Bug 147749
Summary: | enable execmod/execmem by default | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Paul Nasrat <nobody+pnasrat> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | aking, djuran, dwalsh, oliva, sundaram, walters |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 1.21.13-1 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2005-09-04 23:34:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Paul Nasrat
2005-02-10 22:22:29 UTC
This is a bug in the selinux-policy-targeted package; this permission should have been enabled by default. However - it is desirable to if possible eliminate the requirement for writable and executable memory areas. This is likely fixable in libicudata. I'll clone a new bug on this issue. I have this one executable (gtimer) that, when started as /usr/bin/gtimer, fails with: gtimer: error while loading shared libraries: /lib/ld-linux.so.2: cannot apply additional memory protection after relocation: Permission denied even with both execmod and execmem set to true. However, if I start it as /lib/ld-linux.so.2 /usr/bin/gtimer, it works. ?!? Oddly, the only system call that fails is: mprotect(0x5556e000, 4096, PROT_READ) = -1 EACCES (Permission denied) See, it's not attempting to grant exec permission on anything, it's actually taking out write permission from a page that contained data that needed relocation, but that is read-only (relro in binutilspeak). type=KERNEL msg=audit(1108217207.401:4003324): avc: denied { execmod } for pid=5249 comm=gtimer path=/lib/ld-2.3.4.so dev=dm-2 ino=753730 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file type=KERNEL msg=audit(1108217207.401:4003324): syscall=125 per=400000 exit=-13 a0=5556f300 a1=5556f300 a2=1 a3=0 items=0 pid=5249 loginuid=-1 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404 sgid=404 fsgid=404 It appears to me that execmod/execmem are a bit too strict, since they're denying not only the addition of exec permission, but also at removal of other permissions. So, it looks like this older program of mine is qualified as a `legacy' binary per the policy, because it has no GNU stack header. Still, it's a bit odd that I can run it fine using the ld.so wrapper, but not the program by itself. Unfortunately, rebuilding this program on a recent system is not much of an option. Any ideas of how to get it to work without resorting to wrappers? The execmod for ld_so_t should be back in unconfined_t in the latest policy selinux-policy-targeted-1.21.12-2 With selinux-policy-targeted-1.21.12-2, i'm still experiencing this problem. However it seems to be happening only to 3rd party apps. Eg: [deji@rhema2 ~]$ mplayer mplayer: error while loading shared libraries: /usr/lib/libSDL-1.2.so.0: cannot restore segment prot after reloc: Permission denied [deji@rhema2 mars1d-w]$ make main ifort -c main.f /opt/intel/bin/ifort: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied make: *** [main.o] Error 127 Also nomachine's NX's client failed with the 'cannot restore segment prot after reloc: Permission denied' error message. All the above works fine after issuing 'setenforce 0'. restorecon /usr/lib/libSDL* should fix that one. What avc messages are you seeing on the tls? Dan (In reply to comment #6) > What avc messages are you seeing on the tls? > Feb 14 18:02:58 rhema2 dbus: avc: received setenforce notice (enforcing=0) Feb 14 18:02:58 rhema2 dbus: avc: received setenforce notice (enforcing=0) Feb 14 18:03:08 rhema2 kernel: audit(1108422188.698:0): avc: denied { execmod } for pid=3273 comm=ifortbin path=/lib/tls/libc-2.3.4.so dev=hda6 ino=1778917 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file Feb 14 18:03:08 rhema2 kernel: audit(1108422188.699:0): avc: denied { execmod } for pid=3273 comm=ifortbin path=/lib/ld-2.3.4.so dev=hda6 ino=1778895 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file Deji setsebool -P allow_execmod=1 allow_execmem=1 Should eliminate this. The legacy binary works fine with today's (and yesterday's) rawhide, with the setsebool settings above. Thanks, Dan, I thought we agreed these booleans were going to be on by default? This is just a temporary workaround until a new policy is uploaded, right? Actually though, perhaps it would be be best to change this to an auditallow in rawhide for a while, so that we can still gather a list of problematic libraries and programs while allowing them to continue to work? The allow_execmod/execmem is defaulted to true for unconfined_t for a while now. selinux-policy-targeted-1.21.13-1 works for me without any need to apply the setsebool settings. Thanks. |