Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 156393 - execmod/execmem denied at boot, only boots in permissive mode
Summary: execmod/execmem denied at boot, only boots in permissive mode
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-04-29 17:31 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-02 16:08:31 UTC
Type: ---


Attachments (Terms of Use)

Description Orion Poplawski 2005-04-29 17:31:53 UTC
Description of problem:
System is a FC3 system with selinux components from
ftp://people.redhat.com/dwalsh/SELinux/Fedora/ and with some additions to the
default policy in order to work around some apache and other issues.  In trying
to boot to a new kernel, init crashed due to an selinux denial.  Booting in
permissive mode shows:

audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/ld-2.3.5.so dev=dm-1 ino=32775 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:ld_so_t tclass=file
audit(1114772493.799:0): avc:  denied  { execmem } for  pid=1 comm=init
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t
tclass=process
audit(1114772502.631:0): avc:  denied  { execmem } for  pid=1491 comm=nash
scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.16-4

How reproducible:
Everytime

Comment 1 Daniel Walsh 2005-04-29 18:14:44 UTC
setsebool -P allow_execmem=1 allow_execmod=1

Should fix the problem



Comment 2 Colin Walters 2005-04-29 21:13:43 UTC
So we're still defaulting to allow_execmem and allow_execmod as false?

Comment 3 Orion Poplawski 2005-04-29 21:25:01 UTC
Didn't have any effect in either case.

Comment 4 Daniel Walsh 2005-04-30 23:57:20 UTC
Update to the latest policy.  We default to allow_execmem/allow_execmod true on
Targeted policy.  Problem is they did not exist in FC3.  Try updating to policy
1.23.13-4 or later.

Dan

Comment 5 Orion Poplawski 2005-05-02 15:38:57 UTC
As mentioned, this is with selinux-policy-targeted-1.21.16-4.  Is there anything
else that would need to be done after setting the boolean?  Also, I'm not sure
if this is correct, seems new to me:

[root@hawk targeted]# grep exec bool*
booleans:allow_execmem=0
booleans:allow_execmod=0
booleans:httpd_ssi_exec=1
booleans.local:allow_execmem=1
booleans.local:allow_execmod=1


Comment 6 Daniel Walsh 2005-05-02 15:42:53 UTC
The problem you have is that you have partially updated to some interim policy,
perhaps and interim policycoreutils and a later kernel.  Please  get up to date
on  your policy, policycoreutils, libselinux, and libsepol.

Load_policy and the rest of selinux now uses booleans.local to override the
defaults in the booleans file.    So this looks correct.

Dan

Comment 7 Orion Poplawski 2005-05-02 16:08:16 UTC
Did another yum update and all seems to be well now.  Thanks.


Note You need to log in before you can comment on or make changes to this bug.