Bug 679199

Summary: SELinux is preventing /usr/bin/amule from using the 'execstack' accesses on a process.
Product: [Fedora] Fedora
Reporter: antonio montagnani <antonio.montagnani>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:8b19572cf594014bbeecefc132660b05664f3341dc7c08ebceb1fd1e99f996d2
Doc Type: Bug Fix
Last Closed: 2011-02-22 11:34:44 UTC

Description antonio montagnani 2011-02-21 21:12:06 UTC
SELinux is preventing /usr/bin/amule from using the 'execstack' accesses on a process.

*****  Plugin allow_execstack (53.1 confidence) suggests  ********************

If you believe that 
None
should not require execstack
Then you should clear the execstack flag and see if /usr/bin/amule works correctly.
Report this as a bug on None.
You can clear the exestack flag by executing:
Do
execstack -c None

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that amule should be allowed execstack access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep amule /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        amule
Source Path                   /usr/bin/amule
Port                          <Sconosciuto>
Host                          (removed)
Source RPM Packages           amule-2.2.6-3.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon
                              Feb 7 06:57:55 UTC 2011 i686 i686
Alert Count                   1
First Seen                    lun 21 feb 2011 22:10:50 CET
Last Seen                     lun 21 feb 2011 22:10:50 CET
Local ID                      c81b0fe0-0612-46ad-9534-bafd12db677f

Raw Audit Messages
type=AVC msg=audit(1298322650.653:22): avc:  denied  { execstack } for  pid=2498 comm="amule" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1298322650.653:22): arch=i386 syscall=mprotect success=no exit=EACCES a0=bfa93000 a1=1000 a2=1000007 a3=bfa924e4 items=0 ppid=1 pid=2498 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=amule exe=/usr/bin/amule subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: amule,unconfined_t,unconfined_t,process,execstack

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
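
Added example, not part of the original report: a small Python triage helper that joins the AVC and SYSCALL records above by audit event id and decodes the `mprotect` protection argument (`a2`). The function names are hypothetical, the sample lines are the report's two records shortened to the fields used, and the syscall is assumed to be logged by name as it is on this page.

```python
import re

# mprotect(2) protection bits as defined in the Linux UAPI headers
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
             0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}

# The two raw records from this report, shortened to the fields used here.
SAMPLE = [
    'type=AVC msg=audit(1298322650.653:22): avc:  denied  { execstack } for '
    ' pid=2498 comm="amule" tclass=process',
    'type=SYSCALL msg=audit(1298322650.653:22): arch=i386 syscall=mprotect '
    'success=no exit=EACCES a0=bfa93000 a1=1000 a2=1000007 a3=bfa924e4 '
    'pid=2498 comm=amule exe=/usr/bin/amule',
]

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")

def decode_prot(hex_arg):
    """Turn the hex a2 argument of mprotect into flag names."""
    value = int(hex_arg, 16)
    return [name for bit, name in PROT_BITS.items() if value & bit]

def execstack_denials(lines):
    """Join AVC and SYSCALL records by event id; report execstack denials."""
    events = {}
    for line in lines:
        m = HEADER.match(line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    findings = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC", ""), recs.get("SYSCALL", "")
        perms = re.search(r"denied\s+\{([^}]*)\}", avc)
        if not perms or "execstack" not in perms.group(1).split():
            continue
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', sc))
        findings.append({"event": event_id, "exe": f.get("exe"),
                         "syscall": f.get("syscall"), "addr": f.get("a0"),
                         "prot": decode_prot(f["a2"]) if "a2" in f else []})
    return findings

if __name__ == "__main__":
    for finding in execstack_denials(SAMPLE):
        print(finding)
```

For this report `a2=1000007` decodes to read, write and exec plus `PROT_GROWSDOWN`, that is, a request to make the stack mapping executable rather than an ordinary RWX mapping.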

Comment 1 Daniel Walsh 2011-02-21 22:32:27 UTC
What kind of app is /usr/bin/amule? Java? Mono? You could label it execmem_exec_t if it really needs this access.

Comment 2 antonio montagnani 2011-02-21 22:40:26 UTC
amule comes from RPMFusion.
It was working before the last updates of selinux-policy coming from Fedora-updates-testing.

Comment 3 Miroslav Grepl 2011-02-22 11:34:44 UTC
AFAIK aMule is not a Java or Mono app.

*** This bug has been marked as a duplicate of bug 652297 ***

Comment 4 Daniel Walsh 2011-02-22 14:54:37 UTC
Well, there was no change in policy that would cause this to break; either amule changed or something strange is going on. You might want to search for libraries with the execstack flag turned on.

You can look at the bugzilla this app is closed as a dup of to figure out how to look.

Comment 5 antonio montagnani 2011-02-22 15:10:38 UTC
[antonio@Acer ~]$ find /lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X 
[antonio@Acer ~]$ find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X 
X /usr/lib/libSDL-1.2.so.0
X /usr/lib/libSDL-1.2.so.0.11.3

Comment 6 antonio montagnani 2011-02-22 15:20:30 UTC
Downgrading SDL from the installed rpm coming from updates-testing makes everything work.

Comment 7 Daniel Walsh 2011-02-23 16:22:47 UTC
I think you could have just removed the execstack flag on these shared libraries and it would have worked also.
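
The library check from comments 4 to 7, as an added example that is not part of the original bug thread: a Python function that reads the `PT_GNU_STACK` program header of an ELF image and returns the same `X` / `-` / `?` symbols that `execstack -q` prints. The names `stack_marking` and `sample_elf32` are hypothetical, and the sample images are constructed in memory so the block runs without any real library.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack marking
PF_X = 0x1                  # "executable" bit in p_flags

def stack_marking(elf: bytes) -> str:
    """Return 'X', '-' or '?' using the symbols execstack -q prints."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: 1 = little endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags is the 2nd word of an ELF64 phdr and the 7th of an ELF32 one
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        return "X" if p_flags & PF_X else "-"
    return "?"    # no PT_GNU_STACK header: the marking is missing

def sample_elf32(stack_flags):
    """Constructed ELF32 little-endian image: one PT_LOAD, optional PT_GNU_STACK."""
    phdrs = [struct.pack("<8I", 1, 0, 0, 0, 0x100, 0x100, 5, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4))
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + bytes(9),
                       3, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(phdrs)

if __name__ == "__main__":
    # Usage: pass library paths on the command line; unreadable or
    # non-ELF files are skipped.
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                print(stack_marking(fh.read()), path)
        except (OSError, ValueError, struct.error):
            pass
```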