Description of problem: System is a FC3 system with selinux components from ftp://people.redhat.com/dwalsh/SELinux/Fedora/ and with some additions to the default policy in order to work around some apache and other issues. In trying to boot to a new kernel, init crashed due to an selinux denial. Booting in permissive mode shows:

audit(1114772493.755:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.755:0): avc: denied { execmod } for pid=1 comm=init path=/lib/ld-2.3.5.so dev=dm-1 ino=32775 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file
audit(1114772493.799:0): avc: denied { execmem } for pid=1 comm=init scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
audit(1114772502.631:0): avc: denied { execmem } for pid=1491 comm=nash scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process

Version-Release number of selected component (if applicable): selinux-policy-targeted-1.21.16-4

How reproducible: Every time
setsebool -P allow_execmem=1 allow_execmod=1 Should fix the problem
So we're still defaulting to allow_execmem and allow_execmod as false?
Didn't have any effect in either case.
Update to the latest policy. We default to allow_execmem/allow_execmod true on Targeted policy. Problem is they did not exist in FC3. Try updating to policy 1.23.13-4 or later. Dan
As mentioned, this is with selinux-policy-targeted-1.21.16-4. Is there anything else that would need to be done after setting the boolean? Also, I'm not sure if this is correct, seems new to me:

[root@hawk targeted]# grep exec bool*
booleans:allow_execmem=0
booleans:allow_execmod=0
booleans:httpd_ssi_exec=1
booleans.local:allow_execmem=1
booleans.local:allow_execmod=1
The problem you have is that you have partially updated to some interim policy, perhaps an interim policycoreutils and a later kernel. Please get up to date on your policy, policycoreutils, libselinux, and libsepol. Load_policy and the rest of selinux now uses booleans.local to override the defaults in the booleans file. So this looks correct. Dan
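As an added illustration (not code from the bug thread or from the SELinux tools), the script below parses the AVC denial lines quoted in the report, applies the booleans.local-overrides-booleans rule described above to the two files the reporter grepped, and reports for each denied permission which boolean governs it and whether that boolean is effectively on. The execmem/execmod-to-boolean mapping and the sample file contents are assumptions constructed from the thread.

```python
import re

# Constructed sample input: three of the AVC lines from the report, plus the
# contents of the booleans and booleans.local files as the reporter's grep showed them.
AVC_LINES = """\
audit(1114772493.755:0): avc: denied { execmod } for pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.799:0): avc: denied { execmem } for pid=1 comm=init scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
audit(1114772502.631:0): avc: denied { execmem } for pid=1491 comm=nash scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process
"""
BOOLEANS = "allow_execmem=0\nallow_execmod=0\nhttpd_ssi_exec=1\n"
BOOLEANS_LOCAL = "allow_execmem=1\nallow_execmod=1\n"

# Assumed mapping: which targeted-policy boolean enables each denied permission.
PERM_TO_BOOL = {"execmem": "allow_execmem", "execmod": "allow_execmod"}

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} for (?P<fields>.*)$")

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields

def effective_booleans(booleans_text, local_text):
    """Merge the two files: entries in booleans.local override those in booleans."""
    def load(text):
        return {k: v.strip() == "1"
                for k, v in (l.split("=", 1) for l in text.splitlines() if "=" in l)}
    eff = load(booleans_text)
    eff.update(load(local_text))
    return eff

def triage(avc_text, booleans_text, local_text):
    """For every denied permission: (comm, perm, governing boolean, effective value)."""
    eff = effective_booleans(booleans_text, local_text)
    results = []
    for line in avc_text.splitlines():
        d = parse_avc(line)
        if not d:
            continue
        for perm in d["perms"]:
            b = PERM_TO_BOOL.get(perm)
            results.append((d["comm"], perm, b, eff.get(b, False) if b else None))
    return results

if __name__ == "__main__":
    for row in triage(AVC_LINES, BOOLEANS, BOOLEANS_LOCAL):
        print(row)
```

With the reporter's two files the merged view shows both allow_* booleans on, matching Dan's reading that the grep output is correct; with an empty booleans.local the same denials resolve to booleans that are off.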
Did another yum update and all seems to be well now. Thanks.