Bug 605293

Summary: SELinux is preventing skype "execmem" access on <Unknown>
Product: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i686
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Keywords: Reopened
Reporter: sd.domrep
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2010-07-16 19:32:00 UTC

Description sd.domrep 2010-06-17 15:09:24 UTC
Description of problem:

Summary:

SELinux is preventing skype "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by skype. The current boolean settings do not
allow this access. If you have not setup skype to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        skype
Source Path                   skype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.3-4.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.34-40.fc14.i686.PAE #1 SMP Wed Jun 16 15:15:36
                              UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 17 Jun 2010 07:02:23 PM MSD
Last Seen                     Thu 17 Jun 2010 07:02:23 PM MSD
Local ID                      9f04bb59-bf65-4b7f-bd36-47e0c034e04f
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1276786943.735:13823): avc:  denied  { execmem } for  pid=1297 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1276786943.735:13823): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=1f5af48 a1=bff27730 a2=1f5fad0 a3=9dcc80 items=0 ppid=1 pid=1297 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

selinux-policy-3.8.3-4.fc14

Comment 1 Daniel Walsh 2010-06-18 14:40:00 UTC
Where did you install the skype tool?

chcon -t execmem_exec_t PATHTO/skype

Will allow the access.

setsebool -P allow_execmem 1

Will turn off the check.

The mapping for the current path is 

/usr/bin/skype	--	system_u:object_r:execmem_exec_t:s0

restorecon /usr/bin/skype 

will fix the label if that is where you stored it.

Comment 2 sd.domrep 2010-06-18 20:17:53 UTC
Thanks for the answer.
Actually, Sir, I did not choose where to install it; rpm did.
And it is:
$ whereis skype
skype: /usr/bin/skype /usr/share/skype.

And skype always worked before.

Comment 3 Daniel Walsh 2010-06-21 19:06:17 UTC
Did you run restorecon on it?

restorecon -R -v /usr/bin/skype
ls -lZ /usr/bin/skype

Comment 4 sd.domrep 2010-06-22 08:06:18 UTC
Thanks for the answer.

I want to say that skype was installed at the same time as rawhide, and it worked with
selinux-policy-3.6.32-78 through selinux-policy-3.8.1-5. It stopped working with 3.8.3-1 or 3.8.3-4, because I only checked it after the 3.8.3-4 update.

Output # ls -lZ /usr/bin/skype 
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype

Shall I do restorecon -R -v /usr/bin/skype then?

Thanks.

Comment 5 Daniel Walsh 2010-06-22 12:38:30 UTC
No that is the correct label.  Does it work now?

Comment 6 sd.domrep 2010-06-22 20:14:20 UTC
No, it doesn't work.

That is why I wrote here.

Comment 7 sd.domrep 2010-06-23 07:52:53 UTC
I updated today. Now:
Jun 23 11:34:23 Updated: selinux-policy-3.8.5-1.fc14.noarch
Jun 23 11:36:20 Updated: selinux-policy-targeted-3.8.5-1.fc14.noarch


The result is the same.
# ls -lZ /usr/bin/skype 
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype

$ skype
Killed


Summary:

SELinux is preventing skype "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by skype. The current boolean settings do not
allow this access. If you have not setup skype to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        skype
Source Path                   skype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.5-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.34-45.fc14.i686.PAE #1 SMP Mon Jun 21 21:27:49  UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 23 Jun 2010 12:11:31 AM MSD
Last Seen                     Wed 23 Jun 2010 11:45:01 AM MSD
Local ID                      fb4d235b-1fcb-41d5-93b7-b7ce040b05c6
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1277279101.218:13658): avc:  denied  { execmem } for  pid=1388 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1277279101.218:13658): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=85d29b0 a1=85da9a8 a2=85d3a80 a3=85da9a8 items=0 ppid=1305 pid=1388 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 8 Daniel Walsh 2010-06-25 19:09:42 UTC
Either you are not executing the skype you think you are, or there is something very strange on your machine.

which skype

Comment 9 sd.domrep 2010-06-25 20:14:26 UTC
I executed:
 setsebool -P allow_execstack 1
And now skype works.

Thanks.

Comment 10 sd.domrep 2010-06-26 07:41:51 UTC
I was too quick. "setsebool -P allow_execstack 1" works, but it is application independent.
Skype starts to work, but so does Firefox. I do not like that kind of protection.

So I turned it back. Skype doesn't work now, and neither do some Firefox plugins.

What about my skype: I got it from the skype web site, Skype 2.1.0.81, and I installed it with
yum --nogpgcheck.

The bug is open, because the problem still exists.

Comment 11 Daniel Walsh 2010-06-28 15:08:14 UTC
Execute 

which skype


Then execute

ls -lZ `which skype`

Comment 12 sd.domrep 2010-06-28 18:46:20 UTC
Thanks for the reply.

[root@localhost ~]# which skype
/usr/bin/skype
[root@localhost ~]# ls -lZ `which skype`
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype


I installed skype with rawhide, and it works until the last selinux update.

Comment 13 sd.domrep 2010-06-28 19:15:56 UTC
Sorry, I meant:
... and it worked until the last selinux update.

Comment 14 sd.domrep 2010-06-28 19:33:37 UTC
If it helps you, output of the "strace":

$ strace skype
execve("/usr/bin/skype", ["skype"], [/* 45 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed

Comment 15 Daniel Walsh 2010-06-29 15:52:14 UTC
# cat > /usr/bin/myskype << _EOF
#!/bin/sh
id -Z
_EOF
# chmod +x /usr/bin/myskype
# chcon -t execmem_exec_t /usr/bin/myskype
# /usr/bin/myskype

What does it output?

Comment 16 sd.domrep 2010-06-29 18:20:06 UTC
The output is:
unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023

Comment 17 sd.domrep 2010-07-02 10:55:19 UTC
I tried to reinstall skype (I removed it first), but still got the same result: killed, and the same SELinux denial.

Comment 18 Daniel Walsh 2010-07-12 20:01:36 UTC
Could you attach the latest avc messages?

BTW I just used skype while on vacation for two weeks and it worked fine in confinement.

Comment 19 sd.domrep 2010-07-13 11:12:48 UTC
I am talking about rawhide Fedora 14.


Summary:

SELinux is preventing skype "execmem" access on <Unknown>.

Detailed Description:

SELinux denied access requested by skype. The current boolean settings do not
allow this access. If you have not setup skype to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        skype
Source Path                   skype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.6-2.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.35-0.31.rc4.git4.fc14.i686.PAE #1 SMP Fri Jul
                              9 01:18:51 UTC 2010 i686 i686
Alert Count                   11
First Seen                    Mon 28 Jun 2010 11:30:39 PM MSD
Last Seen                     Tue 13 Jul 2010 03:06:05 PM MSD
Local ID                      48dcfb61-3147-44f5-9691-5c3a0b5bca7c
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1279019165.534:25): avc:  denied  { execmem } for  pid=1435 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1279019165.534:25): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=9bc08d0 a1=9bc0948 a2=9bbaa80 a3=9bc0948 items=0 ppid=1401 pid=1435 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


Thanks

Comment 20 Daniel Walsh 2010-07-13 12:25:22 UTC
So am I.

Could you give me the output of

which skype
ls -lZ `which skype`

Comment 21 Daniel Walsh 2010-07-13 12:26:34 UTC
Also could you execute 

# auditctl -w /etc/shadow -p w 
run skype
# ausearch -m avc -ts recent

And attach the avc messages.

Comment 22 sd.domrep 2010-07-13 18:40:09 UTC
As you asked.

$ which skype
/usr/bin/skype
$ ls -lZ `which skype`
-rwxr-xr-x. root root system_u:object_r:execmem_exec_t:s0 /usr/bin/skype

time->Tue Jul 13 22:31:36 2010
type=PATH msg=audit(1279045896.962:33): item=1 name=(null) inode=26685 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1279045896.962:33): item=0 name="/usr/bin/skype" inode=59729 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:execmem_exec_t:s0
type=CWD msg=audit(1279045896.962:33):  cwd="/home/vas"
type=EXECVE msg=audit(1279045896.962:33): argc=1 a0="skype"
type=SYSCALL msg=audit(1279045896.962:33): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=1d8fbe8 a1=bfbcb000 a2=1d947e0 a3=b48c80 items=2 ppid=1 pid=1537 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1279045896.962:33): avc:  denied  { execmem } for  pid=1537 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


I hope it helps.
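The records pasted above carry the whole story once they are joined on the audit event id: the AVC says execmem was denied to a task whose scontext is still unconfined_t, the SYSCALL record says this happened inside syscall 11 (execve on i386) and returned -13 (EACCES), and the PATH record shows the file being executed is /usr/bin/skype labelled execmem_exec_t. The short script below does that join and prints one summary line per event. It is an added example for this thread, not code from the bug report, from selinux-policy or from setroubleshoot; the sample text is constructed from the records in this comment, and the i386 syscall-number table is an assumption taken from the i386 syscall list rather than from the report.

```python
"""Correlate one SELinux audit event's records and summarise an execmem denial.

Added example for this bug thread: it is not part of the report, of
selinux-policy, or of setroubleshoot. SAMPLE is constructed from the records
the reporter pasted in comment 22 (audit event 1279045896.962:33).
"""
import re
from collections import defaultdict

# Assumption: i386 syscall numbers (arch=40000003), taken from the i386
# syscall table, not from the bug report. 11 is execve.
I386_SYSCALLS = {11: "execve", 125: "mprotect", 192: "mmap2"}

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")

# Constructed sample: the records from comment 22, one audit event.
SAMPLE = """\
type=PATH msg=audit(1279045896.962:33): item=1 name=(null) inode=26685 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1279045896.962:33): item=0 name="/usr/bin/skype" inode=59729 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:execmem_exec_t:s0
type=CWD msg=audit(1279045896.962:33):  cwd="/home/vas"
type=EXECVE msg=audit(1279045896.962:33): argc=1 a0="skype"
type=SYSCALL msg=audit(1279045896.962:33): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=1d8fbe8 a1=bfbcb000 a2=1d947e0 a3=b48c80 items=2 ppid=1 pid=1537 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="skype" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1279045896.962:33): avc:  denied  { execmem } for  pid=1537 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""


def parse_records(text):
    """Group audit records by event id (timestamp:serial), one dict per record."""
    events = defaultdict(list)
    for line in text.splitlines():
        event = EVENT_RE.search(line)
        if not event:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        perms = PERMS_RE.search(line)
        if perms:  # only AVC records carry a "{ perm ... }" set
            fields["perms"] = perms.group(1).split()
        events["%s:%s" % event.groups()].append(fields)
    return events


def context_type(context):
    """Type field of a SELinux context: user:role:type[:range] -> type."""
    return context.split(":")[2]


def summarise_event(records):
    """Join the AVC, SYSCALL and PATH records of one event into a flat summary."""
    avcs = [r for r in records if r["type"] == "AVC"]
    if not avcs:
        return None
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    exe = next((r for r in records if r["type"] == "PATH" and r.get("item") == "0"), None)
    summary = {
        "comm": avcs[0]["comm"],
        "denied": sorted({p for r in avcs for p in r["perms"]}),
        "tclass": avcs[0]["tclass"],
        "source_domain": context_type(avcs[0]["scontext"]),
        "target_domain": context_type(avcs[0]["tcontext"]),
        "syscall": None, "exit": None, "exe_path": None, "exe_type": None,
    }
    if syscall is not None:
        nr = int(syscall["syscall"])
        name = I386_SYSCALLS.get(nr) if syscall["arch"] == "40000003" else None
        summary["syscall"] = name or "syscall_%d" % nr
        summary["exit"] = int(syscall["exit"])
    if exe is not None:
        summary["exe_path"] = exe["name"]
        summary["exe_type"] = context_type(exe["obj"])
    # The point of the thread: the execmem check fired inside execve while the
    # task was still in the caller's domain (scontext == tcontext), so the
    # execmem_exec_t label on the file had not yet taken effect.
    summary["denied_in_caller_domain_during_exec"] = (
        summary["syscall"] == "execve"
        and summary["source_domain"] == summary["target_domain"]
        and summary["exe_type"] is not None
    )
    return summary


def report(text):
    """One human-readable line per event, in the order the events were seen."""
    lines = []
    for event_id, records in parse_records(text).items():
        s = summarise_event(records)
        if s is None:
            continue
        lines.append(
            "%s: %s denied %s on %s during %s (exit %s); caller domain %s, "
            "file %s labelled %s" % (event_id, s["comm"], ",".join(s["denied"]),
                                     s["tclass"], s["syscall"], s["exit"],
                                     s["source_domain"], s["exe_path"], s["exe_type"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Fed the output of `ausearch -m avc -ts recent` (with the SYSCALL and PATH records, which setroubleshoot's alert text omits), the same join tells you whether a denial came from the program's own mmap/mprotect calls after the domain transition, or from the kernel's checks during the execve itself, which is the case here.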

Comment 24 Daniel Walsh 2010-07-13 20:28:21 UTC
Finally some synapses fired in my brain about this and I remember this being talked about years ago.

http://www.nsa.gov/research/selinux/list-archive/0708/22072.shtml

Comment 25 Daniel Walsh 2010-07-13 20:36:57 UTC
Looks like I had allow_execstack turned on which is why skype was working for me.  Sorry about that.

runcon -t unconfined_execmem_t -- bash -c "/usr/bin/skype"

Would work, or

Create a shell script in your home dir named skype that executes /usr/bin/skype, and label it execmem_exec_t.

mkdir -p ~/bin
cat > ~/bin/skype << '_EOF'
#!/bin/sh
# The heredoc delimiter is quoted so "$@" is written literally instead of
# being expanded (to nothing) by the shell that creates the wrapper; "$@"
# passes arguments through intact where an unquoted $* would split them.
exec /usr/bin/skype "$@"
_EOF
chmod +x ~/bin/skype
chcon -t execmem_exec_t ~/bin/skype
~/bin/skype

If you add ~/bin to your PATH, skype should work.

Comment 26 Daniel Walsh 2010-07-13 20:37:24 UTC
skype is the only app that I have seen this happen to.

Comment 27 sd.domrep 2010-07-14 18:57:43 UTC
Thanks, you have a good memory; the conversation was in 2007.

I prefer "runcon"; it is easy and doesn't change anything.
But what about others, when rawhide becomes Fedora 14? What will the solution be?

Second, you probably know about the same problem with firefox?

Summary:

SELinux is preventing firefox from making its memory writable and executable.

Detailed Description:

The firefox application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Firefox is probably not the problem here, but one of its plugins. You could remove the plugin and the app would no longer require the access. If you figure out which plugin is causing the access request, please open a bug report on the plugin.

I tried to start firefox like skype:
runcon -t unconfined_execmem_t -- bash -c "/usr/bin/firefox"

And it works of course.
Can it be the same problem?

Thanks for the solution.
I think this bug can now be closed.