Bug 2014228

Summary: libffi: Python scripts crash with ANOM_ABEND when SELinux is enabled
Product: Red Hat Enterprise Linux 8
Reporter: Paulo Andrade <pandrade>
Component: libffi
Assignee: DJ Delorie <dj>
Status: CLOSED ERRATA
QA Contact: Lenka Špačková <lkuprova>
Severity: medium
Docs Contact: Jacob Taylor Valdez <jvaldez>
Priority: medium
Version: 8.4
CC: codonell, dj, fweimer, jvaldez, mcermak
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libffi-3.1-24.el8
Doc Type: Bug Fix
Doc Text:
.`libffi` can now probe for executable memory with SELinux enabled

By default, `libffi` does not probe for executable memory when SELinux is enabled. As a consequence, programs that use `libffi` closures and `fork()` without immediately executing another program terminate unexpectedly when SELinux is enabled. With this update, `libffi` looks for a `/etc/sysconfig/libffi-force-shared-memory-check-first` file and, if it exists, probes for executable memory regardless of whether SELinux is enabled. As a result, programs using `libffi` can safely `fork()` without crashing when SELinux is enabled.
Story Points: ---
Clone Of:
: 2152228 (view as bug list)
Environment:
Last Closed: 2023-05-16 09:10:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2152228

Description Paulo Andrade 2021-10-14 16:23:47 UTC
This bug was initially created as a copy of Bug #1977410

I am copying this bug because: 

Description of problem:
When SELinux is enabled, even in permissive mode, the attached code crashes.  When SELinux is disabled, it runs fine.  The only message I see in audit.log is:

type=ANOM_ABEND msg=audit(1624551198.965:416): auid=47927 uid=47927 gid=47927 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4090 comm="test.py" reason="memory violation" sig=6

I'm not seeing any AVC messages, even after running "semodule -DB".  I spotted a Bugzilla report (1249685) from a few years back which mentioned python-cffi, the system doesn't have that package installed.  Adjusting the deny_execmem boolean didn't have any effect either - which I'm taking as a good thing, as the warnings about that were sufficiently dire.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Enable SELinux, in either enforcing or permissive mode.
2. Run attached code.
3. Code crashes.

Actual results:


Expected results:


Additional info:
I have talked with the Red Hat SELinux Userspace team, who have reproduced the issue on Fedora 34 with Python 3.9.  They suspect the issue may be in the Python _ctypes module.
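
The code attached to the original report is not reproduced on this page. The following script is an added example (not the reporter's attachment and not Red Hat's or libffi's code) that exercises the scenario the Doc Text describes: a ctypes callback allocates a libffi closure, the process calls fork() without exec(), and the child allocates and calls a closure again. The parent result is deterministic; the child's exit status is what changes on an affected libffi with SELinux enabled (SIGABRT, matching the ANOM_ABEND with sig=6 in the audit log). The marker path is the one named in the Doc Text; EXPECTED_ABORT, sort_with_closure and fork_and_call are names chosen for this example only.

```python
"""Fork-after-closure reproducer for the libffi/SELinux abort scenario.

Added example for illustration; it is not the code attached to the bug.
Requires Linux (or another POSIX system with os.fork and libc qsort()).
"""
import ctypes
import os
import signal

# os.waitpid() status, as reported below, when the child dies from SIGABRT
# (the "sig=6" seen in the ANOM_ABEND audit record).
EXPECTED_ABORT = -signal.SIGABRT

# Path named in the Doc Text: its presence makes the fixed libffi probe for
# executable memory even when SELinux is enabled.
MARKER_FILE = "/etc/sysconfig/libffi-force-shared-memory-check-first"

# CDLL(None) exposes the symbols already loaded into the interpreter,
# which on glibc systems includes qsort(); avoids needing find_library().
libc = ctypes.CDLL(None)

# int (*compar)(const int *, const int *)
CMPFUNC = ctypes.CFUNCTYPE(ctypes.c_int,
                           ctypes.POINTER(ctypes.c_int),
                           ctypes.POINTER(ctypes.c_int))
libc.qsort.argtypes = [ctypes.c_void_p, ctypes.c_size_t,
                       ctypes.c_size_t, CMPFUNC]
libc.qsort.restype = None


def sort_with_closure(values):
    """Sort a list of ints with libc qsort() and a Python comparator.

    Wrapping the comparator in CMPFUNC allocates a libffi closure (writable
    plus executable memory) and qsort() calls into it from native code, so
    this is the operation that aborts on an affected libffi.
    """
    @CMPFUNC
    def compare(a, b):
        # three-way compare without relying on subtraction overflow
        return (a[0] > b[0]) - (a[0] < b[0])

    arr = (ctypes.c_int * len(values))(*values)
    libc.qsort(arr, len(values), ctypes.sizeof(ctypes.c_int), compare)
    return list(arr)


def fork_and_call(sample=(5, 3, 9, 1)):
    """Use a closure in the parent, fork() without exec(), use one in the child.

    Returns the parent's sorted result, how the child ended (exit code, or
    minus the signal number if it was killed), and whether the marker file
    from the fix is present on this host.
    """
    sample = list(sample)
    parent_result = sort_with_closure(sample)

    pid = os.fork()
    if pid == 0:
        # Child: no exec() here, which is the case the Doc Text calls out.
        try:
            ok = sort_with_closure(sample) == sorted(sample)
        except Exception:  # any Python-level failure; a libffi abort is a signal
            ok = False
        os._exit(0 if ok else 1)

    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        child_exitcode = os.WEXITSTATUS(status)
    else:
        child_exitcode = -os.WTERMSIG(status)

    return {
        "parent_result": parent_result,
        "child_exitcode": child_exitcode,
        "marker_present": os.path.exists(MARKER_FILE),
    }


if __name__ == "__main__":
    report = fork_and_call()
    print("parent sorted:", report["parent_result"])
    if report["child_exitcode"] == EXPECTED_ABORT:
        print("child aborted with SIGABRT: check audit.log for ANOM_ABEND")
    else:
        print("child exit code:", report["child_exitcode"])
    print("marker file present:", report["marker_present"])
```

Run it on the affected host with SELinux in permissive mode first: a child exit of SIGABRT with no AVC denial, even after `semodule -DB`, is the signature reported above. On a host with the fixed package, create the marker file and rerun; the child should then exit 0.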

Comment 17 errata-xmlrpc 2023-05-16 09:10:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libffi bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3014