Bug 498776
| Summary: | SELinux is preventing R from changing a writable memory segment executable. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Allan Engelhardt <allane> |
| Component: | R | Assignee: | Tom "spot" Callaway <tcallawa> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 10 | CC: | dwalsh, tcallawa |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-12-18 09:23:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I also get a lot of +++[cut]+++ Summary: SELinux is preventing R from making the program stack executable. Detailed Description: The R application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If R does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust R to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/lib64/R/bin/exec/R'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib64/R/bin/exec/R'" Fix Command: chcon -t unconfined_execmem_exec_t '/usr/lib64/R/bin/exec/R' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects None [ process ] Source nautilus Source Path /usr/bin/nautilus Port <Unknown> Host server.cybaea.net Source RPM Packages R-core-2.9.0-2.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-57.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execstack Host Name xxx Platform Linux xxx 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64 Alert Count 7542 First Seen Sat 25 Apr 2009 09:18:31 BST Last Seen Sun 03 May 2009 13:00:20 BST Local ID 5915110c-8c92-4c0d-99f9-063b3072a20c Line Numbers Raw Audit Messages node=xxx type=AVC msg=audit(1241352020.998:16065): avc: denied { execstack } for pid=32581 comm="R" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process node=xxx type=SYSCALL msg=audit(1241352020.998:16065): arch=c000003e syscall=10 success=no exit=-13 a0=7fff79261000 a1=1000 a2=1000007 a3=7f8371263000 items=0 ppid=32577 pid=32581 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1 comm="R" exe="/usr/lib64/R/bin/exec/R" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) ---[cut]--- After updating my installed packages I have 7,542 of these and 18 of the previous one. Hopefully, Dan will know what to do here. :) What is R? If you label it execmem_exec_t does it work? chcon -t execmem_exec_t '/usr/lib64/R/bin/exec/R' Probably need to treat it like java, wine, mono. > What is R? A tool for statistical computing and analysis. > If you label it execmem_exec_t does it work? Yes. > Probably need to treat it like java, wine, mono. That seems like over-kill: R only appears to need execmem_exec_t while it is compiling third party (CRAN, like CPAN for perl) packages. For normal operation it is not needed. Well currently the only difference between a user executing a java/mono/wine app and a regular app is that the app is allowed to execmem. and then it gets the same privs as the user would have gotten. /usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) /usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) Fixed in selinux-policy-3.6.12-36.fc11.noarch This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |
Description of problem: When running with enforcing SELinux and with the boolean allow_execmem unset, I get SELinux errors from R. I currently have 12 of them since I started (re-)installing some views. Version-Release number of selected component (if applicable): I am pretty sure it is R-core, but here goes. $ rpm -qa | grep '^R-' | sort R-2.9.0-2.fc10.x86_64 R-abind-1.1-2.fc9.noarch R-acepack-1.3-4.fc9.x86_64 R-affyio-1.10.1-2.fc10.x86_64 R-biglm-0.4-1.fc10.x86_64 R-bigmemory-2.3-3.fc10.x86_64 R-Biobase-2.2.2-1.fc10.x86_64 R-BSgenome.Celegans.UCSC.ce2-1.2.0-5.noarch R-BSgenome.Dmelanogaster.FlyBase.r51-1.3.1-3.noarch R-BufferedMatrix-1.6.0-2.fc10.x86_64 R-BufferedMatrix-devel-1.6.0-2.fc10.x86_64 R-BufferedMatrixMethods-1.3.0-3.fc9.x86_64 R-car-1.2-4.fc10.noarch R-core-2.9.0-2.fc10.x86_64 R-DBI-0.2-2.fc10.noarch R-devel-2.9.0-2.fc10.x86_64 R-DynDoc-1.20.0-1.fc10.noarch R-GeneR-2.12.0-1.fc10.x86_64 R-hdf5-1.6.8-1.fc10.x86_64 R-hgu95av2probe-2.0.0-1.fc9.noarch R-IRanges-1.1.55-1.fc10.x86_64 R-java-2.9.0-2.fc10.x86_64 R-java-devel-2.9.0-2.fc10.x86_64 R-lmtest-0.9-2.fc10.x86_64 R-maanova-1.12.0-1.fc10.x86_64 R-mAr-1.1-13.fc9.x86_64 R-multcomp-1.0-2.fc10.noarch R-multtest-1.22.0-1.fc10.x86_64 R-mvtnorm-0.9-1.fc10.x86_64 R-nws-1.7.0.0-1.fc10.noarch R-pls-2.1-5.fc10.noarch R-qtl-1.10-2.fc10.x86_64 R-qvalue-1.16.0-1.fc10.noarch R-rlecuyer-0.2-1.fc10.x86_64 R-RODBC-1.2-2.fc10.x86_64 R-RScaLAPACK-0.5.1-18.fc10.x86_64 R-RSQLite-0.6-3.fc10.x86_64 R-RUnit-0.4.21-3.fc10.noarch R-systemfit-1.0-4.fc10.noarch R-tkWidgets-1.20.0-1.fc10.noarch R-waveslim-1.6.1-2.fc9.x86_64 R-wavethresh-2.2-9.fc9.x86_64 R-widgetTools-1.18.0-1.fc10.noarch R-zoo-1.5-5.fc10.noarch How reproducible: Very Steps to Reproduce: It seems to be happening when I download or update or install or compile packages (not sure exactly where). In my .Rprofile I have +++[cut]+++ install.myviews <- function() { require("ctv", quietly=TRUE) my.views = c("Bayesian", "Cluster", "Graphics", "gR", "HighPerformanceComputing", "MachineLearning", "Multivariate", "NaturalLanguageProcessing", "Robust", "SocialSciences", "Spatial", "Survival", "TimeSeries") install.views(views=my.views, lib=Sys.getenv("R_LIBS"), dependencies=c("Depends","Suggests")) } ---[cut]--- and I do 1. $ echo -e "install.myviews()" > /tmp/r.cmd && R CMD BATCH /tmp/r.cmd /tmp/r.out 2. 3. Actual results: SELinux alerts as shown below in 'Additional info' Expected results: No package should need allow_execmem Additional info: +++[cut]+++ Summary: SELinux is preventing R from changing a writable memory segment executable. Detailed Description: The R application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If R does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: If you trust R to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/lib64/R/bin/exec/R'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib64/R/bin/exec/R'" Fix Command: chcon -t unconfined_execmem_exec_t '/usr/lib64/R/bin/exec/R' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects None [ process ] Source gnome-screensav Source Path /usr/libexec/gnome-screensaver-gl-helper Port <Unknown> Host server.cybaea.net Source RPM Packages R-core-2.9.0-2.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-57.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execmem Host Name xxx Platform Linux xxx 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64 Alert Count 12 First Seen Sat 25 Apr 2009 10:24:17 BST Last Seen Sun 03 May 2009 10:21:12 BST Local ID 671ff264-b2b6-4425-ae44-0d4dbb475ae5 Line Numbers Raw Audit Messages node=xxx type=AVC msg=audit(1241342472.851:9616): avc: denied { execmem } for pid=23311 comm="R" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process node=xxx type=SYSCALL msg=audit(1241342472.851:9616): arch=c000003e syscall=9 success=no exit=-13 a0=7f59660dd000 a1=38000 a2=7 a3=812 items=0 ppid=23307 pid=23311 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1 comm="R" exe="/usr/lib64/R/bin/exec/R" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) ---[cut]---