Bug 147749 - enable execmod/execmem by default
Summary: enable execmod/execmem by default
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-02-10 22:22 UTC by Paul Nasrat
Modified: 2007-11-30 22:11 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-09-04 23:34:19 UTC


Attachments (Terms of Use)

Description Paul Nasrat 2005-02-10 22:22:29 UTC
Description of problem:

terminate called after throwing an instance of 'std::bad_alloc'
  what():  St9bad_alloc
/usr/lib/openoffice.org1.9.75/program/soffice.bin: error while loading shared
libraries: /usr/lib/openoffice.org1.9.75/program/libicudata.so.26: cannot
restore segment prot after reloc: Permission denied


Version-Release number of selected component (if applicable):

1.1.3-5.7.0 and 1.9.73-2 1.9.75-2


How reproducible:

Always

glibc-2.3.4-7
kernel 2.6.10-1.1134_FC4

Steps to Reproduce:
1. Update to latest rawhide
2. oowriter or oowriter2

  
Actual results:

Fails

Expected results:

Works


Additional info:

type=KERNEL msg=audit(1108073842.013:279577): avc:  denied  { execmod } for 
pid=3141 comm=soffice.bin
path=/usr/lib/openoffice.org1.9.75/program/libicudata.so.26.0 dev=hda2
ino=2427125 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=filele

setenforce 0 works around

contexts seem ok rpm -V openoffice.org2-core

selinux-policy-targeted-1.21.11-3

Comment 1 Colin Walters 2005-02-11 15:32:47 UTC
This is a bug in the selinux-policy-targeted package; this permission should
have been enabled by default.

However - it is desirable to if possible eliminate the requirement for writable
and executable memory areas.  This is likely fixable in libicudata.  I'll clone
a new bug on this issue.

Comment 2 Alexandre Oliva 2005-02-12 14:10:53 UTC
I have this one executable (gtimer) that, when started as
/usr/bin/gtimer, fails with:
gtimer: error while loading shared libraries: /lib/ld-linux.so.2:
cannot apply additional memory protection after relocation: Permission
denied

even with both execmod and execmem set to true.  However, if I start
it as /lib/ld-linux.so.2 /usr/bin/gtimer, it works.  ?!?

Oddly, the only system call that fails is:

mprotect(0x5556e000, 4096, PROT_READ)   = -1 EACCES (Permission denied)

See, it's not attempting to grant exec permission on anything, it's
actually taking out write permission from a page that contained data
that needed relocation, but that is read-only (relro in binutilspeak).  

type=KERNEL msg=audit(1108217207.401:4003324): avc:  denied  { execmod
} for  pid=5249 comm=gtimer path=/lib/ld-2.3.4.so dev=dm-2 ino=753730
scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:ld_so_t tclass=file
type=KERNEL msg=audit(1108217207.401:4003324): syscall=125 per=400000
exit=-13 a0=5556f300 a1=5556f300 a2=1 a3=0 items=0 pid=5249
loginuid=-1 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404
sgid=404 fsgid=404

It appears to me that execmod/execmem are a bit too strict, since
they're denying not only the addition of exec permission, but also at
removal of other permissions.

Comment 3 Alexandre Oliva 2005-02-12 14:25:43 UTC
So, it looks like this older program of mine is qualified as a
`legacy' binary per the policy, because it has no GNU stack header. 
Still, it's a bit odd that I can run it fine using the ld.so wrapper,
but not the program by itself.  Unfortunately, rebuilding this program
on a recent system is not much of an option.  Any ideas of how to get
it to work without resorting to wrappers?

Comment 4 Daniel Walsh 2005-02-14 14:44:26 UTC
The execmod for ld_so_t should be back in unconfined_t in the latest
policy selinux-policy-targeted-1.21.12-2

Comment 5 Deji 2005-02-14 22:57:42 UTC
With selinux-policy-targeted-1.21.12-2, i'm still experiencing this
problem. However it seems to be happening only to 3rd party apps.
Eg:
[deji@rhema2 ~]$ mplayer
mplayer: error while loading shared libraries:
/usr/lib/libSDL-1.2.so.0: cannot restore segment prot after reloc:
Permission denied

[deji@rhema2 mars1d-w]$ make main
ifort -c main.f
/opt/intel/bin/ifort: error while loading shared libraries:
/lib/tls/libc.so.6: cannot apply additional memory protection after
relocation: Permission denied
make: *** [main.o] Error 127

Also nomachine's NX's client failed with the 'cannot restore segment
prot after reloc: Permission denied' error message.

All the above works fine after issuing 'setenforce 0'.

Comment 6 Daniel Walsh 2005-02-15 14:05:58 UTC
restorecon /usr/lib/libSDL* should fix that one.

What avc messages are you seeing on the tls?

Dan

Comment 7 Deji 2005-02-15 15:26:06 UTC
(In reply to comment #6)

> What avc messages are you seeing on the tls?
> 
Feb 14 18:02:58 rhema2 dbus: avc:  received setenforce notice (enforcing=0) 
Feb 14 18:02:58 rhema2 dbus: avc:  received setenforce notice (enforcing=0) 
Feb 14 18:03:08 rhema2 kernel: audit(1108422188.698:0): avc:  denied  { execmod
} for  pid=3273 comm=ifortbin path=/lib/tls/libc-2.3.4.so dev=hda6 ino=1778917
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
Feb 14 18:03:08 rhema2 kernel: audit(1108422188.699:0): avc:  denied  { execmod
} for  pid=3273 comm=ifortbin path=/lib/ld-2.3.4.so dev=hda6 ino=1778895
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file

Deji



Comment 8 Daniel Walsh 2005-02-15 15:33:24 UTC
setsebool -P allow_execmod=1 allow_execmem=1

Should eliminate this.

Comment 9 Alexandre Oliva 2005-02-15 19:58:59 UTC
The legacy binary works fine with today's (and yesterday's) rawhide,
with the setsebool settings above.  Thanks,

Comment 10 Colin Walters 2005-02-16 15:03:58 UTC
Dan, I thought we agreed these booleans were going to be on by default?  This is
just a temporary workaround until a new policy is uploaded, right?

Comment 11 Colin Walters 2005-02-16 15:20:16 UTC
Actually though, perhaps it would be be best to change this to an auditallow in
rawhide for a while, so that we can still gather a list of problematic libraries
and programs while allowing them to continue to work?

Comment 12 Daniel Walsh 2005-02-17 14:58:32 UTC
The allow_execmod/execmem is defaulted to true for unconfined_t for a while now.

Comment 13 Deji 2005-02-18 01:03:10 UTC
selinux-policy-targeted-1.21.13-1 works for me without any need to apply the
setsebool settings.
Thanks.


Note You need to log in before you can comment on or make changes to this bug.