Bug 185339

Summary: avc: denied { execheap } comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: tjpueschel
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.2.38-1.FC5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-05-16 15:23:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Orion Poplawski 2006-03-13 20:31:12 UTC 
Description of problem:

On a freshly installed rawhide system:

audit(1142281782.485:707): avc:  denied  { execheap } for  pid=32722
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

Also:

lots of:

audit(1142282037.478:751): avc:  granted  { execstack } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process
audit(1142282037.478:752): avc:  granted  { execmem } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.23-15
Comment 1 Orion Poplawski 2006-03-28 16:55:46 UTC 
Can you tell me what I should be doing about the following?

audit(1142282037.478:751): avc:  granted  { execstack } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process
audit(1142282037.478:752): avc:  granted  { execmem } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

Presumably some program needs to get fixed so that it doesn't need execstack and
execmem priviledges, but how do I find out which one?

These messages trigger daily logwatch emails:

--------------------- Selinux Audit Begin ------------------------ 

  *** Grants ***
    user_u user_u (process): 81 times
 
so it's an annoyance.  But before I configure logwatch to ignore grant messages,
I figured I'd try to see if I can fix them properly.
Comment 2 Tim PĆ¼schel 2006-04-08 09:42:03 UTC 
The 

audit(1144487527.582:5): avc:  denied  { execheap } for  pid=8497
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

message also appears on fc5 with glibc-2.4-4 and selinux-policy-2.2.29-3.

It appears a few times everytime prelink is run.
Comment 5 Daniel Walsh 2006-05-09 16:27:04 UTC 
Added prelink policy fixed in current policy
Comment 6 Orion Poplawski 2006-05-16 15:23:37 UTC 
Confirmed.