View Issue Details

ID: 0005908
Project: Rocky-Linux-9
Category: selinux-policy
View Status: public
Last Update: 2024-02-25 17:50
Reporter: Vinicius Pinho
Assigned To: Louis Abel
Priority: normal
Severity: block
Reproducibility: always
Status: closed
Resolution: won't fix
Summary: 0005908: Labview 2017 / Installation
Description: I have Labview for CentOS 7 and it works fine. I tried to install it in Rocky and cannot open it because of an SELinux message.

This is Rocky 9

[elsys@localhost ~]$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
[elsys@localhost ~]$

[elsys@localhost ~]$ uname -r
5.14.0-362.18.1.el9_3.0.1.x86_64


Steps To Reproduce: Install Labview 2017 for Linux.
Additional Information:

SELinux is preventing /usr/local/natinst/LabVIEW-2017-64/labview from using the execheap access on a process.

***** Plugin allow_execheap (53.1 confidence) suggests ********************

If you do not think /usr/local/natinst/LabVIEW-2017-64/labview should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

***** Plugin catchall (5.76 confidence) suggests **************************

If you believe that labview should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'labview' --raw | audit2allow -M my-labview
# semodule -X 300 -i my-labview.pp

Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects Unknown [ process ]
Source labview
Source Path /usr/local/natinst/LabVIEW-2017-64/labview
Port <Unknown>
Host localhost.localdomain
Source RPM Packages labview-2017-exe-17.0.0-1.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
Local Policy RPM selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
                              5.14.0-362.18.1.el9_3.0.1.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Feb 11 13:49:23 UTC 2024
                              x86_64 x86_64
Alert Count 14
First Seen 2024-02-24 19:22:22 WET
Last Seen 2024-02-25 11:13:39 WET
Local ID fab491fe-8d02-46a5-8632-737408b9439a

Raw Audit Messages
type=AVC msg=audit(1708859619.200:228): avc: denied { execheap } for pid=5946 comm="labview" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


type=SYSCALL msg=audit(1708859619.200:228): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=55b4000 a1=5000 a2=7 a3=55b7500 items=0 ppid=2661 pid=5946 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=labview exe=/usr/local/natinst/LabVIEW-2017-64/labview subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: labview,unconfined_t,unconfined_t,process,execheap
Tags: No tags attached.

Activities

Louis Abel

2024-02-25 17:50

administrator   ~0006139

Thank you for the report.

As this software is not part of Rocky Linux, it is out of scope for support. The additional information you have provided in this report explains the steps needed to fix the issue with your software.

Closing.
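
Added example (not part of the original report, and not code from Rocky Linux or the SELinux tools): a Python sketch that pairs the AVC and SYSCALL records from the raw audit messages by event ID and decodes the mprotect arguments, showing that `a2=7` is a request for read, write and execute on the same region. It assumes interpreted records as pasted in the report; the sample lines are copied from the page, with the SYSCALL line's uid/gid fields trimmed.

```python
import re

# Records copied from "Raw Audit Messages" in the report; SYSCALL uid/gid fields trimmed.
AUDIT_LINES = [
    'type=AVC msg=audit(1708859619.200:228): avc: denied { execheap } for pid=5946 comm="labview" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0',
    'type=SYSCALL msg=audit(1708859619.200:228): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=55b4000 a1=5000 a2=7 a3=55b7500 items=0 ppid=2661 pid=5946 comm=labview exe=/usr/local/natinst/LabVIEW-2017-64/labview',
]

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}  # Linux <sys/mman.h>
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"\{ ([^}]*)\}")


def parse(line):
    """Split one audit record into key=value fields plus event ID and AVC perms."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["event"] = EVENT.search(line).group(1)
    perms = PERMS.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec


def wx_requests(lines):
    """Pair AVC and SYSCALL records by event ID; report denied W+X mprotect calls."""
    events = {}
    for line in lines:
        if "msg=audit(" not in line:  # skip blank or unrelated lines
            continue
        rec = parse(line)
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        # Assumes interpreted records (syscall=mprotect), as pasted in the report.
        if not avc or not sc or sc.get("syscall") != "mprotect":
            continue
        prot = int(sc["a2"], 16)  # audit prints syscall arguments in hex
        if prot & 0x2 and prot & 0x4:
            findings.append({
                "event": event, "comm": avc["comm"], "denied": avc["perms"],
                "addr": hex(int(sc["a0"], 16)), "length": int(sc["a1"], 16),
                "prot": [name for bit, name in PROT.items() if prot & bit],
                "enforced": avc["permissive"] == "0",
            })
    return findings


if __name__ == "__main__":
    for finding in wx_requests(AUDIT_LINES):
        print(finding)
```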

Issue History

Date Modified Username Field Change
2024-02-25 11:16 Vinicius Pinho New Issue
2024-02-25 17:50 Louis Abel Assigned To => Louis Abel
2024-02-25 17:50 Louis Abel Status new => closed
2024-02-25 17:50 Louis Abel Resolution open => won't fix
2024-02-25 17:50 Louis Abel Note Added: 0006139