Bug 182965
Summary: mono needs execmem to execute causes selinux failures.

| Field | Value |
|---|---|
| Product | [Fedora] Fedora |
| Component | mono |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | Alexander Larsson <alexl> |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| CC | drepper, jakub, lupus, nalin, sdsmall |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2006-03-03 23:14:43 UTC |
| Bug Blocks | 150222 |

Description
Daniel Walsh
2006-02-24 19:55:28 UTC
Basically I get an execmem failure from unconfined_t before mono starts. If I allow execmem in SELinux mono will transition to mono_t but I get an auditallow granted message for unconfined_t.

Nalin and I looked into this further and we think the culprit is the following:

=======================================================================
Dan, it looks like the 'mono' binary defines a segment named 'writetext' like so (mono/mini/mini.c:7268, preprocessed):

```c
static __thread gpointer mono_lmf_addr __attribute__((tls_model("local-exec")));

gint32 mono_get_lmf_tls_offset (void)
{
  int offset;
  __asm ("jmp 1f; .section writetext, \"awx\"; 1: movl $" "mono_lmf_addr" "@ntpoff, %0; jmp 2f; .previous; 2:" : "=r" (offset));;
  return offset;
}
```

And the run-time linker is probably just hitting the execmem denial as part of doing its job.

ELF file has a RWE segment, which triggers the denial when the kernel ELF loader tries to mmap it with those protections, IIUC. This happens prior to switching credentials, so it happens in the caller's context rather than the new domain. Build or code problem in mono.

Created attachment 125213: mono-compiler.patch

Applying jakub's patch to the latest mono and rebuilding seems to have cleaned up the problem. tomboy is working fine with the new version.

Filed upstream here: http://bugzilla.ximian.com/show_bug.cgi?id=77653

Created attachment 125396: amd64 fix

You need this additional patch to make mono compile and work on amd64 systems.
Thanks.
Yeah, my patch was completely untested, doesn't surprise me I made one typo. Also, IA-64 probably needs similar treatment, i.e. use the current __asm for non-pic and for PIC use

```c
__asm ("addl %0 = @ltoff(@tprel(" #var "#)), gp ;; ld8 %0 = [%0]\n" : "=r" (offset))
```

Created attachment 125569: fully fleshed out patch

Hi,
Above is the patch I built into rawhide. It has the x86-64 update and the
ia64 update in it. Can you guys verify that it looks correct?

Hey guys, I'm going to close this bug, but if anyone experiences it again, feel free to reopen.
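
The "ELF file has a RWE segment" observation in the thread can be checked directly from a binary's program headers, before SELinux ever logs an execmem denial. The following is an added example, not code from this bug report or from mono; the function names and the in-memory sample ELF are constructed for illustration.

```python
import struct
import sys

PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4

def flags_str(f):
    """Render p_flags the way readelf does: R, W, E or '-' per bit."""
    return "".join(c if f & bit else "-" for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))

def wx_load_segments(data):
    """Return [(index, flags)] for every PT_LOAD segment that is both writable and executable."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = ">" if data[5] == 2 else "<"       # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    hits = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        # p_flags directly follows p_type in ELF64 but sits at offset 24 in ELF32
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            hits.append((i, flags_str(p_flags)))
    return hits

def make_elf32(flag_list):
    """Constructed sample: bare ELF32 little-endian header plus one PT_LOAD per flags value."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(flag_list), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", PT_LOAD, 0, 0, 0, 0, 0, f, 0x1000) for f in flag_list)
    return hdr + phdrs

if __name__ == "__main__":
    for path in sys.argv[1:]:                # check real binaries given on the command line
        with open(path, "rb") as fh:
            for idx, fl in wx_load_segments(fh.read()):
                print(f"{path}: PT_LOAD #{idx} is {fl}")
    # Constructed sample: a normal text segment plus one RWE segment
    print(wx_load_segments(make_elf32([PF_R | PF_X, PF_R | PF_W | PF_X])))
```

A non-empty result for a binary means the loader will request a writable and executable mapping for it, which is the condition the thread ties to the denial being logged in the caller's context.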