SUMMARY

```
$ flatpak run org.kde.krita
Qt: Session management error: None of the authentication protocols specified are supported
Qt: Session management error: None of the authentication protocols specified are supported
Qt: Session management error: None of the authentication protocols specified are supported
Gtk-Message: 10:38:18.107: Failed to load module "canberra-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "pk-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "canberra-gtk-module"
Gtk-Message: 10:38:18.107: Failed to load module "pk-gtk-module"
Qt: Session management error: None of the authentication protocols specified are supported
QObject::startTimer: Timers cannot have negative intervals
/app/lib/krita-python-libs/krita added to PYTHONPATH
mprotect failed in ExecutableAllocator::makeExecutable: Permission denied
*** stack smashing detected ***: terminated
```

The execmod permission is:

```
execmod
    Make executable a file mapping that has been modified by copy-on-write. (Text relocation)
```

SELinux info:

```
SELinux is preventing /app/bin/krita from execmod access on the file /memfd:JITCode:/app/lib/libQt5Qml.so.5 (deleted).

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow selinuxuser to execmod
Then you must tell SELinux about this by enabling the 'selinuxuser_execmod' boolean.

Do
setsebool -P selinuxuser_execmod 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that krita should be allowed execmod access on the libQt5Qml.so.5 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'krita' --raw | audit2allow -M my-krita
# semodule -X 300 -i my-krita.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /memfd:JITCode:/app/lib/libQt5Qml.so.5 (deleted) [ file ]
Source                        krita
Source Path                   /app/bin/krita
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 5.14.0-165.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 17 14:08:33 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-09-21 10:35:57 UTC
Last Seen                     2022-09-21 10:35:57 UTC
Local ID                      b05c62de-18d6-4526-99b3-dc83fc8c1748

Raw Audit Messages
type=AVC msg=audit(1663756557.214:170): avc: denied { execmod } for pid=4216 comm="krita" path=2F6D656D66643A4A4954436F64653A2F6170702F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 dev="tmpfs" ino=14421 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1663756557.214:170): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f5f6c1dd000 a1=ae a2=5 a3=2 items=0 ppid=4215 pid=4216 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm=krita exe=/app/bin/krita subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: krita,unconfined_t,user_tmp_t,file,execmod
```

I will try to provide a stack-trace later.

STEPS TO REPRODUCE
1. Install Krita from Flathub on CentOS Stream 9 (can be reproduced in a VM)
2. Start Krita

OBSERVED RESULT
Crash

EXPECTED RESULT
No crash

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: CentOS Stream 9
KDE Plasma Version: N/A, happens in GNOME too
KDE Frameworks Version: From Flatpak
Qt Version: From Flatpak

ADDITIONAL INFORMATION
See original report in https://github.com/flathub/org.kde.krita/issues/66
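For triaging the denial in the report above, the following added example (not part of the original report, nor Krita or Qt code) pairs the raw AVC and SYSCALL records of one audit event and decodes the hex-encoded `path` and the `mprotect` arguments. The function names are illustrative, and the two records are shortened to the fields the code reads.

```python
import re

# Raw audit records from the report (shortened to the fields used here).
RECORDS = [
    'type=AVC msg=audit(1663756557.214:170): avc: denied { execmod } for pid=4216 '
    'comm="krita" '
    'path=2F6D656D66643A4A4954436F64653A2F6170702F6C69622F6C6962517435516D6C2E736F2E35202864656C6574656429 '
    'dev="tmpfs" ino=14421 tcontext=unconfined_u:object_r:user_tmp_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(1663756557.214:170): arch=x86_64 syscall=mprotect '
    'success=no exit=EACCES a0=7f5f6c1dd000 a1=ae a2=5 a3=2 pid=4216 comm=krita',
]

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_string(value):
    # auditd quotes safe strings and hex-encodes those with spaces or odd bytes.
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse(record):
    fields = dict(FIELD.findall(record))
    fields["event"] = re.search(r'audit\([\d.]+:(\d+)\)', record).group(1)
    perms = re.search(r'\{ ([^}]*) \}', record)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def explain_execmod(records):
    # Records sharing a serial belong to one event: pair each AVC with its SYSCALL.
    events = {}
    for rec in map(parse, records):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for serial, ev in events.items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if not avc or not sc or "execmod" not in avc["perms"]:
            continue
        prot = int(sc["a2"], 16)  # third mprotect argument, logged in hex
        findings.append({
            "event": serial, "comm": decode_string(avc["comm"]),
            "path": decode_string(avc["path"]), "syscall": sc["syscall"],
            "length": int(sc["a1"], 16), "enforced": avc["permissive"] == "0",
            "prot": [name for bit, name in PROT.items() if prot & bit],
        })
    return findings
```

On the report's records this yields the memfd-backed `JITCode` mapping as the target and a request for `PROT_READ|PROT_EXEC` over 174 bytes, which matches the `mprotect failed in ExecutableAllocator::makeExecutable` line in the terminal output.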
Might be related to https://bugzilla.redhat.com/show_bug.cgi?id=1686675. Might be related to the fact that Krita in Flathub uses an old Qt version.
Honestly, I have no idea what all of this means... The Flathub report says this should be reported to us, but what are we supposed to do?
As shown in the official Qt bug report (https://bugreports.qt.io/browse/QTBUG-58508), this should have been fixed on the Qt side in 5.11. We're definitely not doing anything except using Qt QML ourselves. I don't know if this should be marked as RESOLVED UPSTREAM, since the Flathub package clearly isn't of our own authorship. Halla?
Yeah, I'm not sure either... Upstream (if it's an issue in Qt) or downstream (if it's an issue in flatpak, but the flatpak people told Timothée to report here). But I don't see what _we_ can do about this...
One of the commenters mentioned on the issue it also occurred for them using the AppImage on AlmaLinux 9 https://github.com/flathub/org.kde.krita/issues/66#issuecomment-1252893268
Does AlmaLinux also have SELinux enabled by default?
Hm, a better question is: if you run Krita under SELinux with Qt 5.15, does it show the issue?
(In reply to amyspark from comment #6)
> Does AlmaLinux also have SELinux enabled by default?

Yes, I spun up AlmaLinux 9 on a VM and can repro the issue mentioned there using the AppImage. I can also verify SELinux is enabled out of the box. I'm not sure if the policies shipped by AlmaLinux and CentOS differ from the Fedora ones, as Fedora works fine.

```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
```

> Hm, a better question is: if you run Krita under SELinux with Qt 5.15, does it show the issue?

Is there an AppImage of Krita using Qt 5.15 for testing? The distro repos don't seem to include Krita.
There's no 5.15 AppImage, as it's a Qt version we don't support officially.

But I think I found the reason for this issue: Qt truly fixed their JIT much later:
https://codereview.qt-project.org/c/qt/qtdeclarative/+/329522

Unfortunately it's a mix of three different Qt branches, which makes it a royal mess to cherry-pick safely.
I've got the branch ready, will try to build it tomorrow. Sending the draft MR just in case.
A possibly relevant merge request was started @ https://invent.kde.org/graphics/krita/-/merge_requests/1592
Okay, so someone needs to build and test this; I don't think any Krita developer that uses Linux uses SELinux.
I'm the one that asked for it to be reported here, as Krita is not using the same version of Qt as everyone else, so we cannot just update it without your input. Thanks for the investigation.
I attempted a build with the patches from the MR, getting this error currently.

```
jsruntime/qv4function.cpp:49:10: fatal error: private/qv4functiontable_p.h: No such file or directory
   49 | #include <private/qv4functiontable_p.h>
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:11117: .obj/qv4function.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/run/build/qtdeclarative/src/qml'
make[1]: *** [Makefile:56: sub-qml-make_first-ordered] Error 2
make[1]: Leaving directory '/run/build/qtdeclarative/src'
make: *** [Makefile:50: sub-src-make_first] Error 2
FB: host_command_exited_cb 656805 512
```
(In reply to Long Vu from comment #14)
> I attempted a build with the patches from the MR, getting this error
> currently.
>
> jsruntime/qv4function.cpp:49:10: fatal error: private/qv4functiontable_p.h:
> No such file or directory
>    49 | #include <private/qv4functiontable_p.h>
>       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> compilation terminated.
> make[2]: *** [Makefile:11117: .obj/qv4function.o] Error 1
> make[2]: *** Waiting for unfinished jobs....
> make[2]: Leaving directory '/run/build/qtdeclarative/src/qml'
> make[1]: *** [Makefile:56: sub-qml-make_first-ordered] Error 2
> make[1]: Leaving directory '/run/build/qtdeclarative/src'
> make: *** [Makefile:50: sub-src-make_first] Error 2
> FB: host_command_exited_cb 656805 512

I updated the patches, didn't know Qt shipped pregenerated headers too. Please try again and let me know how it goes?
Git commit 6f95172f6146c696d60a0af94b00d817e4c69117 by L. E. Segovia.
Committed on 23/09/2022 at 13:14.
Pushed by lsegovia into branch 'master'.

3rdparty: don't let Qt enable JIT under hardened SELinux policies

Although the official bug report [1] said it was fixed in 5.11, in
reality it was only fixed in 6.1 (with a 5.15 backport) [2].

[1]: https://bugreports.qt.io/browse/QTBUG-58508
[2]: https://codereview.qt-project.org/c/qt/qtdeclarative/+/329522

(cherry picked from commit fca57a28c902218fb5b950d655bc0c473e0b2bce)

A +1045 -0 3rdparty/ext_qt/0134-V4-Generate-function-tables-on-64bit-windows.patch
A +46 -0 3rdparty/ext_qt/0135-Use-lowercase-name-for-window-header.patch
A +203 -0 3rdparty/ext_qt/0136-JIT-When-making-memory-writable-include-the-exceptio.patch
A +480 -0 3rdparty/ext_qt/0137-masm-Add-error-handling-for-failed-mprotect.patch
A +39 -0 3rdparty/ext_qt/0138-Fix-Clang-10-warning-about-converting-ULLONG_MAX-to-.patch
A +128 -0 3rdparty/ext_qt/0139-Fix-Wdeprecated-copy-warnings.patch
M +6 -0 3rdparty/ext_qt/CMakeLists.txt

https://invent.kde.org/graphics/krita/commit/6f95172f6146c696d60a0af94b00d817e4c69117
Git commit 0ae8ecb44487a3aaa27a7dea30eb67fe65e076af by L. E. Segovia.
Committed on 23/09/2022 at 13:16.
Pushed by lsegovia into branch 'krita/5.1'.

3rdparty: don't let Qt enable JIT under hardened SELinux policies

Although the official bug report [1] said it was fixed in 5.11, in
reality it was only fixed in 6.1 (with a 5.15 backport) [2].

[1]: https://bugreports.qt.io/browse/QTBUG-58508
[2]: https://codereview.qt-project.org/c/qt/qtdeclarative/+/329522

(cherry picked from commit fca57a28c902218fb5b950d655bc0c473e0b2bce)
(cherry picked from commit 6f95172f6146c696d60a0af94b00d817e4c69117)

A +1045 -0 3rdparty/ext_qt/0134-V4-Generate-function-tables-on-64bit-windows.patch
A +46 -0 3rdparty/ext_qt/0135-Use-lowercase-name-for-window-header.patch
A +203 -0 3rdparty/ext_qt/0136-JIT-When-making-memory-writable-include-the-exceptio.patch
A +480 -0 3rdparty/ext_qt/0137-masm-Add-error-handling-for-failed-mprotect.patch
A +39 -0 3rdparty/ext_qt/0138-Fix-Clang-10-warning-about-converting-ULLONG_MAX-to-.patch
A +128 -0 3rdparty/ext_qt/0139-Fix-Wdeprecated-copy-warnings.patch
M +6 -0 3rdparty/ext_qt/CMakeLists.txt

https://invent.kde.org/graphics/krita/commit/0ae8ecb44487a3aaa27a7dea30eb67fe65e076af