Bug 1802479 - allow_execstack and allow execmem should be off
Summary: allow_execstack and allow execmem should be off
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2013629

Reported: 2020-02-13 09:40 UTC by Julie Pichon
Modified: 2023-09-07 21:50 UTC
CC: 9 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1801314
Clones: 2013629
Environment:
Last Closed: 2020-06-25 13:35:43 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments
CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE) (1.29 MB, application/pdf), 2020-02-13 09:40 UTC, Julie Pichon

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Article) | 4854201 | 0 | None | None | None | 2020-06-25 13:35:42 UTC
Description Julie Pichon 2020-02-13 09:40:30 UTC
Created attachment 1662917
CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE)

+++ This bug was initially created as a clone of Bug #1801314 +++

Description of problem:
As described in CONFIGURATION RECOMMENDATIONS OF A GNU/LINUX SYSTEM (ANSSI GUIDELINE), it is a security issue to have:
allow_execstack: on
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous

allow execmem: on
Allow unconfined executables to make their stack executable. 

Steps to Reproduce:
1. semanage boolean -l | grep deny_execmem
2. semanage boolean -l | grep execstack

Actual results:
[root@controller-0 ~]# semanage boolean -l | grep deny_execmem
deny_execmem                   (off  ,  off)  Allow deny to execmem 

[root@controller-0 ~]# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack          (on   ,   on)  Allow selinuxuser to execstack  

Expected results:
[root@controller-0 ~]# semanage boolean -l | grep deny_execmem
deny_execmem                   (on  ,  on)  Allow deny to execmem 

[root@controller-0 ~]# semanage boolean -l | grep selinuxuser_execstack
selinuxuser_execstack          (off ,  off)  Allow selinuxuser to execstack  

Additional info:

[1] https://lists.fedoraproject.org/pipermail/scm-commits/2011-November/681342.html


--- Additional comment from Julie Pichon on 2020-02-11 15:25:49 UTC ---

Hi Lukas,

I would like to ask for your thoughts on the two following booleans mentioned in the bug description:

deny_execmem                   (off  ,  off)  Allow deny to execmem
selinuxuser_execstack          (on   ,   on)  Allow selinuxuser to execstack

According to recent security guidelines (cf. ANSSI document in the attachments), the recommendation is for these to always be set to on (deny_execmem) and off (selinuxuser_execstack) respectively. Would it make sense for the default selinux-policy to change to match the guidelines, do you think? Thank you.

Comment 3 Milos Malik 2020-04-27 15:24:07 UTC
If the deny_execmem boolean is enabled by default then we need to instruct the cluster team to enable the cluster_use_execmem boolean. Otherwise the following SELinux denials will appear:

----
type=PROCTITLE msg=audit(04/27/2020 17:15:51.461:189) : proctitle=/usr/bin/ruby /usr/lib/pcsd/pcsd 
type=SYSCALL msg=audit(04/27/2020 17:15:51.461:189) : arch=x86_64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7fe8a4990000 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=0x22 items=0 ppid=1 pid=1794 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pcsd exe=/usr/bin/ruby subj=system_u:system_r:cluster_t:s0 key=(null) 
type=AVC msg=audit(04/27/2020 17:15:51.461:189) : avc:  denied  { execmem } for  pid=1794 comm=pcsd scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=0 
----

# getsebool -a | grep -e selinuxuser_execstack -e deny_execmem
deny_execmem --> on
selinuxuser_execstack --> off
# service pcsd start

Comment 4 Milos Malik 2020-04-28 08:30:32 UTC
If the deny_execmem boolean should be enabled by default then we need to instruct the desktop team to enable the xserver_execmem boolean. Otherwise the following SELinux denials will appear:

----
type=PROCTITLE msg=audit(04/28/2020 10:24:42.377:313) : proctitle=/usr/bin/gnome-shell 
type=SYSCALL msg=audit(04/28/2020 10:24:42.377:313) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=3668 pid=3893 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/28/2020 10:24:42.377:313) : avc:  denied  { execmem } for  pid=3893 comm=gnome-shell scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=0 
----

The gnome-shell is not able to start.
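Added example, not code from the bug report or the selinux-policy project: a POSIX shell script that scans audit lines in the format quoted in comments 3 and 4 for execmem denials and maps each denied source domain to the per-domain boolean those comments name, so the services that would break are known before deny_execmem is turned on. The sample lines are constructed from the two comments (plus one constructed execstack denial that must be ignored), and the mapping covers only the two domains the bug mentions.

```shell
#!/bin/sh
# Added example, not part of the bug report: scan audit lines in the format
# quoted in comments 3 and 4 for execmem denials, then map each denied source
# domain to the domain-specific boolean the comments name for it, so the
# services that need a per-domain boolean are known before deny_execmem is
# turned on. The sample lines are constructed from the two comments, plus one
# unrelated (constructed) execstack denial to show that it is ignored.

SAMPLE_AVCS='type=AVC msg=audit(04/27/2020 17:15:51.461:189) : avc:  denied  { execmem } for  pid=1794 comm=pcsd scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=process permissive=0
type=AVC msg=audit(04/28/2020 10:24:42.377:313) : avc:  denied  { execmem } for  pid=3893 comm=gnome-shell scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(04/28/2020 10:30:00.000:314) : avc:  denied  { execstack } for  pid=4000 comm=bash scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0'

# execmem_domains: from AVC lines on stdin, print each distinct source domain
# (the type field of scontext) denied { execmem }, with the comm that hit it.
execmem_domains() {
  awk 'index($0, "type=AVC") && index($0, "{ execmem }") {
         dom = ""; c = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^scontext=/) { split($i, a, ":"); dom = a[3] }
           if ($i ~ /^comm=/)     { c = substr($i, 6) }
         }
         if (dom != "" && !seen[dom]++) print dom, c
       }'
}

# boolean_for_domain: the per-domain execmem boolean this bug names for the
# given source domain; anything else needs its own investigation.
boolean_for_domain() {
  case "$1" in
    cluster_t) echo cluster_use_execmem ;;
    xdm_t)     echo xserver_execmem ;;
    *)         echo none-named ;;
  esac
}

# report: one line "domain comm boolean" per affected domain, from stdin.
report() {
  execmem_domains | while read -r dom c; do
    printf '%s %s %s\n' "$dom" "$c" "$(boolean_for_domain "$dom")"
  done
}

# Run against the constructed sample; on a real host feed it
# `ausearch -m AVC` output instead.
printf '%s\n' "$SAMPLE_AVCS" | report
```

On a real system the same report can be produced before flipping the boolean by running the host in permissive mode for the affected domains and feeding the resulting AVC records through `report`.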

Comment 6 Zdenek Pytela 2020-06-25 13:35:43 UTC
Julie,

Thank you for bringing up this issue on improving the security of our products.

RHEL with SELinux is widely used in various customer environments. We cannot predict all of the impact of such an important change, though, so I am afraid we cannot afford to make such a change during the RHEL 8 development cycle. To declare stability and reliability, we have published the following document:

  Stability of the SELinux Policy API 
  https://access.redhat.com/articles/4854201

I am closing the bz for now. However, as both suggestions seem to be reasonable, we can participate in a wider discussion on whether the default value can be changed in Fedora and in future RHEL major versions, and even include more booleans of a similar kind in the discussion.

