Bug 194452

Summary: Grub fails with execmem AVC denied
Product: [Fedora] Fedora
Reporter: Mark McLoughlin <markmc>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: rawhide
CC: drepper, pb--bugzilla, pjones
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:14:39 UTC

Description Mark McLoughlin 2006-06-08 10:24:02 UTC
Doing the following:

    $> cat > grubscript.tmp << EOF
    root (hd1,0)
    install /grub/stage1 d (hd1) /grub/stage2 p /grub/grub.conf
    EOF
    $> grub --batch --no-floppy --device-map=device.map < grubscript.tmp
    grub: asmstub.c:214: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
    Aborted

Fails with this AVC denied:

    avc:  denied  { execmem } for  pid=3093 comm="grub" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process

Running with allow_execmem set to 1 makes it work.

Best I can make out is that our grub simulates an executable stack by mmapping a
chunk of memory and marking it executable ... presumably so grub can be built
without an executable stack.

CVS log of the patch:

    $> cvs log grub-0.95-nxstack.patch
    date: 2005/02/11 08:16:53;  author: pjones;  state: Exp;
    vroomfondel:~$ eu-readelf -l /sbin/grub | grep STACK
      GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RW  0x4
                                                                    ^ yay

    This may be one of the worst atrocities I've ever committed to disk.

:-)

Do we need to modify the policy to allow_execmem for grub?
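
The description above guesses at what grub does to earn the execmem denial. As an added example, not code from the bug report or from grub's nxstack patch, the following C probe exercises the two kernel paths that raise the SELinux execmem permission: an anonymous mapping created writable and executable at once (what a simulated stack needs), and an mprotect() that later adds PROT_EXEC to an anonymous mapping that was created writable. The mapping size and the function names are my own choices. On a machine without SELinux, or with allow_execmem on, every probe reports allowed; under the policy from the report the two execmem probes fail with EACCES while the read/write control still succeeds, which is how you tell an execmem denial from an unrelated mmap failure.

```c
/* Added example (not from the bug report or grub): probe whether the
 * current SELinux domain is allowed "execmem", the permission grub's
 * simulated stack needed. Two kernel paths raise it:
 *   (1) an anonymous mmap that is writable and executable at once, and
 *   (2) an mprotect() that adds PROT_EXEC to an anonymous mapping that
 *       was writable when it was created.
 * Without SELinux (or with allow_execmem on) both succeed; under the
 * denial from the report both fail with EACCES. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum { EXECMEM_DENIED = 0, EXECMEM_ALLOWED = 1, EXECMEM_ERROR = -1 };

static const size_t STACK_LEN = 64 * 1024;  /* arbitrary probe size (assumption) */

/* Classify an mmap/mprotect failure: a policy denial versus anything else. */
static int classify_errno(void)
{
    return (errno == EACCES || errno == EPERM) ? EXECMEM_DENIED : EXECMEM_ERROR;
}

/* Path 1: map a writable+executable anonymous region in one call. */
int probe_execmem_mmap(void)
{
    void *p = mmap(NULL, STACK_LEN, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return classify_errno();
    munmap(p, STACK_LEN);
    return EXECMEM_ALLOWED;
}

/* Path 2: map RW, then flip to RX. The pages were writable, so SELinux
 * still checks execmem here; this is not a way around the denial. */
int probe_execmem_mprotect(void)
{
    void *p = mmap(NULL, STACK_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return EXECMEM_ERROR;
    int r = (mprotect(p, STACK_LEN, PROT_READ | PROT_EXEC) == 0)
                ? EXECMEM_ALLOWED : classify_errno();
    munmap(p, STACK_LEN);
    return r;
}

/* Control: plain RW anonymous memory never needs execmem, so if this
 * fails the problem is not the SELinux policy. */
int probe_rw_only(void)
{
    void *p = mmap(NULL, STACK_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return EXECMEM_ERROR;
    memset(p, 0, STACK_LEN);
    munmap(p, STACK_LEN);
    return EXECMEM_ALLOWED;
}

static const char *describe(int r)
{
    return r < 0 ? "error" : (r == EXECMEM_ALLOWED ? "allowed" : "denied");
}

int main(void)
{
    printf("RWX anonymous mmap:     %s\n", describe(probe_execmem_mmap()));
    printf("RW then RX mprotect:    %s\n", describe(probe_execmem_mprotect()));
    printf("RW only (control):      %s\n", describe(probe_rw_only()));
    return 0;
}
```

Of the two workarounds discussed in the thread, setting the allow_execmem boolean grants the permission to every process in unconfined_t, while labelling /sbin/grub so that it transitions into its own execmem-capable domain confines the exception to that one binary; the second is the least-privilege option, and shipping it as a file context in the policy (rather than a one-off chcon) means it survives a relabel.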

Comment 1 Daniel Walsh 2006-06-08 14:47:18 UTC
Is this required by grub?  I.e., is there another way to do this?  We can define a
context of unconfined_execmem_exec_t for grub which would allow this.

chcon -t unconfined_execmem_exec_t /sbin/grub

Comment 2 Daniel Walsh 2006-06-16 01:29:20 UTC
Fixed in 2.2.47-3


Comment 3 Piete Brooks 2006-07-07 05:48:20 UTC
I still see this problem on FC6 T1

Vigor14:~: rpm -q selinux-policy-targeted 
selinux-policy-targeted-2.3.1-1
Vigor14:~: 

audit(1152250446.486:6): avc:  denied  { execmem } for  pid=2177 comm="grub" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process

Comment 4 Daniel Walsh 2006-07-11 13:38:01 UTC
Fixed in selinux-policy-targeted-2.3.2-2

Comment 5 Daniel Walsh 2007-08-22 14:14:39 UTC
Should be fixed in the current release