Bug 2294760

Summary: SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a process.
Product: [Fedora] Fedora Reporter: Subhendu Ghosh <sghosh>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 40CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, sghosh, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:99d25e7dda8cd2fc8c6ea7cf1807dfcdc15c2cf0bb97b61aa4cad97d00b7b98b;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-01 07:11:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: description
none
File: os_info none

Description Subhendu Ghosh 2024-06-28 21:00:27 UTC 
Description of problem:
started Draw.io Flathub image
SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think ThreadPoolForeg should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that ThreadPoolForeg should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg
# semodule -X 300 -i my-ThreadPoolForeg.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        ThreadPoolForeg
Source Path                   ThreadPoolForeg
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.9.5-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Jun 16 15:47:09 UTC 2024
                              x86_64
Alert Count                   440
First Seen                    2024-06-28 16:56:47 EDT
Last Seen                     2024-06-28 16:56:50 EDT
Local ID                      44cef487-58f2-458b-9a54-b1866eeb1a6c

Raw Audit Messages
type=AVC msg=audit(1719608210.681:1527): avc:  denied  { execheap } for  pid=168745 comm="drawio" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: ThreadPoolForeg,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-targeted-40.23-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
component:      selinux-policy
comment:        started Draw.io Flathub image
reason:         SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a process.
type:           libreport
kernel:         6.9.5-200.fc40.x86_64
package:        selinux-policy-targeted-40.23-1.fc40.noarch
hashmarkername: setroubleshoot
component:      selinux-policy
Comment 1 Subhendu Ghosh 2024-06-28 21:00:29 UTC 
Created attachment 2038485 [details]
File: description
Comment 2 Subhendu Ghosh 2024-06-28 21:00:31 UTC 
Created attachment 2038486 [details]
File: os_info
Comment 3 Zdenek Pytela 2024-07-01 07:11:41 UTC 
The Linux implementation of mprotect (unlike POSIX) allows changing the access protection of memory on the heap, e. g. allocated using malloc. This AVC denial indicates that heap memory was supposed to be made executable. While the permission can be granted turning the selinuxuser_execheap boolean on as suggested by setroubleshoot, it should not be done without a thorough code review as in most cases it indicates a bug in the code and you should consider reporting a bug on the related component. If anonymous executable memory is needed, another method should be considered, e. g. allocating memory using mmap.

Please refer to the boolean description:

  # semanage boolean -l|grep execheap
selinuxuser_execheap           (off  ,  off)  Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Comment 4 Zdenek Pytela 2024-07-11 17:27:07 UTC 

*** This bug has been marked as a duplicate of bug 2254434 ***