Bug 706781

Summary: SELinux is preventing /home/rm3/parallel_studio_xe_2011_update1/pset/tools/cpu_check/64/cpu_check from using the 'execstack' accesses on a process.
Product: [Fedora] Fedora
Reporter: Robert McBroom <mcbroomrc>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dominick.grift, dwalsh, metherid, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:f622114fb92d12928dcb0157ca1503d7ae6e894d8d7d60c7aeb4451f71536bc0
Doc Type: Bug Fix
Last Closed: 2011-05-23 08:21:42 UTC

Description Robert McBroom 2011-05-23 00:01:27 UTC
SELinux is preventing /home/rm3/parallel_studio_xe_2011_update1/pset/tools/cpu_check/64/cpu_check from using the 'execstack' accesses on a process.

*****  Plugin allow_execstack (53.1 confidence) suggests  ********************

If you believe that 
None
should not require execstack
Then you should clear the execstack flag and see if /home/rm3/parallel_studio_xe_2011_update1/pset/tools/cpu_check/64/cpu_check works correctly.
Report this as a bug on None.
You can clear the exestack flag by executing:
Do
execstack -c None

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that cpu_check should be allowed execstack access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cpu_check /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        cpu_check
Source Path                   /home/rm3/parallel_studio_xe_2011_update1/pset/too
                              ls/cpu_check/64/cpu_check
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 22 May 2011 06:23:26 PM EDT
Last Seen                     Sun 22 May 2011 06:23:26 PM EDT
Local ID                      57aef77d-628e-41f4-afad-ddc91a00bcb8

Raw Audit Messages
type=AVC msg=audit(1306103006.464:28722): avc:  denied  { execstack } for  pid=11882 comm="cpu_check" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1306103006.464:28722): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7fffe6009000 a1=1000 a2=1000007 a3=307f41f000 items=0 ppid=9871 pid=11882 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=cpu_check exe=/home/rm3/parallel_studio_xe_2011_update1/pset/tools/cpu_check/64/cpu_check subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: cpu_check,unconfined_t,unconfined_t,process,execstack

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

Comment 1 Robert McBroom 2011-05-23 00:08:57 UTC
Installation of INTEL parallel_studio_xe_2011_update1 on HP Pavilion p6621c Desktop PC.  Admitted that INTEL does not declare support for AMD processors.

Comment 2 Rahul Sundaram 2011-05-23 00:15:42 UTC
The software you are trying to run has a potential security issue that SELinux is warning you about.  Although it is possible to override the policy as suggested within the notification itself, it should be reported to the vendor.  You can find the technical details at

http://www.akkadia.org/drepper/selinux-mem.html

Comment 3 Miroslav Grepl 2011-05-23 08:21:42 UTC
If you want to trust applications that you download to your machine you might
as well turn this check off.

setsebool -P allow_execstack 1