Bug 1047947

Summary: execmem/execstack AVCs with new kernels
Product: [Fedora] Fedora
Reporter: Tom London <selinux>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: codonell, dwalsh, eparis, gansalmon, itamar, jakub, jonathan, kernel-maint, law, madhu.chinakonda, nalin, nathaniel, pfrankli, pmoore, spoyarek
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-01-02 18:25:24 UTC

Attachments:
  AVC spew from journal (flags: none)

Description Tom London 2014-01-02 16:45:11 UTC
Created attachment 844619: AVC spew from journal

Description of problem:
Recent Rawhide kernels are producing AVCs for key system components for execmem/execstack. Has there been a change in how the kernel is handling this...?

Attaching spew from journal.

For example:


#============= abrt_t ==============
allow abrt_t self:process { execstack execmem };

#============= auditd_t ==============
allow auditd_t self:process { execstack execmem };

#============= cupsd_t ==============
allow cupsd_t self:process { execstack execmem };

#============= devicekit_power_t ==============
allow devicekit_power_t self:process { execstack execmem };

#============= rpcbind_t ==============
allow rpcbind_t self:process { execstack execmem };

#============= sshd_t ==============
allow sshd_t self:process { execstack execmem };

#============= telepathy_msn_t ==============
allow telepathy_msn_t self:process { execstack execmem };

Version-Release number of selected component (if applicable):


How reproducible:
Every boot

Steps to Reproduce:
1. boot
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2014-01-02 16:58:56 UTC
Not sure if this is a kernel issue or a glibc/gcc issue.  Lots of domains in Rawhide now need execmem and execstack to be allowed to run.

Comment 2 Daniel Walsh 2014-01-02 17:26:59 UTC
Could be caused by kerberos libraries?

# find /usr/lib64 -name libk5\* -exec execstack {} \;
X /usr/lib64/libk5crypto.so.3
X /usr/lib64/libk5crypto.so.3.1
X /usr/lib64/libk5crypto.so

Comment 3 Carlos O'Donell 2014-01-02 18:20:51 UTC
On the glibc side we haven't purposely changed anything that should impact execmem/execstack.

Comment 4 Nalin Dahyabhai 2014-01-02 18:24:09 UTC
krb5-1.12-6.fc21 added a buildrequires on the relevant arches which enabled use of assembly to get AES-NI support.  I'm untagging it now.
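The check in comment 2 (execstack printing "X" for libk5crypto) and the cause in comment 4 (an assembly file pulled in for AES-NI) meet in one ELF program header, PT_GNU_STACK: ld sets its PF_X flag on the output whenever any input object lacks a .note.GNU-stack section, which hand-written .S files do not get automatically, and the dynamic loader then makes the stack of every process that maps the library executable, which is what the execstack/execmem AVCs above are complaining about. The script below is added here as an illustration and is not part of the bug report, of krb5 or of Fedora. It reads that header directly and reports the same X/-/? status as execstack, so the check can be run on a box where prelink's execstack binary is not installed; the /usr/lib64 directory and libk5* glob in main mirror comment 2, and the ELF images built by constructed_elf64 are constructed solely for the self-check.

```python
"""Report which ELF shared objects are marked as needing an executable stack.

Added example (not code from the bug report, krb5, or Fedora).  It reproduces
the one bit `execstack` prints ("X", "-" or "?") by reading the PT_GNU_STACK
program header directly.  The ELF images used for the self-check at the
bottom are constructed in memory.
"""
import struct
import sys
from pathlib import Path

PT_GNU_STACK = 0x6474E551  # p_type of the GNU_STACK program header
PF_X = 0x1                 # p_flags bit: segment is executable


def stack_status(data: bytes) -> str:
    """Return 'X' (executable stack required), '-' (not required) or '?'.

    'X' is what ld produces when any input object lacks a .note.GNU-stack
    section (the libk5crypto case).  '?' means the image carries no
    PT_GNU_STACK header at all; glibc's loader treats that like 'X' on x86.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"            # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                              # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt = end + "IIQQQQQQ"                # p_type, p_flags, p_offset, ...
        flags_idx = 1
    elif ei_class == 1:                            # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt = end + "IIIIIIII"                # p_type, p_offset, ..., p_flags, p_align
        flags_idx = 6
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return "X" if phdr[flags_idx] & PF_X else "-"
    return "?"


def scan(paths):
    """Map each readable ELF file to its stack status; skip everything else."""
    result = {}
    for p in paths:
        try:
            result[str(p)] = stack_status(Path(p).read_bytes())
        except (OSError, ValueError):
            continue
    return result


def constructed_elf64(stack_flags):
    """Constructed little-endian ELF64 image with one PT_LOAD and, unless
    stack_flags is None, one PT_GNU_STACK header carrying those flags."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)]  # PT_LOAD, r-x
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                                 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0,          # ET_DYN, EM_X86_64, EV_CURRENT, e_entry
                               64, 0, 0,             # e_phoff (right after header), e_shoff, e_flags
                               64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                               64, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # Self-check on constructed images: RW- is clean, RWX is the libk5crypto case.
    assert stack_status(constructed_elf64(0x6)) == "-"
    assert stack_status(constructed_elf64(0x7)) == "X"
    assert stack_status(constructed_elf64(None)) == "?"
    # Then the same check as comment 2, over a real library directory.
    libdir = Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64")
    for path, status in sorted(scan(libdir.glob("libk5*")).items()):
        print(status, path)
```

Anything the script lists as "X" or "?" drags an executable stack into every process that links or dlopens it, so a single such library in a widely used dependency chain shows up as AVCs across many unrelated domains, as in the report. The fix belongs in the library's build (a .note.GNU-stack section in the assembly sources, or `-Wl,-z,noexecstack` once no input actually needs it), not in policy.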

Comment 5 Nalin Dahyabhai 2014-01-02 18:25:24 UTC

*** This bug has been marked as a duplicate of bug 1045699 ***