Description of problem: libk5crypto.so.3.1 uses an executable stack. This is causing too many problems on my system - it breaks sshd, firewalld and other applications. I see messages like "avc: denied { execstack } for pid=30601 comm=sshd" all the time. I tried to blame OpenStack (and the "cloud" stuff I have installed) initially but that didn't pan out (unfortunately) ;( Version-Release number of selected component (if applicable): krb5-libs-1.12-6.fc21.x86_64.rpm How reproducible: $ ~/checksec/scanner.py krb5-libs-1.12-6.fc21.x86_64.rpm ... /usr/lib64/libk5crypto.so.3.1,mode=0100755,NX=Disabled ... Expected results: This problem should have been caught easily. Moreover, "checksec-ng" / RpmGrill could have caught this problem very easily. We need to adopt them in Fedora land ;)
Created attachment 839953 [details] patch to disable executable stack
Created attachment 839954 [details] fixed .spec file (trivial change)
This patch is a good upstream candidate. Also, it appears that it might be a good idea to enforce "-Wa,--noexecstack" flags for such critical system components. Please give it a thought. See https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks URL.
*** Bug 1047281 has been marked as a duplicate of this bug. ***
*** Bug 1047947 has been marked as a duplicate of this bug. ***
*** Bug 1047314 has been marked as a duplicate of this bug. ***
*** Bug 1047313 has been marked as a duplicate of this bug. ***
*** Bug 1046112 has been marked as a duplicate of this bug. ***
*** Bug 1046349 has been marked as a duplicate of this bug. ***
*** Bug 1047283 has been marked as a duplicate of this bug. ***
*** Bug 1047286 has been marked as a duplicate of this bug. ***
*** Bug 1047285 has been marked as a duplicate of this bug. ***
*** Bug 1047284 has been marked as a duplicate of this bug. ***
*** Bug 1047287 has been marked as a duplicate of this bug. ***
*** Bug 1047291 has been marked as a duplicate of this bug. ***
*** Bug 1047290 has been marked as a duplicate of this bug. ***
*** Bug 1047288 has been marked as a duplicate of this bug. ***
*** Bug 1047294 has been marked as a duplicate of this bug. ***
*** Bug 1047293 has been marked as a duplicate of this bug. ***
*** Bug 1047292 has been marked as a duplicate of this bug. ***
*** Bug 1047295 has been marked as a duplicate of this bug. ***
*** Bug 1047310 has been marked as a duplicate of this bug. ***
*** Bug 1047309 has been marked as a duplicate of this bug. ***
*** Bug 1047308 has been marked as a duplicate of this bug. ***
*** Bug 1047311 has been marked as a duplicate of this bug. ***
*** Bug 1047312 has been marked as a duplicate of this bug. ***
*** Bug 1047640 has been marked as a duplicate of this bug. ***
*** Bug 1045682 has been marked as a duplicate of this bug. ***
Other services affected are dhcp, cups, and wpa_supplicant.
Thank you for the patch! I'm forwarding it upstream and including it in the next build.
*** Bug 1045793 has been marked as a duplicate of this bug. ***
I guess this may help ? https://github.com/greghudson/krb5/commit/c64e39c69a9a7ee32c00b0cf7918f6274a565544
(In reply to Simo Sorce from comment #32) > I guess this may help ? > > https://github.com/greghudson/krb5/commit/ > c64e39c69a9a7ee32c00b0cf7918f6274a565544 NVM, should have read the whole bug first :)
krb5-libs-1.12-8.fc21.x86_64 fixes it for me. Thanks.
*** Bug 1046481 has been marked as a duplicate of this bug. ***
I still get this when booting in enforcing more with krb5-libs-1.12-8.fc21.i686: Jan 4 12:43:32 bruno kernel: [ 69.249984] type=1400 audit(1388861012.659:7): avc: denied { execmod } for pid=1259 comm="kdm_greet" path="/usr/lib/libk5crypto.so.3.1" dev="dm-0" ino=970375 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file Jan 4 12:43:32 bruno kdm: :0[1256]: Received unknown or unexpected command -2 from greeter Jan 4 12:43:32 bruno kdm: :0[1256]: Abnormal termination of greeter for display :0, code 127, signal 0
Try a 'fixfiles onboot' and reboot? (to relabel)
I have relabelled since that issue started, but I'll try it again. I'll also rebuild my initramfs in case something there is labelled incorrectly. A relabel takes a while, so it will probably be a few hours before I report back.
SSDs are getting cheaper, you know :)
After doing a relabel via restorecon (in permissive mode), I still see the problem with kdm. (But not with a lot of other stuff that was throwing AVCs in the earlier version of krb5-libs.) An enforcing mode boot results in the following AVCs and kdm crashes. Jan 5 09:12:05 bruno kernel: [ 44.077339] type=1400 audit(1388934708.487:4): avc: denied { execmod } for pid=974 comm="auditd" path="/usr/lib/libk5crypto.so.3.1" dev="dm-0" ino=970375 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file Jan 5 09:12:05 bruno kernel: [ 45.306836] type=1400 audit(1388934709.715:5): avc: denied { setattr } for pid=971 comm="systemd-tmpfile" name=".XIM-unix" dev="dm-0" ino=1975828 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir Jan 5 09:12:05 bruno kernel: [ 45.344000] type=1400 audit(1388934709.752:6): avc: denied { setattr } for pid=971 comm="systemd-tmpfile" name=".Test-unix" dev="dm-0" ino=1976748 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir Jan 5 09:12:17 bruno kernel: [ 73.211853] type=1400 audit(1388934737.621:7): avc: denied { execmod } for pid=1300 comm="kdm_greet" path="/usr/lib/libk5crypto.so.3.1" dev="dm-0" ino=970375 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
On last Rawhide live image Fedora-Live-KDE-i686-rawhide-20140105.iso with krb5-libs-1.12-8.fc21 still problem: dhclient: error while loading shared libraries: /lib/libk5crypto.so.3: cannot restore segment prot after reloc: Permission denied But dhclient works after 'setenforce 0'.
This sounds like not strictly the same issue as the execstack one, but also due to the assembly code: It sounds like there are text relocations, probably from non-PIC assembly code.
execstack /lib/libk5crypto.so.3 If it shows output with a X then it is asking for execstack privs.
eu-findtextrel seems to be rather handy for finding execmod problems, and I've cobbled together a patch which seems to give us the expected behavior without them. Additional pairs of eyes would be appreciated: http://pkgs.fedoraproject.org/cgit/krb5.git/commit/?id=75edc7c7ca7caf48f10272b0e7f6c37f3a9cf8c0 https://github.com/krb5/krb5/blob/master/src/lib/crypto/builtin/aes/iaesx86.s
dhclient works with krb5-1.12-9.fc21 on last Rawhide live images.
What's the current status on this? Do we still need more fixes?
krb5-libs-1.12.1-6.fc21 in libk5crypto.so.3.1 looks okay on armv7hl, i686, x86_64.
Cool. Let's close this; if someone finds further issues, re-open or file a new bug. Thanks!