156393 – execmod/execmem denied at boot, only boots in permissive mode

Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.

Bug 156393 - execmod/execmem denied at boot, only boots in permissive mode

Summary: execmod/execmem denied at boot, only boots in permissive mode

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-04-29 17:31 UTC by Orion Poplawski
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-05-02 16:08:31 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Orion Poplawski 2005-04-29 17:31:53 UTC

Description of problem:
System is a FC3 system with selinux components from
ftp://people.redhat.com/dwalsh/SELinux/Fedora/ and with some additions to the
default policy in order to work around some apache and other issues.  In trying
to boot to a new kernel, init crashed due to an selinux denial.  Booting in
permissive mode shows:

audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init
path=/lib/ld-2.3.5.so dev=dm-1 ino=32775 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:ld_so_t tclass=file
audit(1114772493.799:0): avc:  denied  { execmem } for  pid=1 comm=init
scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t
tclass=process
audit(1114772502.631:0): avc:  denied  { execmem } for  pid=1491 comm=nash
scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.16-4

How reproducible:
Everytime

Comment 1 Daniel Walsh 2005-04-29 18:14:44 UTC

setsebool -P allow_execmem=1 allow_execmod=1

Should fix the problem

Comment 2 Colin Walters 2005-04-29 21:13:43 UTC

So we're still defaulting to allow_execmem and allow_execmod as false?

Comment 3 Orion Poplawski 2005-04-29 21:25:01 UTC

Didn't have any effect in either case.

Comment 4 Daniel Walsh 2005-04-30 23:57:20 UTC

Update to the latest policy.  We default to allow_execmem/allow_execmod true on
Targeted policy.  Problem is they did not exist in FC3.  Try updating to policy
1.23.13-4 or later.

Dan

Comment 5 Orion Poplawski 2005-05-02 15:38:57 UTC

As mentioned, this is with selinux-policy-targeted-1.21.16-4.  Is there anything
else that would need to be done after setting the boolean?  Also, I'm not sure
if this is correct, seems new to me:

[root@hawk targeted]# grep exec bool*
booleans:allow_execmem=0
booleans:allow_execmod=0
booleans:httpd_ssi_exec=1
booleans.local:allow_execmem=1
booleans.local:allow_execmod=1

Comment 6 Daniel Walsh 2005-05-02 15:42:53 UTC

The problem you have is that you have partially updated to some interim policy,
perhaps and interim policycoreutils and a later kernel.  Please  get up to date
on  your policy, policycoreutils, libselinux, and libsepol.

Load_policy and the rest of selinux now uses booleans.local to override the
defaults in the booleans file.    So this looks correct.

Dan

Comment 7 Orion Poplawski 2005-05-02 16:08:16 UTC

Did another yum update and all seems to be well now.  Thanks.

Note You need to log in before you can comment on or make changes to this bug.