Bug 529757

Summary: Fix up gcl SELinux code.
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: gclAssignee: Jerry James <loganjerry>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: eparis, green, loganjerry
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-19 18:17:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Walsh 2009-10-19 19:56:29 UTC 
Description of problem:

You gcl policy will not work with confined users.

It will not allow me to disable the unconfined policy module.

Please change it to 

optional_policy(`
	unconfined_domain(gcl_t)
')

Is this really required?

allow gcl_t self:memprotect mmap_zero;

If yes, the policy should be

domain_mmap_low_type(gcl_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low(gcl_t)
')
Comment 1 Eric Paris 2009-10-19 20:09:15 UTC 
I STRONGLY suggest you figure out what what is requiring mmap_zero

mmap(NULL, ..., MAP_FIXED, ...

and rework your code.  That's a very bad idea to allow for security reasons and something Linux does not allow regular users (even without selinux) do by default.
Comment 2 Eric Paris 2009-10-19 20:15:24 UTC 
(unrelated note but dan showed me your policy out of band)

execheap?  you know that isn't POSIX complaint? (it's actually forbidden by POSIX)  You really should be using mmap with PROT_EXEC. 

http://people.redhat.com/drepper/selinux-mem.html 

explains most of the memory potections (not mmap_zero) and how they should be handled in a more secure manor....
Comment 3 Jerry James 2009-10-20 21:58:41 UTC 
I made the first change requested in comment #0 and am testing it now.

As for the second change in comment #0 and comment #1, no, it appears that gcl does NOT need mmap_zero, so I have removed that from the policy.

With respect to comment #2, gcl is generating and compiling code on the fly.  The gcl code that does this is VERY complex.  I took a stab at changing it to use mmap with PROT_EXEC last winter, when I took over maintainership of the package.  I failed.  I simply don't have the time I need to study the gcl code enough to understand it deeply enough to edit it in this fashion.  That is not likely to change any time soon.  Upstream is nearly (but not completely) dead, so I do not hold out any hope of convincing them to do the work.  If someone who is able to make it work correctly steps up with a patch, I would be happy to include it in the gcl package.
Comment 4 Fedora Update System 2009-10-20 22:47:05 UTC 
gcl-2.6.8-0.6.20090701cvs.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gcl-2.6.8-0.6.20090701cvs.fc12
Comment 5 Fedora Update System 2009-10-20 22:47:17 UTC 
gcl-2.6.8-0.4.20090701cvs.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gcl-2.6.8-0.4.20090701cvs.fc11
Comment 6 Fedora Update System 2009-11-04 12:18:03 UTC 
gcl-2.6.8-0.4.20090701cvs.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Bug Zapper 2009-11-16 13:51:50 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping