Bug 1613056

Summary:	BUG: SELinux does not skip mmap/PROT_EXEC checks for internal files when invoking shmat(2)
Product:	Red Hat Enterprise Linux 7	Reporter:	Paul Moore <pmoore>
Component:	kernel	Assignee:	Ondrej Mosnacek <omosnace>
kernel sub component:	SELinux	QA Contact:	Milos Malik <mmalik>
Status:	CLOSED ERRATA	Docs Contact:
Severity:	high
Priority:	high	CC:	kernel-qe, mmalik, mthacker, plautrba, wgomerin
Version:	7.6	Keywords:	AutoVerified, Regression
Target Milestone:	rc
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	kernel-3.10.0-972.el7	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:	1600850	Environment:
Last Closed:	2019-08-06 12:08:16 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1600850
Bug Blocks:	1622032

Description Paul Moore 2018-08-06 21:44:41 UTC

+++ This bug was initially created as a clone of Bug #1600850 +++

Description of problem:
Test Summary Report
-------------------
shm/test                  (Wstat: 0 Tests: 16 Failed: 1)
  Failed test:  15
mmap/test                 (Wstat: 0 Tests: 47 Failed: 1)
  Failed test:  46
extended_socket_class/test (Wstat: 0 Tests: 16 Failed: 15)
  Failed tests:  1-3, 5-16
Files=48, Tests=512, 73 wallclock secs ( 0.21 usr  0.04 sys +  1.07 cusr  2.08 csys =  3.40 CPU)
Result: FAIL
Failed 3/48 test programs. 17/512 subtests failed.

Version-Release number of selected component (if applicable):
kernel-3.10.0-919.el7.x86_64
kernel-devel-3.10.0-919.el7.x86_64
kernel-headers-3.10.0-919.el7.x86_64
kernel-tools-3.10.0-919.el7.x86_64
kernel-tools-libs-3.10.0-919.el7.x86_64
selinux-policy-3.13.1-207.el7.noarch
selinux-policy-devel-3.13.1-207.el7.noarch
selinux-policy-doc-3.13.1-207.el7.noarch
selinux-policy-minimum-3.13.1-207.el7.noarch
selinux-policy-mls-3.13.1-207.el7.noarch
selinux-policy-sandbox-3.13.1-207.el7.noarch
selinux-policy-targeted-3.13.1-207.el7.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-7.6 (targeted policy is active)
2. git clone git://github.com/SELinuxProject/selinux-testsuite
3. run the test suite

Actual results:
 * the selinux-testsuite fails

Expected results:
 * the selinux-testsuite passes

--- Additional comment from Milos Malik on 2018-07-13 04:03:30 EDT ---

Compiling targeted test_policy module
/usr/bin/checkmodule:  loading policy configuration from tmp/test_policy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 19) to tmp/test_policy.mod
Creating targeted test_policy.pp policy package
Running as user root with context unconfined_u:unconfined_r:unconfined_t

domain_trans/test ........... ok   
entrypoint/test ............. ok   
execshare/test .............. ok   
exectrace/test .............. ok   
execute_no_trans/test ....... ok   
fdreceive/test .............. ok   
inherit/test ................ ok   
link/test ................... ok   
mkdir/test .................. ok   
msg/test .................... ok     
open/test ................... ok   
ptrace/test ................. ok   
readlink/test ............... ok   
relabel/test ................ ok   
rename/test ................. ok   
rxdir/test .................. ok   
sem/test .................... ok     
setattr/test ................ ok   
setnice/test ................ ok   
shm/test .................... 1/16 # Test 15 got: "65280" (shm/test at line 61)
#    Expected: "0"
#  shm/test line 61 is: ok( $?, 0 );
shm/test .................... Failed 1/16 subtests 
sigkill/test ................ ok     
stat/test ................... ok   
sysctl/test ................. ok   
task_create/test ............ ok   
task_setnice/test ........... ok   
task_setscheduler/test ...... ok   
task_getscheduler/test ...... ok   
task_getsid/test ............ ok   
task_getpgid/test ........... ok   
task_setpgid/test ........... ok   
file/test ................... ok     
ioctl/test .................. ok   
capable_file/test ........... ok     
capable_net/test ............ ok   
capable_sys/test ............ ok   
dyntrans/test ............... ok   
dyntrace/test ............... ok   
bounds/test ................. ok     
nnp_nosuid/test ............. ok     
mmap/test ................... 23/47 shmat SHM_EXEC: Permission denied
# Test 46 got: "256" (mmap/test at line 225)
#    Expected: "0"
#  mmap/test line 225 is: ok( $result, 0 );
mmap/test ................... Failed 1/47 subtests 
unix_socket/test ............ ok   
inet_socket/test ............ ok     
overlay/test ................ ok       
checkreqprot/test ........... ok   
mqueue/test ................. ok     
mac_admin/test .............. ok   
atsecure/test ............... ok   
extended_socket_class/test .. 1/16 # Test 1 got: "256" (extended_socket_class/test at line 15)
#   Expected: "0"
#  extended_socket_class/test line 15 is: ok( $result, 0 );
# Failed test 2 in extended_socket_class/test at line 21
#  extended_socket_class/test line 21 is: ok($result);
# Test 3 got: "256" (extended_socket_class/test at line 27)
#   Expected: "0"
#  extended_socket_class/test line 27 is: ok( $result, 0 );
extended_socket_class/test .. 5/16 # Test 5 got: "256" (extended_socket_class/test at line 42)
#   Expected: "0"
#  extended_socket_class/test line 42 is: ok( $result, 0 );
# Failed test 6 in extended_socket_class/test at line 48
#  extended_socket_class/test line 48 is: ok($result);
# Test 7 got: "256" (extended_socket_class/test at line 54)
#   Expected: "0"
#  extended_socket_class/test line 54 is: ok( $result, 0 );
# Failed test 8 in extended_socket_class/test at line 60
#  extended_socket_class/test line 60 is: ok($result);
# Test 9 got: "256" (extended_socket_class/test at line 66)
#   Expected: "0"
#  extended_socket_class/test line 66 is: ok( $result, 0 );
# Failed test 10 in extended_socket_class/test at line 72
#  extended_socket_class/test line 72 is: ok($result);
# Test 11 got: "256" (extended_socket_class/test at line 78)
#    Expected: "0"
#  extended_socket_class/test line 78 is: ok( $result, 0 );
# Failed test 12 in extended_socket_class/test at line 84
#  extended_socket_class/test line 84 is: ok($result);
# Test 13 got: "256" (extended_socket_class/test at line 90)
#    Expected: "0"
#  extended_socket_class/test line 90 is: ok( $result, 0 );
# Failed test 14 in extended_socket_class/test at line 96
#  extended_socket_class/test line 96 is: ok($result);
# Test 15 got: "256" (extended_socket_class/test at line 102)
#    Expected: "0"
#  extended_socket_class/test line 102 is: ok( $result, 0 );
# Failed test 16 in extended_socket_class/test at line 108
#  extended_socket_class/test line 108 is: ok($result);
extended_socket_class/test .. Failed 15/16 subtests

Comment 2 Paul Moore 2018-08-06 21:46:54 UTC

Cloning the original to BZ so that it can focus on the extended_socket_class test failures and this BZ can focus on the shm/mmap test failures.

Comment 3 Paul Moore 2018-09-13 01:25:49 UTC

Milos, this looks like a duplicate of BZ 1373749, what do you think?

Comment 4 Milos Malik 2018-09-13 06:44:42 UTC

I believe that there were no failures in shm subtests when BZ#1373749 was filed, only mmap subtests were failing. Otherwise they look like duplicates.

Comment 5 Paul Moore 2018-09-13 20:38:05 UTC

True.

Okay, I'll leave them as separate BZs, but I'll put a comment in the other linking back to this BZ.

Comment 14 Ondrej Mosnacek 2018-09-26 07:27:44 UTC

Mystery finally solved!

These failures have apparently been introduced with changes in BZ 1458535, which brought in support for the file:map permission to the RHEL 7.6 kernel. The problem is that shmget(2) internally creates a special invisible file (labeled as tmpfs_t), which shmat(2) then tries to map, triggering an SELinux check.

Since the permissions for doing shared memory operations are already checked separately, this is a bug that has been already addressed upstream by marking the file with the S_PRIVATE flag and skipping the unnecessary access checks for it.

The relevant commits upstream are:

commit 892e8cac99a71f6254f84fc662068d912e1943bf
Author: Stephen Smalley <sds.gov>
Date:   Fri Jul 10 09:40:59 2015 -0400

    selinux: fix mprotect PROT_EXEC regression caused by mm change

commit e1832f2923ec92d0e590e496c8890675457f8568
Author: Stephen Smalley <sds.gov>
Date:   Thu Aug 6 15:46:55 2015 -0700

    ipc: use private shmem or hugetlbfs inodes for shm segments.

The most important is the second commit, which fixes both failing tests. The first commit's log message doesn't sound related, but it adds skipping also EXEC_MEM check for S_PRIVATE files, which fixes the last mmap test (which starts failing after applying only the second commit).

Note that upstream kernels never hit this problem, because the above two fixes had been applied long before the mmap support was added (v4.2 vs. v4.13).

Comment 20 Bruno Meneguele 2018-12-05 09:29:05 UTC

Patch(es) committed on kernel-3.10.0-972.el7

Comment 37 errata-xmlrpc 2019-08-06 12:08:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2029