https://bugs.kde.org/show_bug.cgi?id=459490

            Bug ID: 459490
           Summary: SELinux is preventing /app/bin/krita from execmod
                    access on the file
                    /memfd:JITCode:/app/lib/libQt5Qml.so.5
    Classification: Applications
           Product: krita
           Version: 5.1.1
          Platform: Flatpak
                OS: Linux
            Status: REPORTED
          Severity: crash
          Priority: NOR
         Component: General
          Assignee: krita-bugs-n...@kde.org
          Reporter: t...@siosm.fr
  Target Milestone: ---

SUMMARY

```
$ flatpak run org.kde.krita
Qt: Session management error: None of the authentication protocols specified
are supported
Qt: Session management error: None of the authentication protocols specified
are supported
Qt: Session management error: None of the authentication protocols specified
are supported
Gtk-Message: 10:38:18.107: Failed to load module "canberra-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "pk-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "canberra-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "pk-gtk-module"
Qt: Session management error: None of the authentication protocols specified
are supported
QObject::startTimer: Timers cannot have negative intervals
/app/lib/krita-python-libs/krita added to PYTHONPATH
mprotect failed in ExecutableAllocator::makeExecutable: Permission denied
*** stack smashing detected ***: terminated
```

The execmod permission is:
```
execmod Make executable a file mapping that has been modified by copy-on-write.
(Text relocation)
```

SELinux info:
```
SELinux is preventing /app/bin/krita from execmod access on the file
/memfd:JITCode:/app/lib/libQt5Qml.so.5 (deleted).

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow selinuxuser to execmod
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod'
boolean.

Do
setsebool -P selinuxuser_execmod 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that krita should be allowed execmod access on the
libQt5Qml.so.5 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'krita' --raw | audit2allow -M my-krita
# semodule -X 300 -i my-krita.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /memfd:JITCode:/app/lib/libQt5Qml.so.5 (deleted) [ file ]
Source                        krita
Source Path                   /app/bin/krita
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 5.14.0-165.el9.x86_64
                              #1 SMP PREEMPT_DYNAMIC Sat Sep 17 14:08:33 UTC
                              2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-09-21 10:35:57 UTC
Last Seen                     2022-09-21 10:35:57 UTC
Local ID                      b05c62de-18d6-4526-99b3-dc83fc8c1748

Raw Audit Messages
type=AVC msg=audit(1663756557.214:170): avc:  denied  { execmod } for  pid=4216
comm="krita"
path=2F6D656D66643A4A4954436F64653A2F6170702F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429
dev="tmpfs" ino=14421
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1663756557.214:170): arch=x86_64 syscall=mprotect
success=no exit=EACCES a0=7f5f6c1dd000 a1=ae a2=5 a3=2 items=0 ppid=4215
pid=4216 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000
sgid=1000 fsgid=1000 tty=(none) ses=3 comm=krita exe=/app/bin/krita
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: krita,unconfined_t,user_tmp_t,file,execmod
```

I will try to provide a stack-trace later.

STEPS TO REPRODUCE
1. Install Krita from Flathub on CentOS Stream 9 (can be reproduced in a VM)
2. Start Krita

OBSERVED RESULT

Crash

EXPECTED RESULT

No crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: CentOS Stream 9
KDE Plasma Version: N/A, happens in GNOME too
KDE Frameworks Version: From Flatpak
Qt Version: From Flatpak

ADDITIONAL INFORMATION

See original report in https://github.com/flathub/org.kde.krita/issues/66
