Bug 627055

Summary: SELinux is preventing /usr/sbin/squid from loading /usr/sbin/squid which requires text relocation.
Product: [Fedora] Fedora Reporter: Gabriel Sfestarof <ronin3510>
Component: squidAssignee: Jiri Skala <jskala>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 12CC: aglotov, drepper, dwalsh, henrik, jonathansteffan, jskala, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:777c85243d7e3633339ddd0582a1293f26489bb3c03cd8e142ed9060c2fc78b2
Fixed In Version: squid-3.1.8-1.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-09-15 07:11:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gabriel Sfestarof 2010-08-24 23:56:08 UTC 
Summary:

SELinux is preventing /usr/sbin/squid from loading /usr/sbin/squid which
requires text relocation.

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

The squid application attempted to load /usr/sbin/squid which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/sbin/squid to use relocation as a workaround, until the library is fixed.
Please file a bug report.

Allowing Access:

If you trust /usr/sbin/squid to run correctly, you can change the file context
to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/sbin/squid'" You must also
change the default file context files on the system in order to preserve them
even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/sbin/squid'"

Fix Command:

chcon -t textrel_shlib_t '/usr/sbin/squid'

Additional Information:

Source Context                unconfined_u:system_r:squid_t:s0
Target Context                system_u:object_r:squid_exec_t:s0
Target Objects                /usr/sbin/squid [ file ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           squid-3.1.7-1.fc12
Target RPM Packages           squid-3.1.7-1.fc12
Policy RPM                    selinux-policy-3.6.32-121.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.18-159.fc12.x86_64
                              #1 SMP Tue Aug 10 20:43:59 UTC 2010 x86_64 x86_64
Alert Count                   12
First Seen                    Tue 24 Aug 2010 11:03:01 AM EEST
Last Seen                     Wed 25 Aug 2010 02:51:34 AM EEST
Local ID                      c4218357-7dcc-4576-b81a-0ea0c800cba7
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1282693894.480:14369): avc:  denied  { execmod } for  pid=8903 comm="squid" path="/usr/sbin/squid" dev=sda8 ino=22703 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282693894.480:14369): arch=c000003e syscall=10 success=yes exit=128 a0=7f9ea0bdc000 a1=2d8000 a2=5 a3=7f9ea0c985e0 items=0 ppid=8902 pid=8903 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)



Hash String generated from  allow_execmod,squid,squid_t,squid_exec_t,file,execmod
audit2allow suggests:

#============= squid_t ==============
allow squid_t squid_exec_t:file execmod;
Comment 1 Daniel Walsh 2010-08-25 02:44:02 UTC 
Did you install a different version of squid?  This is very strange access.
Comment 2 Gabriel Sfestarof 2010-08-25 02:54:34 UTC 
(In reply to comment #1)
> Did you install a different version of squid?  This is very strange access.

Actually no. I've had this behaviour using the last two koji available packages. Here's the log:

grep squid /var/log/yum.log 
May 27 13:41:27 Installed: 7:squid-3.1.3-2.fc12.x86_64
May 27 13:41:32 Installed: squidGuard-1.4-8.fc12.x86_64
Jun 01 03:33:32 Updated: 7:squid-3.1.4-1.fc12.x86_64
Jun 02 08:00:15 Updated: 7:squid-3.1.4-2.fc12.x86_64
Aug 24 11:02:54 Updated: 7:squid-3.1.6-1.fc12.x86_64
Aug 25 02:50:09 Updated: 7:squid-3.1.7-1.fc12.x86_64
Comment 3 Gabriel Sfestarof 2010-08-25 03:02:41 UTC 
Reverting to 4-2 and all works as expected. What I don't get is how simple bugfixes trigger textrell issues.
Comment 4 Henrik Nordström 2010-08-25 15:09:51 UTC 
one of the changes is to use system provided libtool instead of bundled version. 

libtool.autoconf integration also updated from libtool-1.x style to libtool-2.x
Comment 5 Henrik Nordström 2010-08-25 18:58:11 UTC 
The F13 update to same version do not show this problem.
Comment 6 Henrik Nordström 2010-08-25 19:02:12 UTC 
Looking closely what is more odd is why this complaint were not seen before on F12.

The F12 and F13 packages differ slightly in how they set the compiler flags which may be the reason.
Comment 7 Jiri Skala 2010-08-26 07:21:09 UTC 
I've observed same behaviour. Selinux-policy don't complain same version of squid in F13.

Dan what's the difference between selinux-policy in F12 & F13? What exactly is complained by selinux-policy?
Comment 8 Daniel Walsh 2010-08-26 11:37:18 UTC 
Nothing as far as this denial.  execmod on an executable is very rare.  I think this is a build issue.
Comment 9 Henrik Nordström 2010-08-26 13:17:44 UTC 
f13 srpm rebuilt on f12 seems to work.
Comment 10 Jiri Skala 2010-08-26 14:42:31 UTC 
Great, you are right Henrik.

Exporting flags before building affects build that it produces this issue. Commenting this part of spec fixes the issue.

Unfortunately I think f13 settings should be 'tuned' too.
Comment 11 Henrik Nordström 2010-08-26 14:54:33 UTC 
you know these much better. please fix up.

i did not backport the changes as it seems in conflict with earlier changelog entries for ppc.
Comment 12 Jiri Skala 2010-08-27 07:09:18 UTC 
Well, the issue is generated when -fPIE option is used. I don't think this is correct.

Dan, I suppose selinux-policy should be updated. Then I'll correct spec files for F13+. There is incorrect placing flags exportation. Therefore the issue is currently only generated by F12.

I suppose Henrik's comment #4 is also important. This is probably a trigger.
Comment 13 Daniel Walsh 2010-08-27 15:36:14 UTC 
Huh, what selinux-policy change is necessary?  We are not going to allow execmod of an executable.
Comment 14 Henrik Nordström 2010-08-27 19:00:28 UTC 
Is GCC flags -fPIC / -fPIE / -pic / -pie related to execmod requirement somehow?

Not sure what would trigger a execmod requirement.
Comment 15 Henrik Nordström 2010-09-02 08:28:02 UTC 
http://www.akkadia.org/drepper/textrelocs.html explains the issue quite well. Thanks Michal Schmidt for the pointer.

Do we need to force these flags in the spec file?
Comment 16 Jiri Skala 2010-09-03 08:10:52 UTC 
> Do we need to force these flags in the spec file?

Usage of these flags is better but not necessary. Well, I'll remove these flags.
Comment 17 Henrik Nordström 2010-09-03 09:15:05 UTC 
Have removed the flags from F12 in squid-3.1.7-1.fc12.1

Will be removed from F13+ in next update. Have no effect there.
Comment 18 Fedora Update System 2010-09-03 09:27:34 UTC 
squid-3.1.7-1.fc12.1 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/squid-3.1.7-1.fc12.1
Comment 19 Fedora Update System 2010-09-04 05:01:15 UTC 
squid-3.1.7-1.fc12.1 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update squid'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/squid-3.1.7-1.fc12.1
Comment 20 Gabriel Sfestarof 2010-09-04 21:46:52 UTC 
Confirming the new build works fine. No more AVC denials. Thank you
Comment 21 Henrik Nordström 2010-09-05 09:50:19 UTC 
Have figured out why the -PIE flags failed. Is libtool that strips them from the compile line by default.
Comment 22 Fedora Update System 2010-09-05 17:20:49 UTC 
squid-3.1.8-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/squid-3.1.8-1.fc13
Comment 23 Fedora Update System 2010-09-05 17:21:11 UTC 
squid-3.1.8-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/squid-3.1.8-1.fc14
Comment 24 Fedora Update System 2010-09-05 17:21:33 UTC 
squid-3.1.8-1.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/squid-3.1.8-1.fc12
Comment 25 Fedora Update System 2010-09-15 07:10:37 UTC 
squid-3.1.8-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2010-09-15 22:27:46 UTC 
squid-3.1.8-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2010-09-15 22:34:06 UTC 
squid-3.1.8-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.