
SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml

Open luckylittle opened this issue 3 years ago • 3 comments

This is an issue probably only on RHEL9.

Describe the bug

CopyQ cannot start and gets terminated. These messages related to SELinux appear in the /var/log/messages:

***  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that copyq should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'copyq' --raw | audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted). For complete SELinux messages run: sealert -l 1199e9c3-5696-4579-a6c9-cbe098f4226e
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted).#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow selinuxuser to execmod#012Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.#012#012Do#012setsebool -P selinuxuser_execmod 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that copyq should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'copyq' --raw | audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted). For complete SELinux messages run: sealert -l 1199e9c3-5696-4579-a6c9-cbe098f4226e
Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing /usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml (deleted).#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow selinuxuser to execmod#012Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.#012#012Do#012setsebool -P selinuxuser_execmod 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that copyq should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'copyq' --raw | audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012
Oct  6 22:09:44 localhost systemd[1]: dbus-:[email protected]: Main process exited, code=killed, status=14/ALRM

To Reproduce

Steps to reproduce the behavior:

  1. Install the latest version 6.3.2 on RHEL9
  2. Start copyq

Expected behavior

CopyQ is expected to start without generating a local SELinux policy module.

Screenshots N/A

Version, OS and Environment (Get details from copyq version command if possible.)

  • OS Red Hat Enterprise Linux release 9.0 (Plow), 5.14.0-70.26.1.el9_0.x86_64
  • SELinux Enforcing
  • CopyQ Clipboard Manager 6.3.2
  • Qt: 5.15.2
  • KNotifications: 5.90.0
  • Compiler: GCC
  • Arch: x86_64-little_endian-lp64

Additional context

The temporary fix was:

  1. sudo ausearch -c 'copyq' --raw | audit2allow -M my-copyq
  2. sudo semodule -i my-copyq.pp

luckylittle, Oct 06 '22 11:10

Is there anything I can actually do to help? This looks like a downstream issue - I do not maintain the RHEL package.

hluk, Oct 10 '22 09:10

I'm not sure actually. I think the package sepolicy needs to include this rule.

luckylittle, Oct 12 '22 06:10

This may be a security bug. I found this issue while researching it for another project. Adding a specific SELinux policy is just a last resort workaround. Fixing the linking during the build is best. Posting this here hoping it can help:

https://akkadia.org/drepper/selinux-mem.html (see execmod)
https://akkadia.org/drepper/textrelocs.html (more details about the text relocation problem).

carlosrodfern, Jun 04 '23 15:06
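
For triage, the setroubleshoot lines quoted in the report can be decoded mechanically. The following is an added example, not part of the original thread or of CopyQ: it undoes the `#012` escaping, groups repeated lines by denial, and lists each plugin's suggested commands with its confidence. `SAMPLE` is constructed from the log lines in the report (the catchall prose is abbreviated), and the function names are this example's own.

```python
import re

# Constructed sample in the format of the report's log lines. rsyslog writes
# control characters as #ooo octal escapes, so each #012 is a newline.
SAMPLE = (
    "Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing "
    "/usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml "
    "(deleted). For complete SELinux messages run: sealert -l "
    "1199e9c3-5696-4579-a6c9-cbe098f4226e\n"
    "Oct  6 22:09:34 localhost setroubleshoot[18564]: SELinux is preventing "
    "/usr/local/bin/copyq from execmod access on the file /memfd:JITCode:QtQml "
    "(deleted).#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests"
    "   ******#012#012If you want to allow selinuxuser to execmod#012Then you "
    "must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean."
    "#012#012Do#012setsebool -P selinuxuser_execmod 1#012#012*****  Plugin "
    "catchall (11.6 confidence) suggests   ******#012#012If you believe ...#012"
    "Do#012allow this access for now by executing:#012# ausearch -c 'copyq' "
    "--raw | audit2allow -M my-copyq#012# semodule -X 300 -i my-copyq.pp#012\n"
)

DENIAL = re.compile(r"SELinux is preventing (\S+) from (\S+) access on the (\w+) (.+?)\.(?:\s|$)")
HEADER = re.compile(r"\*+\s+Plugin (\w+) \(([\d.]+) confidence\) suggests\s+\*+")
ALERT = re.compile(r"sealert -l ([0-9a-f-]{36})")

def unescape(msg):
    """Turn rsyslog #ooo octal escapes back into the characters they encode."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), msg)

def parse(log):
    """Return {(path, access, class, target): info}, one entry per distinct denial."""
    events = {}
    for line in log.splitlines():
        tag, _, msg = line.partition("]: ")
        text = unescape(msg)
        hit = DENIAL.search(text)
        if "setroubleshoot[" not in tag or not hit:
            continue  # not a setroubleshoot denial line (e.g. the systemd line)
        info = events.setdefault(hit.groups(), {"count": 0, "alerts": set(), "fixes": {}})
        info["count"] += 1
        info["alerts"].update(ALERT.findall(text))
        parts = HEADER.split(text)[1:]  # name, confidence, body, name, ...
        for name, conf, body in zip(parts[0::3], parts[1::3], parts[2::3]):
            steps = body.partition("\nDo\n")[2].splitlines()
            # Drop blank lines and the prose lead-in; strip the "# " root prompt.
            cmds = [re.sub(r"^# ", "", s) for s in steps if s and not s.endswith(":")]
            info["fixes"][name] = (float(conf), cmds)
    return events

if __name__ == "__main__":
    for key, info in parse(SAMPLE).items():
        print(key, info)
```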