Bug 1275007 - SELinux is preventing mprotheap from using the 'execheap' accesses on a process.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
abrt_hash:5d6d12117143709ed7fcaa7dfe8...
Reported: 2015-10-24 15:46 EDT by Justin W. Flory
Modified: 2015-10-27 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-27 11:28:11 EDT
Description Justin W. Flory 2015-10-24 15:46:21 EDT
Description of problem:
I was running kernel regression tests on my system - I was away from keyboard during tests and saw this error when I returned.
SELinux is preventing mprotheap from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think mprotheap should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that mprotheap should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mprotheap /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        mprotheap
Source Path                   mprotheap
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.16.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.3-200.fc22.x86_64 #1 SMP Thu Oct 8 03:23:55 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-24 15:42:20 EDT
Last Seen                     2015-10-24 15:42:20 EDT
Local ID                      dec02114-8f65-4671-8fc3-0a8fa2e18c27

Raw Audit Messages
type=AVC msg=audit(1445715740.254:612): avc:  denied  { execheap } for  pid=4852 comm="mprotheap" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: mprotheap,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

Potential duplicate: bug 1194645
Comment 1 Justin W. Flory 2015-10-24 16:38:12 EDT
Description of problem:
I was running kernel regression tests and left my keyboard - when I returned, I saw these errors.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport
Comment 2 Daniel Walsh 2015-10-27 11:28:11 EDT
Looks like that test should trigger this AVC.  You need to turn on the boolean selinux_execheap to not have this happen.


*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think mprotheap should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P selinuxuser_execheap 1
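As an added example (not code from this bug report or from the mprotheap test itself), the small C program below performs the heap mprotect(2) that the execheap check governs and classifies the outcome: on a SELinux host with selinuxuser_execheap off it reports a denial matching the AVC record above, elsewhere it reports that the RWX heap page was allowed. The enum and function names are my own, and the program assumes a small posix_memalign() request is served from the brk heap rather than an anonymous mmap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one execheap probe; returned so the caller can act on it. */
enum heap_exec_result {
    HEAP_EXEC_ALLOWED = 0, /* mprotect() succeeded: policy permits an RWX heap page */
    HEAP_EXEC_DENIED  = 1, /* EACCES/EPERM: mandatory access control refused it */
    HEAP_EXEC_ERROR   = 2  /* allocation failed or an unexpected errno came back */
};

/* Take one page-aligned page from the malloc heap and request RWX on it.
 * A small posix_memalign() request is normally served from the main (brk)
 * arena, so the page lies inside the process heap and SELinux applies the
 * execheap check (an anonymous mmap region would be checked as execmem). */
enum heap_exec_result probe_heap_exec(int *saved_errno)
{
    long page = sysconf(_SC_PAGESIZE);
    void *buf = NULL;
    enum heap_exec_result res;
    if (page <= 0 || posix_memalign(&buf, (size_t)page, (size_t)page) != 0)
        return HEAP_EXEC_ERROR;
    memset(buf, 0, (size_t)page);          /* touch it so the page is really backed */
    if (mprotect(buf, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC) == 0) {
        mprotect(buf, (size_t)page, PROT_READ | PROT_WRITE); /* drop exec again before free */
        if (saved_errno) *saved_errno = 0;
        res = HEAP_EXEC_ALLOWED;
    } else {
        if (saved_errno) *saved_errno = errno;
        res = (errno == EACCES || errno == EPERM) ? HEAP_EXEC_DENIED : HEAP_EXEC_ERROR;
    }
    free(buf);
    return res;
}

int main(void)
{
    int err = 0;
    switch (probe_heap_exec(&err)) {
    case HEAP_EXEC_ALLOWED: puts("RWX heap page allowed (execheap not enforced here)"); break;
    case HEAP_EXEC_DENIED:  printf("denied (%s): expect an 'avc: denied { execheap }' record\n", strerror(err)); break;
    default:                printf("probe failed: %s\n", strerror(err)); break;
    }
    return 0;
}
```

A denial is the intended outcome for ordinary software; enabling the boolean is reasonable for a test like this one, whereas a real program that hits it should be changed to stop needing heap that is both writable and executable.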
Comment 3 Justin W. Flory 2015-10-27 11:38:20 EDT
(In reply to Daniel Walsh from comment #2)
> Looks like that test should trigger this AVC.  You need to turn on the
> boolean selinux_execheap to not have this happen.
> 
> 
> *****  Plugin allow_execheap (53.1 confidence) suggests  
> ********************
> 
> If you do not think mprotheap should need to map heap memory that is both
> writable and executable.
> Then you need to report a bug. This is a potentially dangerous access.
> Do
> contact your security administrator and report this issue.
> 
> *****  Plugin catchall_boolean (42.6 confidence) suggests  
> ******************
> 
> If you want to allow selinuxuser to execheap
> Then you must tell SELinux about this by enabling the 'selinuxuser_execheap'
> boolean.
> You can read 'None' man page for more details.
> Do
> setsebool -P selinuxuser_execheap 1

Thanks for the info, sorry to waste your time. Wasn't sure if it was an issue or not.
