Bug 544453

Sommario:

SELinux is preventing /lib/ld-2.11.so from making the program stack executable.

Descrizione dettagliata:

The ld-linux.so.2 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If ld-linux.so.2 does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report.

Abilitazione accesso in corso:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
ld-linux.so.2 to run correctly, you can change the context of the executable to
execmem_exec_t. "chcon -t execmem_exec_t '/lib/ld-2.11.so'" You must also change
the default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t execmem_exec_t '/lib/ld-2.11.so'"

Comando fix:

chcon -t execmem_exec_t '/lib/ld-2.11.so'

Informazioni aggiuntive:

Contesto della sorgente       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contesto target               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Oggetti target                None [ process ]
Sorgente                      ld-linux.so.2
Percorso della sorgente       /lib/ld-2.11.so
Porta                         <Sconosciuto>
Host                          (removed)
Sorgente Pacchetti RPM        glibc-2.11-2
Pacchetti RPM target          
RPM della policy              selinux-policy-3.6.32-49.fc12
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing           Enforcing
Nome plugin                   allow_execstack
Host Name                     (removed)
Piattaforma                   Linux (removed) 2.6.31.6-145.fc12.i686
                              #1 SMP Sat Nov 21 16:28:23 EST 2009 i686 i686
Conteggio avvisi              6
Primo visto                   mer 02 dic 2009 22:18:34 CET
Ultimo visto                  mer 02 dic 2009 22:27:40 CET
ID locale                     3e4f48c5-127f-4cc9-be53-30927eb16fa6
Numeri di linea               

Messaggi Raw Audit            

node=(removed) type=AVC msg=audit(1259789260.665:39): avc:  denied  { execstack } for  pid=3160 comm="ld-linux.so.2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1259789260.665:39): arch=40000003 syscall=125 success=no exit=-13 a0=bfc86000 a1=1000 a2=1000007 a3=bfc86ca4 items=0 ppid=1 pid=3160 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="ld-linux.so.2" exe="/lib/ld-2.11.so" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-49.fc12,allow_execstack,ld-linux.so.2,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t self:process execstack;