View Issue Details

IDProjectCategoryView StatusLast Update
0018262CentOS-7selinux-policypublic2021-08-03 08:26
Reporterwalter wang Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionnot fixable 
OS Version7 
Summary0018262: SELinux is preventing labview from using the 'execheap' accesses on a process.
DescriptionDescription of problem:
SELinux is preventing labview from using the 'execheap' accesses on a process.

***** Plugin allow_execheap (53.1 confidence) suggests ********************

If you do not think labview should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

***** Plugin catchall (5.76 confidence) suggests **************************

If you believe that labview should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'labview' --raw | audit2allow -M my-labview
# semodule -i my-labview.pp

Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects Unknown [ process ]
Source labview
Source Path labview
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 5.13.5-1.el7.elrepo.x86_64 #1 SMP
                              Sat Jul 24 12:30:08 EDT 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-07-28 17:02:23 PDT
Last Seen 2021-07-28 17:02:23 PDT
Local ID f103ee6d-d273-483e-82e3-fcba62b550d8

Raw Audit Messages
type=AVC msg=audit(1627516943.958:244): avc: denied { execheap } for pid=3382 comm="labview" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: labview,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-3.13.1-268.el7_9.2.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 5.13.5-1.el7.elrepo.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hash334af2f57f83829e9f5143bb898d82af17f56f42cc781b3be148015bdbc23b70
URL

Activities

ManuelWolfshant

ManuelWolfshant

2021-08-03 08:26

manager   ~0038565

labview is not something that we ship therefore we can't support either. I suggest following one of the pieces of advice that you have received mentioned in your report. I for one would generate a custom selinux policy for labview rather than granting access for selinuxuser to execheap, with one specific change: If the application works normally despite the report, I'd use a policy that does "dontaudit" instead of "allow".

Issue History

Date Modified Username Field Change
2021-07-29 00:11 walter wang New Issue
2021-08-03 08:26 ManuelWolfshant Status new => closed
2021-08-03 08:26 ManuelWolfshant Resolution open => not fixable
2021-08-03 08:26 ManuelWolfshant Note Added: 0038565