Description of problem: mono requires execmem to run. SELinux can not happen because the executable needs execment to even get started. readelf -l /usr/bin/mono Elf file type is EXEC (Executable file) Entry point 0x805c330 There are 9 program headers, starting at offset 52 Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000034 0x08048034 0x08048034 0x00120 0x00120 R E 0x4 INTERP 0x000154 0x08048154 0x08048154 0x00013 0x00013 R 0x1 [Requesting program interpreter: /lib/ld-linux.so.2] LOAD 0x000000 0x08048000 0x08048000 0x194bab 0x194bab R E 0x1000 LOAD 0x195000 0x081dd000 0x081dd000 0x00ffe 0x0f7fc RWE 0x1000 DYNAMIC 0x1953d8 0x081dd3d8 0x081dd3d8 0x00110 0x00110 RW 0x4 NOTE 0x000168 0x08048168 0x08048168 0x00020 0x00020 R 0x4 TLS 0x195000 0x081dd000 0x081dd000 0x00000 0x00014 R 0x4 GNU_EH_FRAME 0x176624 0x081be624 0x081be624 0x065d4 0x065d4 R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 Section to Segment mapping: Segment Sections... 00 01 .interp 02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table 03 .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data writetext .bss 04 .dynamic 05 .note.ABI-tag 06 .tbss 07 .eh_frame_hdr 08
Basically I get an execmem failure from unconfined_t before mono starts. If I allow execmem in SELinux mono will transition to mono_t but I get an auditallow granted message for unconfined_t.
Nalin and I looked into this further and we think the culprit is the following: ======================================================================= Dan, it looks like the 'mono' binary defines a segment named 'writetext' like so (mono/mini/mini.c:7268, preprocessed): static __thread gpointer mono_lmf_addr __attribute__((tls_model("local-exec"))); gint32 mono_get_lmf_tls_offset (void) { int offset; __asm ("jmp 1f; .section writetext, \"awx\"; 1: movl $" "mono_lmf_addr" "@ntpoff, %0; jmp 2f; .previous; 2:" : "=r" (offset));; return offset; } And the run-time linker is probably just hitting the execmem denial as part of doing its job.
ELF file has a RWE segment, which triggers the denial when the kernel ELF loader tries to mmap it with those protections, IIUC. This happens prior to switching credentials, so it happens in the caller's context rather than the new domain. Build or code problem in mono.
Created attachment 125213 [details] mono-compiler.patch
Applyin jakub's patch to the latest mono and rebuilding seems to have cleaned up the problem. tomboy is working fine with the new vesion.
File upstream here: http://bugzilla.ximian.com/show_bug.cgi?id=77653
Created attachment 125396 [details] amd64 fix You need this additional patch to make mono compile and work on amd64 systems. Thanks.
Yeah, my patch was completely untested, doesn't surprise me I made one typo. Also, IA-64 probably needs similar treatment, i.e. use the current __asm for non-pic and for PIC use __asm ("addl %0 = @ltoff(@tprel(" #var "#)), gp ;; ld8 %0 = [%0]\n" : "=r" (offset))
Created attachment 125569 [details] fully fleshed out patch Hi, Above, is the patch I built into rawhide. It has the x86-64 update and the ia64 update in it. Can you guys verify that it looks correct?
Hey guys, I'm going to close this bug, but if anyone experiences it again, feel free to reopen.