Bug 147749

Summary: enable execmod/execmem by default
Product: [Fedora] Fedora Reporter: Paul Nasrat <nobody+pnasrat>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: aking, djuran, dwalsh, oliva, sundaram, walters
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.21.13-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-04 23:34:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Nasrat 2005-02-10 22:22:29 UTC 
Description of problem:

terminate called after throwing an instance of 'std::bad_alloc'
  what():  St9bad_alloc
/usr/lib/openoffice.org1.9.75/program/soffice.bin: error while loading shared
libraries: /usr/lib/openoffice.org1.9.75/program/libicudata.so.26: cannot
restore segment prot after reloc: Permission denied


Version-Release number of selected component (if applicable):

1.1.3-5.7.0 and 1.9.73-2 1.9.75-2


How reproducible:

Always

glibc-2.3.4-7
kernel 2.6.10-1.1134_FC4

Steps to Reproduce:
1. Update to latest rawhide
2. oowriter or oowriter2

  
Actual results:

Fails

Expected results:

Works


Additional info:

type=KERNEL msg=audit(1108073842.013:279577): avc:  denied  { execmod } for 
pid=3141 comm=soffice.bin
path=/usr/lib/openoffice.org1.9.75/program/libicudata.so.26.0 dev=hda2
ino=2427125 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=filele

setenforce 0 works around

contexts seem ok rpm -V openoffice.org2-core

selinux-policy-targeted-1.21.11-3
Comment 1 Colin Walters 2005-02-11 15:32:47 UTC 
This is a bug in the selinux-policy-targeted package; this permission should
have been enabled by default.

However - it is desirable to if possible eliminate the requirement for writable
and executable memory areas.  This is likely fixable in libicudata.  I'll clone
a new bug on this issue.
Comment 2 Alexandre Oliva 2005-02-12 14:10:53 UTC 
I have this one executable (gtimer) that, when started as
/usr/bin/gtimer, fails with:
gtimer: error while loading shared libraries: /lib/ld-linux.so.2:
cannot apply additional memory protection after relocation: Permission
denied

even with both execmod and execmem set to true.  However, if I start
it as /lib/ld-linux.so.2 /usr/bin/gtimer, it works.  ?!?

Oddly, the only system call that fails is:

mprotect(0x5556e000, 4096, PROT_READ)   = -1 EACCES (Permission denied)

See, it's not attempting to grant exec permission on anything, it's
actually taking out write permission from a page that contained data
that needed relocation, but that is read-only (relro in binutilspeak).  

type=KERNEL msg=audit(1108217207.401:4003324): avc:  denied  { execmod
} for  pid=5249 comm=gtimer path=/lib/ld-2.3.4.so dev=dm-2 ino=753730
scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:ld_so_t tclass=file
type=KERNEL msg=audit(1108217207.401:4003324): syscall=125 per=400000
exit=-13 a0=5556f300 a1=5556f300 a2=1 a3=0 items=0 pid=5249
loginuid=-1 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404
sgid=404 fsgid=404

It appears to me that execmod/execmem are a bit too strict, since
they're denying not only the addition of exec permission, but also at
removal of other permissions.
Comment 3 Alexandre Oliva 2005-02-12 14:25:43 UTC 
So, it looks like this older program of mine is qualified as a
`legacy' binary per the policy, because it has no GNU stack header. 
Still, it's a bit odd that I can run it fine using the ld.so wrapper,
but not the program by itself.  Unfortunately, rebuilding this program
on a recent system is not much of an option.  Any ideas of how to get
it to work without resorting to wrappers?
Comment 4 Daniel Walsh 2005-02-14 14:44:26 UTC 
The execmod for ld_so_t should be back in unconfined_t in the latest
policy selinux-policy-targeted-1.21.12-2
Comment 5 Deji 2005-02-14 22:57:42 UTC 
With selinux-policy-targeted-1.21.12-2, i'm still experiencing this
problem. However it seems to be happening only to 3rd party apps.
Eg:
[deji@rhema2 ~]$ mplayer
mplayer: error while loading shared libraries:
/usr/lib/libSDL-1.2.so.0: cannot restore segment prot after reloc:
Permission denied

[deji@rhema2 mars1d-w]$ make main
ifort -c main.f
/opt/intel/bin/ifort: error while loading shared libraries:
/lib/tls/libc.so.6: cannot apply additional memory protection after
relocation: Permission denied
make: *** [main.o] Error 127

Also nomachine's NX's client failed with the 'cannot restore segment
prot after reloc: Permission denied' error message.

All the above works fine after issuing 'setenforce 0'.
Comment 6 Daniel Walsh 2005-02-15 14:05:58 UTC 
restorecon /usr/lib/libSDL* should fix that one.

What avc messages are you seeing on the tls?

Dan
Comment 7 Deji 2005-02-15 15:26:06 UTC 
(In reply to comment #6)

> What avc messages are you seeing on the tls?
> 
Feb 14 18:02:58 rhema2 dbus: avc:  received setenforce notice (enforcing=0) 
Feb 14 18:02:58 rhema2 dbus: avc:  received setenforce notice (enforcing=0) 
Feb 14 18:03:08 rhema2 kernel: audit(1108422188.698:0): avc:  denied  { execmod
} for  pid=3273 comm=ifortbin path=/lib/tls/libc-2.3.4.so dev=hda6 ino=1778917
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Feb 14 18:03:08 rhema2 kernel: audit(1108422188.699:0): avc:  denied  { execmod
} for  pid=3273 comm=ifortbin path=/lib/ld-2.3.4.so dev=hda6 ino=1778895
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file

Deji
Comment 8 Daniel Walsh 2005-02-15 15:33:24 UTC 
setsebool -P allow_execmod=1 allow_execmem=1

Should eliminate this.
Comment 9 Alexandre Oliva 2005-02-15 19:58:59 UTC 
The legacy binary works fine with today's (and yesterday's) rawhide,
with the setsebool settings above.  Thanks,
Comment 10 Colin Walters 2005-02-16 15:03:58 UTC 
Dan, I thought we agreed these booleans were going to be on by default?  This is
just a temporary workaround until a new policy is uploaded, right?
Comment 11 Colin Walters 2005-02-16 15:20:16 UTC 
Actually though, perhaps it would be be best to change this to an auditallow in
rawhide for a while, so that we can still gather a list of problematic libraries
and programs while allowing them to continue to work?
Comment 12 Daniel Walsh 2005-02-17 14:58:32 UTC 
The allow_execmod/execmem is defaulted to true for unconfined_t for a while now.
Comment 13 Deji 2005-02-18 01:03:10 UTC 
selinux-policy-targeted-1.21.13-1 works for me without any need to apply the
setsebool settings.
Thanks.