Bug 1802479

Summary: allow_execstack and allow execmem should be off
Product: Red Hat Enterprise Linux 8
Reporter: Julie Pichon <jpichon>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.4
CC: jpichon, lhh, ltamagno, lvrabec, mmalik, nlevinki, plautrba, ssekidde, zcaplovi
Target Milestone: rc
Keywords: Security, SELinux, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1801314
: 2013629 (view as bug list)
Environment:
Last Closed: 2020-06-25 13:35:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2013629
Attachments: CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE) (flags: none)

Description Julie Pichon 2020-02-13 09:40:30 UTC
Created attachment 1662917 [details]
CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE)

+++ This bug was initially created as a clone of Bug #1801314 +++

Description of problem:
As described in CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE), there is a security issue in having:
allow_execstack: on
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous

allow execmem: on
Allow unconfined executables to make their stack executable. 

Steps to Reproduce:
1. semanage boolean -l | grep deny_execmem
2. semanage boolean -l | grep execstack

Actual results:
[root@controller-0 ~]# semanage boolean -l | grep deny_execmem
deny_execmem                   (off  ,  off)  Allow deny to execmem 

[root@controller-0 ~]# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack          (on   ,   on)  Allow selinuxuser to execstack  

Expected results:
[root@controller-0 ~]# semanage boolean -l | grep deny_execmem
deny_execmem                   (on  ,  on)  Allow deny to execmem 

[root@controller-0 ~]# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack          (off ,  off)  Allow selinuxuser to execstack  

Additional info:

[1] https://lists.fedoraproject.org/pipermail/scm-commits/2011-November/681342.html


--- Additional comment from Julie Pichon on 2020-02-11 15:25:49 UTC ---

Hi Lukas,

I would like to ask for your thoughts on the following two booleans mentioned in the bug description:

deny_execmem                   (off  ,  off)  Allow deny to execmem
selinuxuser_execstack          (on   ,   on)  Allow selinuxuser to execstack

According to recent security guidelines (cf. ANSSI document in the attachments), the recommendation is for these to always be set to on (deny_execmem) and off (selinuxuser_execstack) respectively. Would it make sense for the default selinux-policy to change to match the guidelines, do you think? Thank you.

Comment 3 Milos Malik 2020-04-27 15:24:07 UTC
If the deny_execmem boolean is enabled by default then we need to instruct the cluster team to enable the cluster_use_execmem boolean. Otherwise the following SELinux denials will appear:

----
type=PROCTITLE msg=audit(04/27/2020 17:15:51.461:189) : proctitle=/usr/bin/ruby /usr/lib/pcsd/pcsd 
type=SYSCALL msg=audit(04/27/2020 17:15:51.461:189) : arch=x86_64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7fe8a4990000 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=0x22 items=0 ppid=1 pid=1794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pcsd exe=/usr/bin/ruby subj=system_u:system_r:cluster_t:s0 key=(null) 
type=AVC msg=audit(04/27/2020 17:15:51.461:189) : avc:  denied  { execmem } for  pid=1794 comm=pcsd scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=0 
----

# getsebool -a | grep -e selinuxuser_execstack -e deny_execmem
deny_execmem --> on
selinuxuser_execstack --> off
# service pcsd start

Comment 4 Milos Malik 2020-04-28 08:30:32 UTC
If the deny_execmem boolean should be enabled by default then we need to instruct the desktop team to enable the xserver_execmem boolean. Otherwise the following SELinux denials will appear:

----
type=PROCTITLE msg=audit(04/28/2020 10:24:42.377:313) : proctitle=/usr/bin/gnome-shell 
type=SYSCALL msg=audit(04/28/2020 10:24:42.377:313) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=3668 pid=3893 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/28/2020 10:24:42.377:313) : avc:  denied  { execmem } for  pid=3893 comm=gnome-shell scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=0 
----

The gnome-shell is not able to start.
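The bug description asks for deny_execmem to be on and selinuxuser_execstack to be off, and comments 3 and 4 show the execmem denials that appear in cluster_t and xdm_t when deny_execmem is turned on unless the per-service booleans cluster_use_execmem and xserver_execmem are also enabled. The script below is an added example, not part of this bug or of selinux-policy: it checks `getsebool -a` output against those two recommended values and scans audit records for execmem denials, naming the compensating boolean for the two domains mentioned in the comments. The getsebool and audit samples are constructed inline from the values quoted in the bug so the script runs offline; the domain-to-boolean table is limited to the two pairs the comments name and is an assumption for any other domain.

```python
import re

# Constructed sample of `getsebool -a` output, mirroring the values
# reported in the bug description (inline sample, not a live query).
SAMPLE_GETSEBOOL = """\
deny_execmem --> off
selinuxuser_execstack --> on
cluster_use_execmem --> off
xserver_execmem --> off
"""

# Constructed sample audit records: the two AVC lines quoted in comments 3
# and 4 of the bug, plus an unrelated file denial that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/27/2020 17:15:51.461:189) : avc:  denied  { execmem } for  pid=1794 comm=pcsd scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=0
type=AVC msg=audit(04/28/2020 10:24:42.377:313) : avc:  denied  { execmem } for  pid=3893 comm=gnome-shell scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(04/28/2020 10:25:00.000:314) : avc:  denied  { read } for  pid=4000 comm=cat scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Hardened values recommended by the ANSSI guideline cited in the bug.
RECOMMENDED = {"deny_execmem": True, "selinuxuser_execstack": False}

# Per-service booleans named in comments 3 and 4 that re-allow execmem for a
# domain once deny_execmem is on. Only those two pairs are listed here; the
# mapping for any other domain is an assumption you must fill in yourself.
COMPENSATING_BOOLEANS = {
    "cluster_t": "cluster_use_execmem",
    "xdm_t": "xserver_execmem",
}

def parse_getsebool(text):
    """Parse `getsebool -a` style lines ('name --> on|off') into a dict."""
    bools = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+-->\s+(on|off)\s*$", line.strip())
        if m:
            bools[m.group(1)] = (m.group(2) == "on")
    return bools

def check_hardening(bools):
    """Return (name, current, wanted) for each boolean deviating from RECOMMENDED."""
    findings = []
    for name, wanted in RECOMMENDED.items():
        current = bools.get(name)
        if current is None:
            findings.append((name, "missing", wanted))
        elif current != wanted:
            findings.append((name, current, wanted))
    return findings

# Matches the AVC portion of an audit record and captures the fields we need.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"pid=(?P<pid>\d+)\s+comm=(?P<comm>\S+)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=\S+\s+tclass=(?P<tclass>\S+)"
)

def execmem_denials(audit_text):
    """Extract (pid, comm, source type) for every execmem denial on tclass=process."""
    hits = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "process":
            continue
        if "execmem" not in m.group("perms").split():
            continue
        src_type = m.group("scontext").split(":")[2]  # user:role:type[:range]
        hits.append((int(m.group("pid")), m.group("comm"), src_type))
    return hits

def compensating_boolean(src_type, bools):
    """Name the per-service boolean for a denied domain and its current state, or None."""
    name = COMPENSATING_BOOLEANS.get(src_type)
    if name is None:
        return None
    return (name, bools.get(name, False))

def report(getsebool_text, audit_text):
    """Combine the boolean audit and the denial scan into human-readable lines."""
    bools = parse_getsebool(getsebool_text)
    lines = [f"{n}: is {c}, guideline wants {w}" for n, c, w in check_hardening(bools)]
    for pid, comm, src in execmem_denials(audit_text):
        fix = compensating_boolean(src, bools)
        hint = (f"consider boolean {fix[0]} (currently {'on' if fix[1] else 'off'})"
                if fix else "no per-service boolean known for this domain")
        lines.append(f"execmem denied for {comm} (pid {pid}) in {src}: {hint}")
    return lines

if __name__ == "__main__":
    for line in report(SAMPLE_GETSEBOOL, SAMPLE_AUDIT):
        print(line)
```

On a real host, feed `report()` the output of `getsebool -a` and `ausearch -m AVC` instead of the inline samples; running it after flipping deny_execmem on in a test environment shows which confined domains need one of the per-service booleans before the change can be rolled out.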

Comment 6 Zdenek Pytela 2020-06-25 13:35:43 UTC
Julie,

Thank you for raising this issue about improving the security of our products.

RHEL with SELinux is widely used in various customer environments. We cannot predict all of the impact of such an important change though, so I am afraid we cannot afford to make such a change during the RHEL 8 development cycle. To declare stability and reliability, we have published the following document:

  Stability of the SELinux Policy API 
  https://access.redhat.com/articles/4854201

I am closing the bz for now. However, as both suggestions seem to be reasonable, we can participate in a wider discussion on whether the default value can be changed in Fedora and in future RHEL major versions, and even include more booleans of a similar kind in the discussion.