1613056 – BUG: SELinux does not skip mmap/PROT_EXEC checks for internal files when invoking shmat(2)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1613056 - BUG: SELinux does not skip mmap/PROT_EXEC checks for internal files when invoking shmat(2)

Summary: BUG: SELinux does not skip mmap/PROT_EXEC checks for internal files when invo...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	7.6
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Ondrej Mosnacek
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	1600850
Blocks:	1622032
TreeView+	depends on / blocked

Reported:	2018-08-06 21:44 UTC by Paul Moore
Modified:	2019-08-06 12:08 UTC (History)
CC List:	5 users (show)
Fixed In Version:	kernel-3.10.0-972.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1600850
Environment:
Last Closed:	2019-08-06 12:08:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1458535	1	None	None	None	2021-03-11 15:17:04 UTC
Red Hat Product Errata	RHSA-2019:2029	0	None	None	None	2019-08-06 12:08:38 UTC

Internal Links: 1458535

Description Paul Moore 2018-08-06 21:44:41 UTC

+++ This bug was initially created as a clone of Bug #1600850 +++

Description of problem:
Test Summary Report
-------------------
shm/test                  (Wstat: 0 Tests: 16 Failed: 1)
  Failed test:  15
mmap/test                 (Wstat: 0 Tests: 47 Failed: 1)
  Failed test:  46
extended_socket_class/test (Wstat: 0 Tests: 16 Failed: 15)
  Failed tests:  1-3, 5-16
Files=48, Tests=512, 73 wallclock secs ( 0.21 usr  0.04 sys +  1.07 cusr  2.08 csys =  3.40 CPU)
Result: FAIL
Failed 3/48 test programs. 17/512 subtests failed.

Version-Release number of selected component (if applicable):
kernel-3.10.0-919.el7.x86_64
kernel-devel-3.10.0-919.el7.x86_64
kernel-headers-3.10.0-919.el7.x86_64
kernel-tools-3.10.0-919.el7.x86_64
kernel-tools-libs-3.10.0-919.el7.x86_64
selinux-policy-3.13.1-207.el7.noarch
selinux-policy-devel-3.13.1-207.el7.noarch
selinux-policy-doc-3.13.1-207.el7.noarch
selinux-policy-minimum-3.13.1-207.el7.noarch
selinux-policy-mls-3.13.1-207.el7.noarch
selinux-policy-sandbox-3.13.1-207.el7.noarch
selinux-policy-targeted-3.13.1-207.el7.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-7.6 (targeted policy is active)
2. git clone git://github.com/SELinuxProject/selinux-testsuite
3. run the test suite

Actual results:
 * the selinux-testsuite fails

Expected results:
 * the selinux-testsuite passes

--- Additional comment from Milos Malik on 2018-07-13 04:03:30 EDT ---

Compiling targeted test_policy module
/usr/bin/checkmodule:  loading policy configuration from tmp/test_policy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 19) to tmp/test_policy.mod
Creating targeted test_policy.pp policy package
Running as user root with context unconfined_u:unconfined_r:unconfined_t

domain_trans/test ........... ok   
entrypoint/test ............. ok   
execshare/test .............. ok   
exectrace/test .............. ok   
execute_no_trans/test ....... ok   
fdreceive/test .............. ok   
inherit/test ................ ok   
link/test ................... ok   
mkdir/test .................. ok   
msg/test .................... ok     
open/test ................... ok   
ptrace/test ................. ok   
readlink/test ............... ok   
relabel/test ................ ok   
rename/test ................. ok   
rxdir/test .................. ok   
sem/test .................... ok     
setattr/test ................ ok   
setnice/test ................ ok   
shm/test .................... 1/16 # Test 15 got: "65280" (shm/test at line 61)
#    Expected: "0"
#  shm/test line 61 is: ok( $?, 0 );
shm/test .................... Failed 1/16 subtests 
sigkill/test ................ ok     
stat/test ................... ok   
sysctl/test ................. ok   
task_create/test ............ ok   
task_setnice/test ........... ok   
task_setscheduler/test ...... ok   
task_getscheduler/test ...... ok   
task_getsid/test ............ ok   
task_getpgid/test ........... ok   
task_setpgid/test ........... ok   
file/test ................... ok     
ioctl/test .................. ok   
capable_file/test ........... ok     
capable_net/test ............ ok   
capable_sys/test ............ ok   
dyntrans/test ............... ok   
dyntrace/test ............... ok   
bounds/test ................. ok     
nnp_nosuid/test ............. ok     
mmap/test ................... 23/47 shmat SHM_EXEC: Permission denied
# Test 46 got: "256" (mmap/test at line 225)
#    Expected: "0"
#  mmap/test line 225 is: ok( $result, 0 );
mmap/test ................... Failed 1/47 subtests 
unix_socket/test ............ ok   
inet_socket/test ............ ok     
overlay/test ................ ok       
checkreqprot/test ........... ok   
mqueue/test ................. ok     
mac_admin/test .............. ok   
atsecure/test ............... ok   
extended_socket_class/test .. 1/16 # Test 1 got: "256" (extended_socket_class/test at line 15)
#   Expected: "0"
#  extended_socket_class/test line 15 is: ok( $result, 0 );
# Failed test 2 in extended_socket_class/test at line 21
#  extended_socket_class/test line 21 is: ok($result);
# Test 3 got: "256" (extended_socket_class/test at line 27)
#   Expected: "0"
#  extended_socket_class/test line 27 is: ok( $result, 0 );
extended_socket_class/test .. 5/16 # Test 5 got: "256" (extended_socket_class/test at line 42)
#   Expected: "0"
#  extended_socket_class/test line 42 is: ok( $result, 0 );
# Failed test 6 in extended_socket_class/test at line 48
#  extended_socket_class/test line 48 is: ok($result);
# Test 7 got: "256" (extended_socket_class/test at line 54)
#   Expected: "0"
#  extended_socket_class/test line 54 is: ok( $result, 0 );
# Failed test 8 in extended_socket_class/test at line 60
#  extended_socket_class/test line 60 is: ok($result);
# Test 9 got: "256" (extended_socket_class/test at line 66)
#   Expected: "0"
#  extended_socket_class/test line 66 is: ok( $result, 0 );
# Failed test 10 in extended_socket_class/test at line 72
#  extended_socket_class/test line 72 is: ok($result);
# Test 11 got: "256" (extended_socket_class/test at line 78)
#    Expected: "0"
#  extended_socket_class/test line 78 is: ok( $result, 0 );
# Failed test 12 in extended_socket_class/test at line 84
#  extended_socket_class/test line 84 is: ok($result);
# Test 13 got: "256" (extended_socket_class/test at line 90)
#    Expected: "0"
#  extended_socket_class/test line 90 is: ok( $result, 0 );
# Failed test 14 in extended_socket_class/test at line 96
#  extended_socket_class/test line 96 is: ok($result);
# Test 15 got: "256" (extended_socket_class/test at line 102)
#    Expected: "0"
#  extended_socket_class/test line 102 is: ok( $result, 0 );
# Failed test 16 in extended_socket_class/test at line 108
#  extended_socket_class/test line 108 is: ok($result);
extended_socket_class/test .. Failed 15/16 subtests

Comment 2 Paul Moore 2018-08-06 21:46:54 UTC

Cloning the original to BZ so that it can focus on the extended_socket_class test failures and this BZ can focus on the shm/mmap test failures.

Comment 3 Paul Moore 2018-09-13 01:25:49 UTC

Milos, this looks like a duplicate of BZ 1373749, what do you think?

Comment 4 Milos Malik 2018-09-13 06:44:42 UTC

I believe that there were no failures in shm subtests when BZ#1373749 was filed, only mmap subtests were failing. Otherwise they look like duplicates.

Comment 5 Paul Moore 2018-09-13 20:38:05 UTC

True.

Okay, I'll leave them as separate BZs, but I'll put a comment in the other linking back to this BZ.

Comment 14 Ondrej Mosnacek 2018-09-26 07:27:44 UTC

Mystery finally solved!

These failures have apparently been introduced with changes in BZ 1458535, which brought in support for the file:map permission to the RHEL 7.6 kernel. The problem is that shmget(2) internally creates a special invisible file (labeled as tmpfs_t), which shmat(2) then tries to map, triggering an SELinux check.

Since the permissions for doing shared memory operations are already checked separately, this is a bug that has been already addressed upstream by marking the file with the S_PRIVATE flag and skipping the unnecessary access checks for it.

The relevant commits upstream are:

commit 892e8cac99a71f6254f84fc662068d912e1943bf
Author: Stephen Smalley <sds.gov>
Date:   Fri Jul 10 09:40:59 2015 -0400

    selinux: fix mprotect PROT_EXEC regression caused by mm change

commit e1832f2923ec92d0e590e496c8890675457f8568
Author: Stephen Smalley <sds.gov>
Date:   Thu Aug 6 15:46:55 2015 -0700

    ipc: use private shmem or hugetlbfs inodes for shm segments.

The most important is the second commit, which fixes both failing tests. The first commit's log message doesn't sound related, but it adds skipping also EXEC_MEM check for S_PRIVATE files, which fixes the last mmap test (which starts failing after applying only the second commit).

Note that upstream kernels never hit this problem, because the above two fixes had been applied long before the mmap support was added (v4.2 vs. v4.13).

Comment 20 Bruno Meneguele 2018-12-05 09:29:05 UTC

Patch(es) committed on kernel-3.10.0-972.el7

Comment 37 errata-xmlrpc 2019-08-06 12:08:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2029

Note You need to log in before you can comment on or make changes to this bug.