Jami triggers SELinux security alerts on default install of Alma Linux 9
- OS: Alma Linux 9.3 (new install)
- Jami version: 202401311741
When starting Jami from a terminal, the following message appears repeatedly in the logs:
mprotect failed in ExecutableAllocator::makeExecutable: Permission denied
gdb backtrace:
Thread 1 "jami" hit Breakpoint 1, __GI_perror (s=0x7ffff5e986f0 "mprotect failed in ExecutableAllocator::makeExecutable") at perror.c:48
48 {
(gdb) bt
#0 __GI_perror (s=0x7ffff5e986f0 "mprotect failed in ExecutableAllocator::makeExecutable") at perror.c:48
#1 0x00007ffff5b02214 in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)1>::compile() () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#2 0x00007ffff5ae94d1 in JSC::Yarr::jitCompile(JSC::Yarr::YarrPattern&, JSC::Yarr::YarrCharSize, JSC::VM*, JSC::Yarr::YarrCodeBlock&, JSC::Yarr::YarrJITCompileMode) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#3 0x00007ffff5c3b386 in QV4::Heap::RegExp::init(QV4::ExecutionEngine*, QString const&, unsigned int) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#4 0x00007ffff5c3bc19 in QV4::RegExp::create(QV4::ExecutionEngine*, QString const&, unsigned int) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#5 0x00007ffff5bd36b1 in QV4::ExecutableCompilationUnit::linkToEngine(QV4::ExecutionEngine*) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#6 0x00007ffff5d756c5 in QQmlObjectCreator::init(QQmlRefPointer) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#7 0x00007ffff5d75c0b in QQmlObjectCreator::QQmlObjectCreator(QQmlRefPointer, QQmlRefPointer<QV4::ExecutableCompilationUnit> const&, QQmlObjectCreatorSharedState*, bool) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#8 0x00007ffff5d7d5bc in QQmlObjectCreator::createInstance(int, QObject*, bool) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#9 0x00007ffff5d7f419 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#10 0x00007ffff5d8120e in QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#11 0x00007ffff5d7aedc in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#12 0x00007ffff5d7cb68 in QQmlObjectCreator::createInstance(int, QObject*, bool) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#13 0x00007ffff5d7e493 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*, int) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#14 0x00007ffff5ce6d41 in QQmlComponentPrivate::beginCreate(QQmlRefPointer) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#15 0x00007ffff5ce7309 in QQmlComponent::beginCreate(QQmlContext*) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#16 0x00007ffff5ce81e9 in QQmlComponentPrivate::createWithProperties(QObject*, QMap<QString, QVariant> const&, QQmlContext*, QQmlComponentPrivate::CreateBehavior) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#17 0x00007ffff5ce84c9 in QQmlComponent::create(QQmlContext*) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#18 0x00007ffff5cc6263 in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#19 0x00007ffff5cc67bc in QQmlApplicationEngine::load(QUrl const&) () from /usr/lib64/qt-jami/lib/libQt6Qml.so.6
#20 0x00000000004c1dea in MainApplication::initQmlLayer() ()
#21 0x00000000004c5e0f in MainApplication::init() ()
#22 0x0000000000477dca in main ()
Moreover, the user sees SELinux security alerts pop up ("AVC denial, click icon to view"). The details are as follows:
SELinux is preventing /usr/bin/jami from execmod access on the file /memfd:JITCode:QtQml (deleted).
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow selinuxuser to execmod
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.
Do
setsebool -P selinuxuser_execmod 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that jami should be allowed execmod access on the memfd:JITCode:QtQml (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'jami' --raw | audit2allow -M my-jami
# semodule -X 300 -i my-jami.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_tmp_t:s0
Target Objects /memfd:JITCode:QtQml (deleted) [ file ]
Source jami
Source Path /usr/bin/jami
Port <Unknown>
Host localhost.localdomain
Source RPM Packages jami-20240131.0-1.el9.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.23-1.el9_3.1.noarch
Local Policy RPM selinux-policy-targeted-38.1.23-1.el9_3.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 5.14.0-362.18.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Jan 29 07:05:48 EST 2024 x86_64 x86_64
Alert Count 1132
First Seen 2024-01-31 15:13:33 EST
Last Seen 2024-01-31 15:27:06 EST
Local ID 215aa501-d883-4734-9f3b-d0468ee9cf60
Raw Audit Messages
type=AVC msg=audit(1706732826.100:1457): avc: denied { execmod } for pid=36261 comm="jami" path=2F6D656D66643A4A4954436F64653A5174516D6C202864656C6574656429 dev="tmpfs" ino=4210 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1706732826.100:1457): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7fc5982f4000 a1=ac0 a2=5 a3=1 items=0 ppid=3768 pid=36261 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm=jami exe=/usr/bin/jami subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash: jami,unconfined_t,user_tmp_t,file,execmod
Other Qt applications have had similar issues in the past, see for example: https://bugs.kde.org/show_bug.cgi?id=459490
As far as I can tell there's not much we can do about this (short of writing a patch for Qt), but at least it's possible for users to disable the alerts (e.g. by running setsebool -P selinuxuser_execmod 1, as mentioned in the SELinux logs above).
Edited by François-Simon Fauteux-Chapleau
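The raw audit messages above contain everything sealert summarises, but two fields are not readable as logged: the path is hex-encoded (audit does that for any value containing a space, a quote or a control character, and "/memfd:JITCode:QtQml (deleted)" has a space), and the mprotect arguments are bare hex. The script below is an added example, not part of this report or of Jami/Qt code: it pairs the AVC record with its SYSCALL record by the audit serial, decodes the path, and expands a1/a2 so the denial reads as "execmod on a user_tmp_t file, requested by mprotect(..., 2752 bytes, PROT_READ|PROT_EXEC)". The two sample records are constructed from the values quoted in the report; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Jami bug report or of Jami/Qt code.
# Decodes an SELinux AVC record and its paired SYSCALL record so the
# denial can be read without sealert: which permission on which object
# type, and what the failing mprotect() actually asked for.
# The two records below are CONSTRUCTED for this example from the values
# quoted in the report; in practice feed it `ausearch -m AVC,SYSCALL --raw`.

AVC_LINE='type=AVC msg=audit(1706732826.100:1457): avc: denied { execmod } for pid=36261 comm="jami" path=2F6D656D66643A4A4954436F64653A5174516D6C202864656C6574656429 dev="tmpfs" ino=4210 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'
SYSCALL_LINE='type=SYSCALL msg=audit(1706732826.100:1457): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7fc5982f4000 a1=ac0 a2=5 a3=1 items=0 ppid=3768 pid=36261 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm=jami exe=/usr/bin/jami subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)'

# raw_field KEY LINE: value of " KEY=..." exactly as logged (quotes kept).
raw_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# avc_field KEY LINE: same, with audit's double quotes stripped.
avc_field() {
    raw_field "$1" "$2" | tr -d '"'
}

# audit_serial LINE: the "timestamp:serial" inside msg=audit(...). All
# records of one event share it; that is how AVC and SYSCALL are paired.
audit_serial() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p'
}

# hex_to_str HEX: decode an audit hex-encoded field. Goes through octal
# escapes because POSIX printf understands \ooo but not \xHH.
hex_to_str() {
    hex=$1 out=''
    while [ ${#hex} -ge 2 ]; do
        pair=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}
        oct=$(printf '%03o' "$((0x$pair))")
        out="$out$(printf "\\$oct")"
    done
    printf '%s' "$out"
}

# decode_path LINE: plain quoted paths come back as-is, hex ones decoded.
decode_path() {
    raw=$(raw_field path "$1")
    case $raw in
        \"*) printf '%s' "$raw" | tr -d '"' ;;
        *)   hex_to_str "$raw" ;;
    esac
}

# type_of CONTEXT: the type field of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# prot_flags HEX: mprotect() prot argument (a2) as PROT_* names.
prot_flags() {
    p=$((0x$1)) f=''
    [ $((p & 1)) -ne 0 ] && f="${f}PROT_READ|"
    [ $((p & 2)) -ne 0 ] && f="${f}PROT_WRITE|"
    [ $((p & 4)) -ne 0 ] && f="${f}PROT_EXEC|"
    printf '%s' "${f%|}"
}

# explain_event AVC_LINE SYSCALL_LINE: one human-readable line per denial.
explain_event() {
    if [ "$(audit_serial "$1")" != "$(audit_serial "$2")" ]; then
        printf 'records belong to different audit events\n' >&2
        return 1
    fi
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*[^ }]\) *}.*/\1/p')
    printf '%s (%s): %s on %s %s [%s] -> %s(%s, %s bytes, %s) = %s\n' \
        "$(avc_field comm "$1")" "$(type_of "$(avc_field scontext "$1")")" \
        "$perm" "$(avc_field tclass "$1")" "$(decode_path "$1")" \
        "$(type_of "$(avc_field tcontext "$1")")" \
        "$(avc_field syscall "$2")" "$(avc_field a0 "$2")" \
        "$((0x$(avc_field a1 "$2")))" "$(prot_flags "$(avc_field a2 "$2")")" \
        "$(avc_field exit "$2")"
}

explain_event "$AVC_LINE" "$SYSCALL_LINE"
```

Reading the decoded line is what tells you which of sealert's two suggestions you are actually taking. The source domain is unconfined_t, so both the selinuxuser_execmod boolean and an audit2allow module built from this denial grant execmod on user_tmp_t files to every process in that domain, i.e. the whole desktop session, not just jami; neither option can be scoped to one binary without its own domain.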