Bug 147749 - enable execmod/execmem by default
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All / OS: Linux
Priority: medium / Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-02-10 17:22 EST by Paul Nasrat
Modified: 2007-11-30 17:11 EST
CC: 6 users

Fixed In Version: 1.21.13-1
Doc Type: Bug Fix
Last Closed: 2005-09-04 19:34:19 EDT


Attachments: None
Description Paul Nasrat 2005-02-10 17:22:29 EST
Description of problem:

terminate called after throwing an instance of 'std::bad_alloc'
  what():  St9bad_alloc
/usr/lib/openoffice.org1.9.75/program/soffice.bin: error while loading shared
libraries: /usr/lib/openoffice.org1.9.75/program/libicudata.so.26: cannot
restore segment prot after reloc: Permission denied


Version-Release number of selected component (if applicable):

1.1.3-5.7.0 and 1.9.73-2 1.9.75-2


How reproducible:

Always

glibc-2.3.4-7
kernel 2.6.10-1.1134_FC4

Steps to Reproduce:
1. Update to latest rawhide
2. oowriter or oowriter2

  
Actual results:

Fails

Expected results:

Works


Additional info:

type=KERNEL msg=audit(1108073842.013:279577): avc:  denied  { execmod } for 
pid=3141 comm=soffice.bin
path=/usr/lib/openoffice.org1.9.75/program/libicudata.so.26.0 dev=hda2
ino=2427125 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=filele

setenforce 0 works around it.

contexts seem ok: rpm -V openoffice.org2-core

selinux-policy-targeted-1.21.11-3
Comment 1 Colin Walters 2005-02-11 10:32:47 EST
This is a bug in the selinux-policy-targeted package; this permission should
have been enabled by default.

However, it is desirable, if possible, to eliminate the requirement for writable
and executable memory areas. This is likely fixable in libicudata. I'll clone
a new bug on this issue.
Comment 2 Alexandre Oliva 2005-02-12 09:10:53 EST
I have this one executable (gtimer) that, when started as
/usr/bin/gtimer, fails with:
gtimer: error while loading shared libraries: /lib/ld-linux.so.2:
cannot apply additional memory protection after relocation: Permission
denied

even with both execmod and execmem set to true.  However, if I start
it as /lib/ld-linux.so.2 /usr/bin/gtimer, it works.  ?!?

Oddly, the only system call that fails is:

mprotect(0x5556e000, 4096, PROT_READ)   = -1 EACCES (Permission denied)

See, it's not attempting to grant exec permission on anything, it's
actually taking out write permission from a page that contained data
that needed relocation, but that is read-only (relro in binutilspeak).  

type=KERNEL msg=audit(1108217207.401:4003324): avc:  denied  { execmod
} for  pid=5249 comm=gtimer path=/lib/ld-2.3.4.so dev=dm-2 ino=753730
scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:ld_so_t tclass=file
type=KERNEL msg=audit(1108217207.401:4003324): syscall=125 per=400000
exit=-13 a0=5556f300 a1=5556f300 a2=1 a3=0 items=0 pid=5249
loginuid=-1 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404
sgid=404 fsgid=404

It appears to me that execmod/execmem are a bit too strict, since
they're denying not only the addition of exec permission, but also the
removal of other permissions.
Comment 3 Alexandre Oliva 2005-02-12 09:25:43 EST
So, it looks like this older program of mine is qualified as a
'legacy' binary per the policy, because it has no GNU stack header.
Still, it's a bit odd that I can run it fine using the ld.so wrapper,
but not the program by itself.  Unfortunately, rebuilding this program
on a recent system is not much of an option.  Any ideas of how to get
it to work without resorting to wrappers?
Comment 4 Daniel Walsh 2005-02-14 09:44:26 EST
The execmod for ld_so_t should be back in unconfined_t in the latest
policy selinux-policy-targeted-1.21.12-2
Comment 5 Deji 2005-02-14 17:57:42 EST
With selinux-policy-targeted-1.21.12-2, I'm still experiencing this
problem. However, it seems to be happening only to 3rd party apps.
E.g.:
[deji@rhema2 ~]$ mplayer
mplayer: error while loading shared libraries:
/usr/lib/libSDL-1.2.so.0: cannot restore segment prot after reloc:
Permission denied

[deji@rhema2 mars1d-w]$ make main
ifort -c main.f
/opt/intel/bin/ifort: error while loading shared libraries:
/lib/tls/libc.so.6: cannot apply additional memory protection after
relocation: Permission denied
make: *** [main.o] Error 127

Also nomachine's NX's client failed with the 'cannot restore segment
prot after reloc: Permission denied' error message.

All the above works fine after issuing 'setenforce 0'.
Comment 6 Daniel Walsh 2005-02-15 09:05:58 EST
restorecon /usr/lib/libSDL* should fix that one.

What avc messages are you seeing on the tls?

Dan
Comment 7 Deji 2005-02-15 10:26:06 EST
(In reply to comment #6)

> What avc messages are you seeing on the tls?
> 
Feb 14 18:02:58 rhema2 dbus: avc:  received setenforce notice (enforcing=0) 
Feb 14 18:02:58 rhema2 dbus: avc:  received setenforce notice (enforcing=0) 
Feb 14 18:03:08 rhema2 kernel: audit(1108422188.698:0): avc:  denied  { execmod
} for  pid=3273 comm=ifortbin path=/lib/tls/libc-2.3.4.so dev=hda6 ino=1778917
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Feb 14 18:03:08 rhema2 kernel: audit(1108422188.699:0): avc:  denied  { execmod
} for  pid=3273 comm=ifortbin path=/lib/ld-2.3.4.so dev=hda6 ino=1778895
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file

Deji
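
The denials quoted in comment 2 and comment 7, decoded the way a triage script would (an added example, not part of the bug report or of Fedora's tooling). It assumes the SYSCALL record's a0..a2 fields hold the mprotect(addr, len, prot) arguments in hex, that syscall 125 is mprotect on i386, and that per= is the process personality, whose 0x0400000 bit is the kernel's READ_IMPLIES_EXEC flag for ELF objects without PT_GNU_STACK; that flag is what widens Oliva's PROT_READ request into an executable mapping and triggers the execmod check.

```python
import re

# Constructed input: the AVC and SYSCALL records quoted in comment 2 and comment 7
# of this bug, with the bug tracker's line wrapping undone.
SAMPLE = [
    "type=KERNEL msg=audit(1108217207.401:4003324): avc:  denied  { execmod } for  pid=5249 "
    "comm=gtimer path=/lib/ld-2.3.4.so dev=dm-2 ino=753730 scontext=user_u:system_r:unconfined_t "
    "tcontext=system_u:object_r:ld_so_t tclass=file",
    "type=KERNEL msg=audit(1108217207.401:4003324): syscall=125 per=400000 exit=-13 a0=5556f300 "
    "a1=5556f300 a2=1 a3=0 items=0 pid=5249 loginuid=-1 uid=404 gid=404 euid=404 suid=404",
    "Feb 14 18:03:08 rhema2 kernel: audit(1108422188.698:0): avc:  denied  { execmod } for  "
    "pid=3273 comm=ifortbin path=/lib/tls/libc-2.3.4.so dev=hda6 ino=1778917 "
    "scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file",
]
READ_IMPLIES_EXEC = 0x0400000      # assumed: personality bit set for ELF objects lacking PT_GNU_STACK
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
I386_SYSCALLS = {125: "mprotect"}  # assumed: the records above come from an i386 kernel

def fields(line):  # key=value pairs of one audit record plus the serial from audit(ts:serial)
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    f["serial"] = re.search(r"audit\([\d.]+:(\d+)\)", line).group(1)
    return f

def decode(lines):  # one dict per AVC denial, joined with the SYSCALL record sharing its serial
    syscalls = {f["serial"]: f for f in map(fields, lines) if "syscall" in f}
    out = []
    for line in lines:
        m = re.search(r"avc:\s+denied\s+\{ ([^}]+) \}", line)
        if not m:
            continue
        f = fields(line)
        rec = {"perm": m.group(1).strip(), "comm": f["comm"], "path": f["path"],
               "ttype": f["tcontext"].split(":")[2], "prot": [], "read_implies_exec": False}
        s = syscalls.get(f["serial"])
        if s:  # a2 is the prot argument of mprotect(addr, len, prot); audit prints it in hex
            rec["syscall"] = I386_SYSCALLS.get(int(s["syscall"]), s["syscall"])
            rec["prot"] = [n for b, n in PROT_BITS.items() if int(s["a2"], 16) & b]
            rec["read_implies_exec"] = bool(int(s["per"], 16) & READ_IMPLIES_EXEC)
        out.append(rec)
    return out

def explain(rec):  # why execmod was checked here, and which fix from this bug applies
    if rec["read_implies_exec"] and rec.get("syscall") == "mprotect" and "PROT_EXEC" not in rec["prot"]:
        return ("legacy binary without PT_GNU_STACK: PROT_READ is widened to PROT_READ|PROT_EXEC, so "
                "restoring RELRO protection on already-relocated pages is checked as execmod (comment 3)")
    if rec["perm"] == "execmod" and rec["ttype"] == "ld_so_t":
        return "ld.so mapping: execmod restored for unconfined_t in policy 1.21.12-2 (comment 4)"
    if rec["perm"] == "execmod":
        return "execmod on %s, no SYSCALL record: restorecon (comment 6) or setsebool -P allow_execmod=1 (comment 8)" % rec["path"]
    return "no rule for " + rec["perm"]
```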

Comment 8 Daniel Walsh 2005-02-15 10:33:24 EST
setsebool -P allow_execmod=1 allow_execmem=1

Should eliminate this.
Comment 9 Alexandre Oliva 2005-02-15 14:58:59 EST
The legacy binary works fine with today's (and yesterday's) rawhide,
with the setsebool settings above.  Thanks,
Comment 10 Colin Walters 2005-02-16 10:03:58 EST
Dan, I thought we agreed these booleans were going to be on by default?  This is
just a temporary workaround until a new policy is uploaded, right?
Comment 11 Colin Walters 2005-02-16 10:20:16 EST
Actually though, perhaps it would be best to change this to an auditallow in
rawhide for a while, so that we can still gather a list of problematic libraries
and programs while allowing them to continue to work?
Comment 12 Daniel Walsh 2005-02-17 09:58:32 EST
The allow_execmod/execmem is defaulted to true for unconfined_t for a while now.
Comment 13 Deji 2005-02-17 20:03:10 EST
selinux-policy-targeted-1.21.13-1 works for me without any need to apply the
setsebool settings.
Thanks.
