ferdium / ferdium-app

All your services in one place, built by the community
https://ferdium.org
Apache License 2.0

SElinux alerts for ferdium on fedora 40 #1829

Open AL292 opened 3 months ago

AL292 commented 3 months ago

Avoid duplicates

Ferdium Version

6.7.5-nightly.16

What Operating System are you using?

Other Linux

Operating System Version

Fedora release 40 (Forty)
NAME="Fedora Linux"
VERSION="40 (Forty)"
ID=fedora
VERSION_ID=40
VERSION_CODENAME=""
PLATFORM_ID="platform:f40"
PRETTY_NAME="Fedora Linux 40 (Forty)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:40"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f40/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=40
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=40
SUPPORT_END=2025-05-13
Fedora release 40 (Forty)
Fedora release 40 (Forty)
cpe:/o:fedoraproject:fedora:40

What arch are you using?

x64

Last Known Working Ferdium version

No response

Expected Behavior

No SElinux warnings that the program is trying to access execheap.

Actual Behavior

Plenty of warnings from SELinux that ferdium is trying to access execheap. The ferdium app is running all the time in the background and randomly tries to access that part of RAM.

The message is the following:

SELinux está a proibir ferdium de utilizar os acessos execheap num processo.

* Plugin allow_execheap (53.1 confidence) suggests ****

If you do not think ferdium should need to map heap memory that is both writable and executable. Em seguida precisa de reportar um erro. Este acesso é potencialmente perigoso. Fazer contacte o administrador de segurança e reporte este problema.

* Plugin catchall_boolean (42.6 confidence) suggests **

If you want to allow selinuxuser to execheap Em seguida you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Fazer setsebool -P selinuxuser_execheap 1

* Plugin catchall (5.76 confidence) suggests **

If you believe that ferdium should be allowed execheap access on processes labeled unconfined_t by default. Em seguida you should report this as a bug. You can generate a local policy module to allow this access. Fazer allow this access for now by executing:

ausearch -c 'ferdium' --raw | audit2allow -M my-ferdium

semodule -X 300 -i my-ferdium.pp

Informações adicionais:
Contexto de Origem            unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Contexto de Destino           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Objectos de Destino           Desconhecido [ process ]
Fonte                         ferdium
Caminho de Origem             ferdium
Porto
Máquina                       ThinkPad
Pacotes RPM Fonte
Pacotes RPM Destino
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux Activo                True
Tipo de Política              targeted
Modo de Execução Forçada      Enforcing
Nome da Máquina               ThinkPad
Plataforma                    Linux ThinkPad 6.9.5-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Jun 16 15:47:09 UTC 2024 x86_64
Contador de Alertas           2
Primeira Vez Visto            2024-06-26 16:25:03 WEST
Última Vez Visto              2024-06-26 18:00:41 WEST
ID Local                      34837d65-129e-40ae-86b8-3c852e9f5090

Mensagens de Auditoria em Bruto
type=AVC msg=audit(1719421241.815:636): avc: denied { execheap } for pid=39135 comm="ferdium" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Hash: ferdium,unconfined_t,unconfined_t,process,execheap

Steps to reproduce

  1. Have fedora 40 installed
  2. SElinux enforcing
  3. Ferdium app running
  4. Wait....

Debug link

https://debug.ferdium.org/d0def1a2-6ba0-497c-bfa6-f6b29ba96737

Screenshots

output from home-config-ferdium output from SElinux

Additional information

I've made all the SELinux context confirmations, but it is still happening. There was another person with the same problem, #1726, but that ticket was closed without a solution. I did a fresh install of this system, because before it was happening with VSCode but not with Ferdium; now it happens only with Ferdium.

AL292 commented 3 months ago

Well, I'm closing this issue because the problem isn't related to Ferdium but to anything that is based on Electron or has the last SELinux policy updates from Fedora. For some context on why I'm closing the issue, head over to selinux-execheap-denials.

AL292 commented 1 month ago

Well, it is Ferdium that makes SELinux fire alerts: when I don't have it installed SELinux stays pretty calm, but when I install Ferdium it becomes an AVC party. Last AVC from Ferdium and SElinux.txt My system is the one already described in the 1st opened issue.
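
The "Hash:" line in the report carries the same fields as the raw audit record: command, source type, target type, class and permission. As an added example (not part of the original thread or of Ferdium's code), this Python script rebuilds that signature from raw AVC records, counts repeats, and picks out denials for writable-and-executable memory; all sample lines except the first are constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the raw record quoted in the report; the rest are
# made up for illustration (example-daemon / example_t are hypothetical names).
SAMPLE = """\
type=AVC msg=audit(1719421241.815:636): avc: denied { execheap } for pid=39135 comm="ferdium" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1719421300.101:640): avc:  denied  { execheap } for  pid=39135 comm="ferdium" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1719421300.101:640): arch=c000003e syscall=10 success=no exit=-13 pid=39135 comm="ferdium"
type=AVC msg=audit(1719421310.500:641): avc:  denied  { read } for  pid=1200 comm="example-daemon" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# SELinux permissions that guard memory which is writable and executable at once.
W_X_PERMS = {"execheap", "execmem", "execstack", "execmod"}

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    return rec

def selinux_type(context):
    """user:role:type:level -> type (the part targeted policy decides on)."""
    return context.split(":")[2]

def signature(rec):
    """Same field order as the report's 'Hash:' line."""
    return ",".join([rec["comm"], selinux_type(rec["scontext"]),
                     selinux_type(rec["tcontext"]), rec["tclass"], *rec["perms"]])

def summarize(text):
    """Count denied AVC records per signature."""
    recs = (parse_avc(line) for line in text.splitlines())
    return Counter(signature(r) for r in recs if r and r["result"] == "denied")

def wx_denials(counts):
    """Signatures whose denied permission is one of the W+X memory checks."""
    return sorted(s for s in counts if set(s.split(",")[4:]) & W_X_PERMS)

if __name__ == "__main__":
    for sig, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {sig}")
```
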