Bug 156393 - execmod/execmem denied at boot, only boots in permissive mode
execmod/execmem denied at boot, only boots in permissive mode
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-04-29 13:31 EDT by Orion Poplawski
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-02 12:08:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2005-04-29 13:31:53 EDT
Description of problem:
System is a FC3 system with selinux components from
ftp://people.redhat.com/dwalsh/SELinux/Fedora/ and with some additions to the
default policy in order to work around some apache and other issues.  In trying
to boot to a new kernel, init crashed due to an selinux denial.  Booting in
permissive mode shows:

audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/ld-2.3.5.so dev=dm-1 ino=32775 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:ld_so_t tclass=file
audit(1114772493.799:0): avc:  denied  { execmem } for  pid=1 comm=init
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t
tclass=process
audit(1114772502.631:0): avc:  denied  { execmem } for  pid=1491 comm=nash
scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.16-4

How reproducible:
Everytime
Comment 1 Daniel Walsh 2005-04-29 14:14:44 EDT
setsebool -P allow_execmem=1 allow_execmod=1

Should fix the problem

Comment 2 Colin Walters 2005-04-29 17:13:43 EDT
So we're still defaulting to allow_execmem and allow_execmod as false?
Comment 3 Orion Poplawski 2005-04-29 17:25:01 EDT
Didn't have any effect in either case.
Comment 4 Daniel Walsh 2005-04-30 19:57:20 EDT
Update to the latest policy.  We default to allow_execmem/allow_execmod true on
Targeted policy.  Problem is they did not exist in FC3.  Try updating to policy
1.23.13-4 or later.

Dan
Comment 5 Orion Poplawski 2005-05-02 11:38:57 EDT
As mentioned, this is with selinux-policy-targeted-1.21.16-4.  Is there anything
else that would need to be done after setting the boolean?  Also, I'm not sure
if this is correct, seems new to me:

[root@hawk targeted]# grep exec bool*
booleans:allow_execmem=0
booleans:allow_execmod=0
booleans:httpd_ssi_exec=1
booleans.local:allow_execmem=1
booleans.local:allow_execmod=1
Comment 6 Daniel Walsh 2005-05-02 11:42:53 EDT
The problem you have is that you have partially updated to some interim policy,
perhaps and interim policycoreutils and a later kernel.  Please  get up to date
on  your policy, policycoreutils, libselinux, and libsepol.

Load_policy and the rest of selinux now uses booleans.local to override the
defaults in the booleans file.    So this looks correct.

Dan
Comment 7 Orion Poplawski 2005-05-02 12:08:16 EDT
Did another yum update and all seems to be well now.  Thanks.

Note You need to log in before you can comment on or make changes to this bug.