Bug 2055822

Summary: enabled by default: selinuxuser_execstack?
Product: Red Hat Enterprise Linux 9
Reporter: Zdenek Pytela <zpytela>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact: Jan Fiala <jafiala>
Priority: high
Version: 9.0
CC: bfinger, codonell, fweimer, gfialova, kdudka, lvrabec, mhofmann, mmalik, rjones, scorreia, sgrubb, skolosov, ssekidde, vkadlcik
Target Milestone: rc
Keywords: Triaged
Target Release: 9.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-34.1.27-1.el9
Doc Type: Enhancement
Doc Text:
Default SELinux policy disallows commands with text relocation libraries
The `selinuxuser_execmod` boolean is now off by default to improve the security footprint of installed systems. As a result, SELinux users cannot enter commands using libraries that require text relocation, unless the library files have the `textrel_shlib_t` label.
Story Points: ---
Clone Of: 2053815
Environment:
Last Closed: 2022-05-17 15:50:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2053815, 2064274
Bug Blocks:

Description Zdenek Pytela 2022-02-17 17:19:50 UTC
+++ This bug was initially created as a clone of Bug #2053815 +++

Description of problem:

I discovered selinuxuser_execstack=1 (via system-config-selinux)

I also discovered the description of that setting:
'allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla'

So, I thought that sounded nasty and I turned it off:
# getsebool selinuxuser_execstack
selinuxuser_execstack --> off

Now,
The Cockpit SELinux policy page reports under 'System modifications':
'Disallow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla'

So, that suggests that the default for the system is selinuxuser_execstack=1 and that seems wrong, given the warnings above...

But:
# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack          (off  ,  off)  Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

So, I'm a bit confused - perhaps this is a bug in Cockpit's reporting?


Version-Release number of selected component (if applicable):
libselinux-2.9-5
selinux-policy.noarch-3.14.3-80
cockpit-251.3-1

How reproducible:
Apparently always

Steps to Reproduce:
1. Install selinux & cockpit
2. Check on selinuxuser_execstack
3.

Actual results:
Confusing

Expected results:
Not confusing

Additional info:

--- Additional comment from Milos Malik on 2022-02-14 09:18:53 CET ---

Default value of the selinuxuser_execmod boolean is also an issue.
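The getsebool/semanage checks in the description show the boolean state, and the Doc Text says that with selinuxuser_execmod off, libraries needing text relocations must carry the textrel_shlib_t label. The script below is an added example written for this page (not part of the bug report or of selinux-policy) that audits shared libraries for the two properties these booleans govern, DT_TEXTREL and an executable PT_GNU_STACK, and reports which ones would need relabeling; it assumes binutils readelf and a coreutils stat that prints the SELinux context with %C.

```shell
#!/bin/sh
# Added example, not from the bug report: audit .so files for the properties
# that selinuxuser_execmod (text relocations) and selinuxuser_execstack
# (executable stack) would otherwise have to permit.

# Exit 0 if `readelf -d` output on stdin shows DT_TEXTREL (entry or FLAGS bit).
has_textrel() {
    grep -Eq '\(TEXTREL\)|\(FLAGS\).*TEXTREL'
}

# Print the PT_GNU_STACK flags (RW or RWE) from `readelf -lW` output on stdin.
# Prints "missing" when the segment is absent; on x86 the loader then
# assumes an executable stack, so treat it like RWE.
gnu_stack_flags() {
    awk '/^[[:space:]]*GNU_STACK/ {print $7; found=1}
         END {if (!found) print "missing"}'
}

# Classify one library: $1 textrel (yes/no), $2 stack flags, $3 SELinux type.
# Prints OK, EXECSTACK, or NEEDS_textrel_shlib_t.
verdict() {
    textrel=$1; stack=$2; setype=$3
    case "$stack" in RWE|missing) echo EXECSTACK; return ;; esac
    if [ "$textrel" = yes ] && [ "$setype" != textrel_shlib_t ]; then
        echo NEEDS_textrel_shlib_t
    else
        echo OK
    fi
}

# Scan every shared object under the given directories, one report line each.
scan_libs() {
    find "$@" -type f -name '*.so*' 2>/dev/null | while read -r f; do
        if readelf -d "$f" 2>/dev/null | has_textrel; then tr=yes; else tr=no; fi
        st=$(readelf -lW "$f" 2>/dev/null | gnu_stack_flags)
        # stat -c %C prints user:role:type:level on SELinux systems, "?" elsewhere
        ty=$(stat -c %C "$f" 2>/dev/null | awk -F: '{print $3}')
        echo "$(verdict "$tr" "$st" "$ty") textrel=$tr stack=$st type=${ty:-unknown} $f"
    done
}

# Usage: sh audit_libs.sh /usr/lib64 /opt/vendor/lib
if [ "$#" -gt 0 ]; then
    scan_libs "$@"
fi
```

Lines reporting NEEDS_textrel_shlib_t are the libraries that stop working for SELinux users once selinuxuser_execmod is off unless they are relabeled; EXECSTACK lines are the binaries the selinuxuser_execstack description says should be reported as bugs.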

Comment 1 Zdenek Pytela 2022-02-17 19:37:25 UTC
The default value changed in dist-git with this commit:

commit a270091f195ba840bc9e8d1119b7d04dd537b0ef
Author: Miroslav Grepl <mgrepl>
Date:   Mon Dec 17 17:21:00 2012 +0100

    Make rawhide == f18
...

+selinuxuser_direct_dri_enabled = true
+selinuxuser_execmem = true
+selinuxuser_execmod = true
+selinuxuser_execstack = true
+selinuxuser_rw_noexattrfile=true
+selinuxuser_ping = true
+squid_connect_any = true
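Review bot: this hunk flips `selinuxuser_execstack` and `selinuxuser_execmod` to `true` by default, yet the boolean's own description quoted in the bug description says an executable stack "should never, ever be necessary" and "could indicate an attack"; the commit message "Make rawhide == f18" gives no rationale for relaxing these two specifically, so the reason should be recorded in the commit or a comment in the file (the Doc Text above shows execmod being switched back off for exactly this reason). As a style point, `selinuxuser_rw_noexattrfile=true` drops the spaces around `=` that every other line in the hunk uses; write it as `selinuxuser_rw_noexattrfile = true` so the file stays uniform.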

Comment 7 Richard W.M. Jones 2022-03-15 14:01:52 UTC
Has this changed the default to disallow execstack?
https://bugzilla.redhat.com/show_bug.cgi?id=2013629
https://bugzilla.redhat.com/show_bug.cgi?id=2064274

Comment 10 Zdenek Pytela 2022-03-25 18:06:22 UTC
FYI: the decision was reconsidered and the selinuxuser_execstack boolean now changes to true again:
https://bugzilla.redhat.com/show_bug.cgi?id=2064274

Comment 16 errata-xmlrpc 2022-05-17 15:50:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918