Bug 427161
| Summary: | denial setting heap access protection in ld-27.so | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | kincaid <gmail987654321> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED WORKSFORME | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | CC: | jonstanley |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-02-26 22:38:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Making subject sane, reassigning to policy. Did you implement the workaround suggested in the error message? This should allow whatever was denied to succeed. Moreover, what exactly is the cron job that you are attempting to execute (i.e. what are you trying to do). This may help. Is this a cron job run by a user? download then apply updates is when it happen I am going to mark this as fixed in the latest release. I have not heard of this happening since. |
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Summary SELinux is preventing /lib/ld-2.7.so from changing the access protection of memory on the heap. Detailed Description The /lib/ld-2.7.so application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. If /lib/ld-2.7.so does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access If you want /lib/ld-2.7.so to continue, you must turn on the allow_execheap boolean. Note: This boolean will affect all applications on the system. The following command will allow this access: setsebool -P allow_execheap=1 Additional Information Source Context unconfined_u:unconfined_r:unconfined_crond_t:s0 Target Context unconfined_u:unconfined_r:unconfined_crond_t:s0 Target Objects None [ process ] Affected RPM Packages glibc-2.7-2 [application] Policy RPM selinux-policy-3.0.8-44.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.allow_execheap Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686 Alert Count 1 First Seen Tue 01 Jan 2008 08:18:12 AM EST Last Seen Tue 01 Jan 2008 08:18:12 AM EST Local ID 3cc8eab5-96d0-4f36-9dc3-3df15b37b320 Line Numbers Raw Audit Messages avc: denied { execheap } for comm=ld-linux.so.2 egid=0 euid=0 exe=/lib/ld-2.7.so exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20957 scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 sgid=0 subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 suid=0 tclass=process tcontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tty=(none) uid=0