
Assigned to: Nobody (None)
Summary: SELinux stops the command: ruby -e 'require "wx"'

Initial Comment:

RUBY COMMAND:

$ ruby -e 'require "wx"'
/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wx.rb:12:in `require': /usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so: cannot restore segment prot after reloc: Permission denied - /usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so (LoadError)
        from /usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wx.rb:12:in `<top (required)>'
        from -e:1:in `require'
        from -e:1:in `<main>'

SELINUX WARNING:

Summary:

SELinux is preventing ruby from loading
/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so
which requires text relocation.

Detailed Description:

The ruby application attempted to load
/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so
to use relocation as a workaround, until the library is fixed. Please file a
bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
package.

Allowing Access:

If you trust
/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so
to run correctly, you can change the file context to textrel_shlib_t.
"chcon -t textrel_shlib_t '/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:object_r:lib_t
Target Objects                /usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so [ file ]
Source                        ruby
Source Path                   /usr/local/bin/ruby
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:19:18 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 16 Dec 2009 04:20:19 PM EST
Last Seen                     Wed 16 Dec 2009 04:20:19 PM EST
Local ID                      822...(this info removed)
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1260998419.336:52): avc: denied { execmod } for pid=3312 comm="ruby" path="/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so" dev=hda5 ino=6514789 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1260998419.336:52): arch=40000003 syscall=125 success=no exit=-13 a0=e4f000 a1=888000 a2=5 a3=bf935340 items=0 ppid=2931 pid=3312 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="ruby" exe="/usr/local/bin/ruby" subj=user_u:system_r:unconfined_t:s0 key=(null)

LDD COMMAND: (shown here in case relevant)

$ ldd /usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so
        linux-gate.so.1 => (0x001c2000)
        libwx_gtk2u_stc-2.8.so.0 => /usr/lib/libwx_gtk2u_stc-2.8.so.0 (0x0056d000)
        libwx_gtk2u_gl-2.8.so.0 => /usr/lib/libwx_gtk2u_gl-2.8.so.0 (0x00110000)
        libwx_gtk2u_media-2.8.so.0 => /usr/lib/libwx_gtk2u_media-2.8.so.0 (0x00f6d000)
        libwx_gtk2u_richtext-2.8.so.0 => /usr/lib/libwx_gtk2u_richtext-2.8.so.0 (0x001c3000)
        libwx_gtk2u_aui-2.8.so.0 => /usr/lib/libwx_gtk2u_aui-2.8.so.0 (0x002e2000)
        libwx_gtk2u_xrc-2.8.so.0 => /usr/lib/libwx_gtk2u_xrc-2.8.so.0 (0x0011c000)
        libwx_gtk2u_qa-2.8.so.0 => /usr/lib/libwx_gtk2u_qa-2.8.so.0 (0x002b8000)
        libwx_gtk2u_html-2.8.so.0 => /usr/lib/libwx_gtk2u_html-2.8.so.0 (0x00349000)
        libwx_gtk2u_adv-2.8.so.0 => /usr/lib/libwx_gtk2u_adv-2.8.so.0 (0x003e8000)
        libwx_gtk2u_core-2.8.so.0 => /usr/lib/libwx_gtk2u_core-2.8.so.0 (0x00f7e000)
        libwx_baseu_xml-2.8.so.0 => /usr/lib/libwx_baseu_xml-2.8.so.0 (0x001b4000)
        libwx_baseu_net-2.8.so.0 => /usr/lib/libwx_baseu_net-2.8.so.0 (0x004ac000)
        libwx_baseu-2.8.so.0 => /usr/lib/libwx_baseu-2.8.so.0 (0x08010000)
        librt.so.1 => /lib/librt.so.1 (0x002d8000)
        libdl.so.2 => /lib/libdl.so.2 (0x001be000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x0050a000)
        libgtk-x11-2.0.so.0 => /usr/lib/libgtk-x11-2.0.so.0 (0x03f92000)
        libgdk-x11-2.0.so.0 => /usr/lib/libgdk-x11-2.0.so.0 (0x082b9000)
        libatk-1.0.so.0 => /usr/lib/libatk-1.0.so.0 (0x0053c000)
        libgdk_pixbuf-2.0.so.0 => /usr/lib/libgdk_pixbuf-2.0.so.0 (0x02f05000)
        libpangoxft-1.0.so.0 => /usr/lib/libpangoxft-1.0.so.0 (0x004da000)
        libpangox-1.0.so.0 => /usr/lib/libpangox-1.0.so.0 (0x004e1000)
        libpango-1.0.so.0 => /usr/lib/libpango-1.0.so.0 (0x0324d000)
        libgobject-2.0.so.0 => /lib/libgobject-2.0.so.0 (0x015d0000)
        libgmodule-2.0.so.0 => /lib/libgmodule-2.0.so.0 (0x00558000)
        libgthread-2.0.so.0 => /lib/libgthread-2.0.so.0 (0x0055b000)
        libglib-2.0.so.0 => /lib/libglib-2.0.so.0 (0x0180a000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x019d8000)
        libm.so.6 => /lib/libm.so.6 (0x01302000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00560000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x01329000)
        libc.so.6 => /lib/libc.so.6 (0x04b7c000)
        libz.so.1 => /usr/lib/libz.so.1 (0x03820000)
        libXinerama.so.1 => /usr/lib/libXinerama.so.1 (0x00683000)
        libSM.so.6 => /usr/lib/libSM.so.6 (0x036f4000)
        libpng12.so.0 => /usr/lib/libpng12.so.0 (0x03a5a000)
        libjpeg.so.62 => /usr/lib/libjpeg.so.62 (0x039e2000)
        libtiff.so.3 => /usr/lib/libtiff.so.3 (0x07534000)
        libGL.so.1 => /usr/lib/libGL.so.1 (0x01340000)
        libGLU.so.1 => /usr/lib/libGLU.so.1 (0x013ae000)
        libgstreamer-0.10.so.0 => /usr/lib/libgstreamer-0.10.so.0 (0x07a45000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x07ba4000)
        libgconf-2.so.4 => /usr/lib/libgconf-2.so.4 (0x078b0000)
        libORBit-2.so.0 => /usr/lib/libORBit-2.so.0 (0x07916000)
        libgstinterfaces-0.10.so.0 => /usr/lib/libgstinterfaces-0.10.so.0 (0x0782f000)
        libSDL-1.2.so.0 => /usr/lib/libSDL-1.2.so.0 (0x02374000)
        libexpat.so.0 => /lib/libexpat.so.0 (0x01f34000)
        /lib/ld-linux.so.2 (0x004ee000)
        libpangocairo-1.0.so.0 => /usr/lib/libpangocairo-1.0.so.0 (0x01e74000)
        libX11.so.6 => /usr/lib/libX11.so.6 (0x02518000)
        libcairo.so.2 => /usr/lib/libcairo.so.2 (0x0219a000)
        libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x02020000)
        libXext.so.6 => /usr/lib/libXext.so.6 (0x01f66000)
        libXrender.so.1 => /usr/lib/libXrender.so.1 (0x0142e000)
        libXi.so.6 => /usr/lib/libXi.so.6 (0x01437000)
        libXrandr.so.2 => /usr/lib/libXrandr.so.2 (0x00686000)
        libXcursor.so.1 => /usr/lib/libXcursor.so.1 (0x0143f000)
        libXfixes.so.3 => /usr/lib/libXfixes.so.3 (0x01449000)
        libpangoft2-1.0.so.0 => /usr/lib/libpangoft2-1.0.so.0 (0x0144e000)
        libXft.so.2 => /usr/lib/libXft.so.2 (0x07b83000)
        libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x0147c000)
        libICE.so.6 => /usr/lib/libICE.so.6 (0x014fc000)
        libXxf86vm.so.1 => /usr/lib/libXxf86vm.so.1 (0x0665a000)
        libdrm.so.2 => /usr/lib/libdrm.so.2 (0x06675000)
        libesd.so.0 => /usr/lib/libesd.so.0 (0x051fc000)
        libaudiofile.so.0 => /usr/lib/libaudiofile.so.0 (0x05346000)
        libXau.so.6 => /usr/lib/libXau.so.6 (0x0068a000)
        libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x03b66000)
        libasound.so.2 => /lib/libasound.so.2 (0x0160f000)

PRIOR COMMANDS: (as root)

# gem install wxruby
# yum install wxGTK
# yum install wxGTK-gl

MY SYSTEM: (Centos 5.1)

$ uname -a
Linux localhost.localdomain 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:19:18 EDT 2009 i686 i686 i386 GNU/Linux

SOME BACKGROUND INFO WHICH MAY HELP:

Text Relocations
http://people.redhat.com/drepper/textrelocs.html
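
The two raw audit messages in the report carry the same event id (1260998419.336:52), so the AVC denial and the failed system call can be read as one event. The Ruby below is an added example, not part of the original report or of wxruby: it pairs AVC and SYSCALL records by event id and decodes the denied call. The sample text is copied from the report; the syscall table is an assumption that maps only the i386 number seen there.

```ruby
# Added example: pair SELinux AVC and SYSCALL audit records by event id and
# decode execmod denials. SAMPLE holds the two raw audit messages from the report.
SAMPLE = <<~'LOG'
  host=localhost.localdomain type=AVC msg=audit(1260998419.336:52): avc: denied { execmod } for pid=3312 comm="ruby" path="/usr/local/lib/ruby/gems/1.9.1/gems/wxruby-2.0.1-x86-linux/lib/wxruby2.so" dev=hda5 ino=6514789 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
  host=localhost.localdomain type=SYSCALL msg=audit(1260998419.336:52): arch=40000003 syscall=125 success=no exit=-13 a0=e4f000 a1=888000 a2=5 a3=bf935340 items=0 ppid=2931 pid=3312 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="ruby" exe="/usr/local/bin/ruby" subj=user_u:system_r:unconfined_t:s0 key=(null)
LOG

# mprotect()/mmap() protection bits.
PROT = { 1 => "PROT_READ", 2 => "PROT_WRITE", 4 => "PROT_EXEC" }.freeze
# Assumption: only the (arch, syscall) pair from this report is mapped.
# arch 40000003 is 32-bit x86, where syscall 125 is mprotect.
SYSCALLS = { ["40000003", 125] => "mprotect" }.freeze

# Split one audit record into key => value, stripping quotes from values.
def fields(line)
  line.scan(/(\w+)=("[^"]*"|\S+)/).to_h { |k, v| [k, v.delete('"')] }
end

# Return one hash per event whose AVC record denied the execmod permission.
def execmod_denials(log)
  events = Hash.new { |h, k| h[k] = {} }
  log.each_line do |line|
    id = line[/msg=audit\(([\d.]+:\d+)\)/, 1] or next
    f = fields(line)
    f["perms"] = line[/denied\s+\{([^}]*)\}/, 1].to_s.split if f["type"] == "AVC"
    events[id][f["type"]] = f
  end
  events.filter_map do |id, ev|
    avc, sc = ev["AVC"], ev["SYSCALL"] || {}
    next unless avc && avc["perms"].include?("execmod")
    prot = sc["a2"].to_s.hex # third syscall argument, logged in hex
    { id: id, path: avc["path"], exe: sc["exe"],
      scontext: avc["scontext"], tcontext: avc["tcontext"],
      syscall: SYSCALLS[[sc["arch"], sc["syscall"].to_i]],
      prot: PROT.select { |bit, _| prot & bit != 0 }.values }
  end
end

execmod_denials(SAMPLE).each { |d| puts d } if __FILE__ == $PROGRAM_NAME
```

For the report's event this decodes to mprotect with PROT_READ and PROT_EXEC on wxruby2.so, which is the step the loader reports as "cannot restore segment prot after reloc".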