hluk / CopyQ

Clipboard manager with advanced features
GNU General Public License v3.0

SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml #2129

Open luckylittle opened 1 year ago

luckylittle commented 1 year ago

This is an issue probably only on RHEL9.

Describe the bug: CopyQ cannot start and gets terminated. These messages related to SELinux appear in /var/log/messages:

***  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that copyq should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'copyq' --raw | audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted). For complete SELinux messages run: sealert -l 1199e9c3-5696-4579-a6c9-cbe098f4226e
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted).#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow selinuxuser to execmod#012Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.#012#012Do#012setsebool -P selinuxuser_execmod 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that copyq should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'copyq' --raw | audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted). For complete SELinux messages run: sealert -l 1199e9c3-5696-4579-a6c9-cbe098f4226e
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted).#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow selinuxuser to execmod#012Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.#012#012Do#012setsebool -P selinuxuser_execmod 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that copyq should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'copyq' --raw | audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012
Oct  6 22:09:44 localhost systemd[1]: dbus-:1.11-org.fedoraproject.SetroubleshootPrivileged@1.service: Main process exited, code=killed, status=14/ALRM

To Reproduce: Steps to reproduce the behavior:

  1. Install the latest version 6.3.2 on RHEL9
  2. Start copyq

Expected behavior: CopyQ is expected to start without generating a local SELinux policy module.

Screenshots: N/A

Version, OS and Environment (Get details from copyq version command if possible.)

Additional context: The temporary fix was:

  1. sudo ausearch -c 'copyq' --raw | audit2allow -M my-copyq
  2. sudo semodule -i my-copyq.pp
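
The setroubleshoot lines quoted in the report above are hard to compare because rsyslog escapes every embedded newline as `#012` and the same alert repeats. The following Python is an added example, not part of the original thread or of CopyQ: it decodes that escaping, extracts the denial, and lists each plugin's suggested commands once per distinct denial. The function names `decode`, `parse` and `summarize` are hypothetical, the sample lines are abridged from the quoted log, and `<alert-id>` is a placeholder.

```python
import re
# Two alert lines and one unrelated line, abridged from the log quoted in the
# report above; rsyslog writes each embedded newline as the octal escape "#012".
HEAD = ("Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing "
        "/usr/local/bin/copyq from execmod access on the file "
        "/memfd:JITCode:QtQml (deleted).")
SAMPLE = [
    HEAD + " For complete SELinux messages run: sealert -l <alert-id>",
    HEAD + "#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   "
    "******************#012#012If you want to allow selinuxuser to execmod#012"
    "Do#012setsebool -P selinuxuser_execmod 1#012#012*****  Plugin catchall "
    "(11.6 confidence) suggests   **************************#012#012Do#012"
    "allow this access for now by executing:#012# ausearch -c 'copyq' --raw | "
    "audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012",
    "Oct  6 22:09:44 localhost systemd[1]: Main process exited, code=killed",
]
ESCAPE = re.compile(r"#(0[0-3][0-7]|177)")  # control characters only
DENIAL = re.compile(r"SELinux is preventing (\S+) from (\S+) access on the "
                    r"(\w+) (.+?)\.(?=\n| For complete|$)")
PLUGIN = re.compile(r"\*+\s+Plugin (\S+) \(([\d.]+) confidence\) suggests\s+\*+\n"
                    r"(.*?)(?=\n\*{3,}|\Z)", re.S)

def decode(line):  # undo rsyslog escaping, e.g. "#012" -> newline
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)

def parse(line):
    """Return the denial and each plugin's suggested commands, or None."""
    text = decode(line)
    m = DENIAL.search(text)
    if not m:
        return None
    plugins = []
    for name, conf, body in PLUGIN.findall(text):
        after_do = body.partition("\nDo\n")[2]  # commands follow a "Do" line
        cmds = [l.lstrip("# ").strip() for l in after_do.splitlines()
                if l.strip() and not l.startswith("allow this access")]
        plugins.append({"plugin": name, "confidence": float(conf), "commands": cmds})
    return {"source": m.group(1), "perm": m.group(2), "tclass": m.group(3),
            "target": m.group(4), "plugins": plugins}

def summarize(lines):
    """Collapse repeated alerts into one entry per (source, perm, target)."""
    seen = {}
    for rec in filter(None, map(parse, lines)):
        key = (rec["source"], rec["perm"], rec["target"])
        entry = seen.setdefault(key, {"count": 0, "plugins": []})
        entry["count"] += 1
        entry["plugins"] = entry["plugins"] or rec["plugins"]
    return seen
```

Seen side by side, the higher-confidence suggestion flips a system-wide boolean, while the catchall suggestion builds a module from copyq's own audit records.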

hluk commented 1 year ago

Is there anything I can actually do to help? This looks like a downstream issue - I do not maintain the RHEL package.

luckylittle commented 1 year ago

I'm not sure actually. I think the package sepolicy needs to include this rule.

carlosrodfern commented 1 year ago

This may be a security bug. I found this issue while researching it for another project. Adding a specific SELinux policy is just a last resort workaround. Fixing the linking during the build is best. Posting this here hoping it can help:

https://akkadia.org/drepper/selinux-mem.html (see execmod)
https://akkadia.org/drepper/textrelocs.html (more details about the text relocation problem).