flathub / com.slack.Slack

https://flathub.org/apps/details/com.slack.Slack

SELinux reported slack wants to use the execheap access on a process #285

Open tjanez opened 1 month ago

tjanez commented 1 month ago

Hi,

SELinux started reporting that it is blocking the Slack process from using execheap access.

Here is the full report:

SELinux is preventing slack from using the execheap access on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think slack should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that slack should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'slack' --raw | audit2allow -M my-slack
# semodule -X 300 -i my-slack.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        slack
Source Path                   slack
Port                          <Unknown>
Host                          toronto
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.18-2.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.18-2.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     toronto
Platform                      Linux toronto 6.8.9-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu May  2 18:59:06 UTC 2024
                              x86_64
Alert Count                   49
First Seen                    2024-06-14 12:53:20 CEST
Last Seen                     2024-06-14 12:53:21 CEST
Local ID                      7de8d806-767b-4cc3-b84a-000004d854c4

Raw Audit Messages
type=AVC msg=audit(1718362401.951:3778): avc:  denied  { execheap } for  pid=228304 comm="slack" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Hash: slack,unconfined_t,unconfined_t,process,execheap

Has something in Slack upstream changed that Slack would now need this potentially dangerous access?

OS: Fedora 40
Desktop: Gnome with Wayland
Slack version (flatpak run com.slack.Slack --version): 4.38.125
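For anyone triaging the same report, here is a small POSIX shell helper, added here as an example (it is not code from this issue, from Slack, or from the Flathub packaging). It parses raw AVC lines in the format shown in the report above, pulls out the fields sealert summarises (comm, tclass, the denied permission, enforcing vs. permissive), flags the W^X-related permissions (execheap, execmem, execstack, execmod) that should not be allowed blindly with setsebool or audit2allow, and counts denials per process and permission the way the "Alert Count" line does. The sample input is constructed: one line is the AVC from the report, the other is a hypothetical execmem denial for a process named "node" added only to show a second case.

```shell
#!/bin/sh
# AVC triage helper (added example, not from the issue or the Slack project).
# Assumes the kernel's usual AVC line layout:
#   type=AVC msg=audit(...): avc:  denied  { perm } for  pid=N comm="x" scontext=... tcontext=... tclass=... permissive=0|1

# Constructed sample input: the first line is the AVC from the report,
# the second is a hypothetical execmem denial for a process called "node".
SAMPLE_AVC='type=AVC msg=audit(1718362401.951:3778): avc:  denied  { execheap } for  pid=228304 comm="slack" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0'
SAMPLE_AVC2='type=AVC msg=audit(1718362402.100:3779): avc:  denied  { execmem } for  pid=228999 comm="node" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1'

# avc_field LINE KEY: print the value of KEY=VALUE (quotes stripped), or nothing.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# avc_perm LINE: print the permission(s) inside "{ ... }", trimmed.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# avc_triage LINE: one summary line "comm tclass perm mode verdict".
# mode is "blocked" when permissive=0 (enforcing) and "audited-only" otherwise.
# Permissions that create writable+executable memory get the WX-VIOLATION verdict:
# the right response is to find out why the binary needs it, not to flip a boolean
# or install an audit2allow module that whitelists it for every unconfined process.
avc_triage() {
    line=$1
    perm=$(avc_perm "$line")
    comm=$(avc_field "$line" comm)
    tclass=$(avc_field "$line" tclass)
    permissive=$(avc_field "$line" permissive)
    case "$perm" in
        execheap|execmem|execstack|execmod) verdict=WX-VIOLATION ;;
        *) verdict=OTHER ;;
    esac
    if [ "$permissive" = "1" ]; then mode=audited-only; else mode=blocked; fi
    printf '%s %s %s %s %s\n' "$comm" "$tclass" "$perm" "$mode" "$verdict"
}

# avc_summary: read AVC lines on stdin, print "count comm tclass perm" per
# distinct (comm, tclass, perm) triple, sorted, like sealert's Alert Count.
avc_summary() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied"*) ;;
            *) continue ;;
        esac
        printf '%s %s %s\n' "$(avc_field "$line" comm)" \
            "$(avc_field "$line" tclass)" "$(avc_perm "$line")"
    done | sort | uniq -c | awk '{ print $1, $2, $3, $4 }'
}

# Stand-alone demo (typical real usage: ausearch -m AVC --raw | avc_summary).
if [ "${AVC_DEMO:-0}" = "1" ]; then
    avc_triage "$SAMPLE_AVC"
    avc_triage "$SAMPLE_AVC2"
    printf '%s\n%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC2" "$SAMPLE_AVC" | avc_summary
fi
```

Run with AVC_DEMO=1 to see the demo, or pipe real output from `ausearch -m AVC --raw` into avc_summary. The point of the WX-VIOLATION verdict is that execheap is exactly the case sealert labels "potentially dangerous": a blanket `setsebool -P selinuxuser_execheap 1` or an audit2allow module removes the W^X check for every process in unconfined_t, not just Slack, so the question in this issue (what changed upstream to need it) is the right one to ask first.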

ZVNexus commented 1 month ago

Not that I'm aware of. I would just ignore it if there isn't anything resulting from it.

cam-rod commented 3 weeks ago

I saw a similar alert in Chrome last week, and then it disappeared after an update. I'm thinking there was a bug in Chromium that got fixed, but not before making its way into Electron.