Bug 1917099
| Summary: | SELinux is preventing privoxy from using the 'execmem' accesses on a process. | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ivanov17 <ivanov17> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 33 | CC: | cheese, chris_plass, dwalsh, grepl.miroslav, gwync, karsten, lvrabec, mmalik, omosnace, pablo.iranzo, plautrba, samarino, thunderbirdtr, vmojzis, zpytela | |
| Target Milestone: | --- | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Unspecified | |||
| Whiteboard: | abrt_hash:cc93a199f99d880f16fc3e5e2450ec03dac4131fa2228eeec51910ea52092045;VARIANT_ID=xfce; | |||
| Fixed In Version: | selinux-policy-3.14.6-38.fc33 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2083940 (view as bug list) | Environment: | ||
| Last Closed: | 2021-06-16 01:07:16 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2083940 | |||
Hi, The execmem permission is required for mapping a memory region as executable which is not common and is possibly insecure so it is disabled by default. For more information about the execmem permission, refer to the following articles: * https://akkadia.org/drepper/selinux-mem.html * https://danwalsh.livejournal.com/6117.html Changing the component for the maintainer to assess if this permission is required. Please switch it back to selinux-policy if further action is required. ----
type=PROCTITLE msg=audit(01/18/2021 04:20:32.984:707) : proctitle=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
type=SYSCALL msg=audit(01/18/2021 04:20:32.984:707) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1377 pid=1378 auid=unset uid=privoxy gid=privoxy euid=privoxy suid=privoxy fsuid=privoxy egid=privoxy sgid=privoxy fsgid=privoxy tty=(none) ses=unset comm=privoxy exe=/usr/sbin/privoxy subj=system_u:system_r:privoxy_t:s0 key=(null)
type=AVC msg=audit(01/18/2021 04:20:32.984:707) : avc: denied { execmem } for pid=1378 comm=privoxy scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=0
----
The same SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/18/2021 04:24:57.144:716) : proctitle=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
type=SYSCALL msg=audit(01/18/2021 04:24:57.144:716) : arch=x86_64 syscall=mmap success=yes exit=140399402266624 a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1394 pid=1395 auid=unset uid=privoxy gid=privoxy euid=privoxy suid=privoxy fsuid=privoxy egid=privoxy sgid=privoxy fsgid=privoxy tty=(none) ses=unset comm=privoxy exe=/usr/sbin/privoxy subj=system_u:system_r:privoxy_t:s0 key=(null)
type=AVC msg=audit(01/18/2021 04:24:57.144:716) : avc: denied { execmem } for pid=1395 comm=privoxy scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=1
----
Hi! I've used tor and privoxy with the same configuration as now for about 5 years, with several Fedora releases. All this time I've used SELinux running in enforcing mode and I had no issues with privoxy. This error started happening about 2 or 3 days ago. I hope this will be helpful for finding and fixing the error. *** Bug 1917021 has been marked as a duplicate of this bug. *** Asking upstream: https://sourceforge.net/p/ijbswa/bugs/924/ Upstream says this is likely caused by JIT pcre filter compilation. I can either rebuild with it disabled, or we can update the SELinux policy. I vote the latter. If the feature is necessary for you project, we surely can add it to policy, but document properly - can you make sure what is the reason? Yes, it's for a new feature, JIT filter compilation. https://www.privoxy.org/announce.txt *** Bug 1927329 has been marked as a duplicate of this bug. *** *** Bug 1932676 has been marked as a duplicate of this bug. *** I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/728 FEDORA-2021-e2de9e9e55 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55 FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e2de9e9e55` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: 1. dnf install tor privoxy 2. In /etc/privoxy/config set: listen-address 127.0.0.1:8118 forward-socks5t / 127.0.0.1:9050 . 3. systemctl start tor privoxy SELinux is preventing privoxy from using the 'execmem' accesses on a process. ***** Plugin allow_execmem (91.4 confidence) suggests ********************* If this issue occurred during normal system operation. Then this alert could be a serious issue and your system could be compromised. Do contact your security administrator and report this issue ***** Plugin catchall (9.59 confidence) suggests ************************** Если вы считаете, что privoxy должно быть разрешено execmem доступ к процессам с меткой privoxy_t по умолчанию. Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики. Do разрешить этот доступ сейчас, выполнив: # ausearch -c 'privoxy'--raw | audit2allow -M my-privoxy # semodule -X 300 -i my-privoxy.pp Additional Information: Source Context system_u:system_r:privoxy_t:s0 Target Context system_u:system_r:privoxy_t:s0 Target Objects Неизвестно [ process ] Source privoxy Source Path privoxy Port <Неизвестно> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.6-33.fc33.noarch Local Policy RPM selinux-policy-targeted-3.14.6-33.fc33.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.9.16-200.fc33.x86_64 #1 SMP Mon Dec 21 14:08:22 UTC 2020 x86_64 x86_64 Alert Count 422 First Seen 2021-01-12 19:50:00 MSK Last Seen 2021-01-16 16:32:28 MSK Local ID fc7a6d86-7755-4eb7-b498-13253a26ab40 Raw Audit Messages type=AVC msg=audit(1610803948.132:3270): avc: denied { execmem } for pid=1863 comm="privoxy" scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=0 Hash: privoxy,privoxy_t,privoxy_t,process,execmem Version-Release number of selected component: selinux-policy-targeted-3.14.6-33.fc33.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.9.16-200.fc33.x86_64 type: libreport