Bug 156393 – execmod/execmem denied at boot, only boots in permissive mode

Bug 156393 - execmod/execmem denied at boot, only boots in permissive mode

Summary:	execmod/execmem denied at boot, only boots in permissive mode

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-04-29 13:31 EDT by Orion Poplawski
Modified:	2007-11-30 17:11 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-05-02 12:08:31 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Orion Poplawski 2005-04-29 13:31:53 EDT

Description of problem:
System is a FC3 system with selinux components from
ftp://people.redhat.com/dwalsh/SELinux/Fedora/ and with some additions to the
default policy in order to work around some apache and other issues.  In trying
to boot to a new kernel, init crashed due to an selinux denial.  Booting in
permissive mode shows:

audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/ld-2.3.5.so dev=dm-1 ino=32775 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:ld_so_t tclass=file
audit(1114772493.799:0): avc:  denied  { execmem } for  pid=1 comm=init
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t
tclass=process
audit(1114772502.631:0): avc:  denied  { execmem } for  pid=1491 comm=nash
scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.16-4

How reproducible:
Everytime

Comment 1 Daniel Walsh 2005-04-29 14:14:44 EDT

setsebool -P allow_execmem=1 allow_execmod=1

Should fix the problem

Comment 2 Colin Walters 2005-04-29 17:13:43 EDT

So we're still defaulting to allow_execmem and allow_execmod as false?

Comment 3 Orion Poplawski 2005-04-29 17:25:01 EDT

Didn't have any effect in either case.

Comment 4 Daniel Walsh 2005-04-30 19:57:20 EDT

Update to the latest policy.  We default to allow_execmem/allow_execmod true on
Targeted policy.  Problem is they did not exist in FC3.  Try updating to policy
1.23.13-4 or later.

Dan

Comment 5 Orion Poplawski 2005-05-02 11:38:57 EDT

As mentioned, this is with selinux-policy-targeted-1.21.16-4.  Is there anything
else that would need to be done after setting the boolean?  Also, I'm not sure
if this is correct, seems new to me:

[root@hawk targeted]# grep exec bool*
booleans:allow_execmem=0
booleans:allow_execmod=0
booleans:httpd_ssi_exec=1
booleans.local:allow_execmem=1
booleans.local:allow_execmod=1

Comment 6 Daniel Walsh 2005-05-02 11:42:53 EDT

The problem you have is that you have partially updated to some interim policy,
perhaps and interim policycoreutils and a later kernel.  Please  get up to date
on  your policy, policycoreutils, libselinux, and libsepol.

Load_policy and the rest of selinux now uses booleans.local to override the
defaults in the booleans file.    So this looks correct.

Dan

Comment 7 Orion Poplawski 2005-05-02 12:08:16 EDT

Did another yum update and all seems to be well now.  Thanks.

Note You need to log in before you can comment on or make changes to this bug.