flathub / io.freetubeapp.FreeTube

https://flathub.org/apps/details/io.freetubeapp.FreeTube

SELinux violation through execheap #110

Open boredsquirrel opened 2 weeks ago

boredsquirrel commented 2 weeks ago

When starting, SETroubleshoot throws this error:

SELinux prevents freetube from accessing a process with "execheap" access.

***** Plugin allow_execheap (53.1 probability) suggests ********

You do not believe that freetube should point to heap memory that is both writable and executable.
Then you need to file an error report. This is a possibly granted access.
Execute
contact your security administrator and report this problem.

***** Plugin catchall_boolean (42.6 probability) suggests ******

You want to do the following: allow selinuxuser to execheap
Then you need to notify SELinux by enabling the bool variable "selinuxuser_execheap".

Execute
setsebool -P selinuxuser_execheap 1

***** Plugin catchall (5.76 probability) suggests **************

If you think freetube should be allowed to get execheap access to unconfined_t processes by default.
Then you should report this as an error.
To allow this access, you can create a local policy module.
Execute
Allow access now by executing the following commands:
# ausearch -c 'freetube' --raw | audit2allow -M my-freetube
# semodule -X 300 -i my-freetube.pp

additional information:
Source code unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target objects Unknown [ process ]
Source freetube
Source path freetube
Port <unknown>
Host PC
RPM packages of the source
RPM packages of the target
SELinux Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch
Local Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch
SELinux enabled True
Policy type targeted
Enforcing mode Enforcing
Computer name PC
Platform Linux PC 6.9.5-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Jun 16 15:47:09 UTC 2024 x86_64
Number of alarms 1
First seen 2024-06-26 17:39:58 CEST
Last seen 2024-06-26 17:39:58 CEST
Local ID 6f11de17-c17b-4f1e-8b9f-ad5a826cbf2e

Raw audit messages
type=AVC msg=audit(1719416398.508:742): avc: denied { execheap } for pid=55245 comm="freetube" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Hash: freetube,unconfined_t,unconfined_t,process,execheap

I translated this; it may contain errors.

Fedora 40 KDE, FreeTube latest from Flathub.
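As an added example (not part of this issue or of the FreeTube project), here is a small Python parser that turns raw AVC records like the one quoted above into structured fields and filters for the memory-execute permissions SELinux denies on W+X memory (execheap, execmem, execstack, execmod), the kind of check a monitoring script would run over `ausearch --raw` output. The first sample record is the one from the report; the second record and the SYSCALL line are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the AVC record from the issue, plus a constructed
# file-read denial and a SYSCALL record to show that the filter ignores them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1719416398.508:742): avc: denied { execheap } for pid=55245 comm="freetube" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1719416400.001:743): avc: denied { read } for pid=55245 comm="freetube" name="hosts" dev="dm-0" ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1719416398.508:742): arch=c000003e syscall=10 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, result, and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: "
    r"(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)"
)
# key=value pairs after "for"; values may be quoted (comm="freetube") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that SELinux checks when a process wants writable+executable memory.
WX_MEMORY_PERMS = {"execheap", "execmem", "execstack", "execmod"}


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type:range; the type is what a policy module targets.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = str(rec[ctx]).split(":")[2]
    return rec


def find_wx_memory_denials(log_text: str) -> List[Dict[str, object]]:
    """Return only the denials involving W+X memory permissions."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and WX_MEMORY_PERMS & set(rec["perms"]):
            hits.append(rec)
    return hits
```

Feeding it `ausearch -m AVC --raw` output instead of the sample text gives a per-process view of which binaries request W+X memory, which is what decides between fixing the application and enabling the `selinuxuser_execheap` boolean.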

boredsquirrel commented 2 weeks ago

This only seems to happen if FreeTube has access to the system bus; related to #108.