Bug 253374

Summary: Selinux runs after being disabled?
Product: [Fedora] Fedora
Reporter: Troy Deierling <troydei>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: medium
Version: 8
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-08-18 18:21:09 UTC

Description Troy Deierling 2007-08-18 14:36:28 UTC
Running rawhide on Dell 64bit Vostro 1500 notebook.  I've disabled selinux but
it still runs?  Went to install IE6 via crossover and it popped up still. 
Here's a copy of the alert and my config file.

Summary
    SELinux is preventing /home/troy/cxoffice/bin/cxglibc-check from changing a
    writable memory segment executable.

Detailed Description
    The /home/troy/cxoffice/bin/cxglibc-check application attempted to change
    the access protection of memory (e,g., allocated using malloc).  This is a
    potential security problem.  Applications should not be doing this.
    Applications are sometimes coded incorrectly and request this permission.
    The http://people.redhat.com/drepper/selinux-mem.html web page explains how
    to remove this requirement.  If /home/troy/cxoffice/bin/cxglibc-check does
    not work and you need it to work, you can configure SELinux temporarily to
    allow this access until the application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /home/troy/cxoffice/bin/cxglibc-check to run correctly, you can
    change the context of the executable to unconfined_execmem_exec_t. "chcon -t
    unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check". You must
    also change the default file context files on the system in order to
    preserve them even on a full relabel.  "semanage fcontext -a -t
    unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check

Additional Information        

Source Context                system_u:system_r:unconfined_t
Target Context                system_u:system_r:unconfined_t
Target Objects                None [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.5-7.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.allow_execmem
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.23-0.110.rc3.git1.fc8 #1 SMP Wed Aug 15
                              17:59:11 EDT 2007 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 17 Aug 2007 08:49:11 PM EDT
Last Seen                     Sat 18 Aug 2007 10:02:37 AM EDT
Local ID                      e3a67a24-53ed-4a03-874d-adb0b1bc4337
Line Numbers                  

Raw Audit Messages            

avc: denied { execmem } for comm="cxglibc-check" egid=500 euid=500
exe="/home/troy/cxoffice/bin/cxglibc-check" exit=0 fsgid=500 fsuid=500 gid=500
items=0 pid=3246 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

============
Here's a copy of my config file

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=diabled
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

Comment 1 Troy Deierling 2007-08-18 14:41:49 UTC
Install went fine after running
chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check



Comment 2 Troy Deierling 2007-08-18 18:21:09 UTC
Disregard, it was a typo in the config.  Sorry!
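
Added example, not part of the original report: a shell check for the kind of misspelled `SELINUX=` value shown in the config file above. It accepts only the three values listed in that file's own comments. The function names `selinux_config_value` and `check_selinux_config` are hypothetical, and the sample config is constructed from the one in the report.

```shell
#!/bin/sh
# Added example. The function names below are hypothetical helpers.

# Print the value of the last uncommented SELINUX= line in file $1.
# The pattern requires "=" right after SELINUX, so SELINUXTYPE= is skipped.
selinux_config_value() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1
}

# Return 0 if SELINUX= holds one of the three documented values,
# 1 if it is missing or unrecognized, 2 if the file cannot be read.
check_selinux_config() {
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    value=$(selinux_config_value "$cfg")
    case "$value" in
        enforcing|permissive|disabled)
            echo "OK: SELINUX=$value" ;;
        "")
            echo "ERROR: no SELINUX= line in $cfg" >&2; return 1 ;;
        *)
            echo "ERROR: SELINUX=$value is not enforcing, permissive or disabled" >&2
            return 1 ;;
    esac
}

# Constructed sample reproducing the relevant lines of the reported config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=diabled
SELINUXTYPE=targeted
EOF
if check_selinux_config "$sample"; then
    echo "config value is valid"
else
    echo "config value is invalid"
fi
# Show the running mode too, if the getenforce utility is installed.
if command -v getenforce >/dev/null 2>&1; then
    echo "running mode: $(getenforce)"
fi
rm -f "$sample"
```

Run `check_selinux_config` with no argument to check `/etc/selinux/config` itself.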