Bug 185339 - avc: denied { execheap } comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0
avc: denied { execheap } comm="ld-linux.so.2" scontext=system_u:system_r:cr...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-13 15:31 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: selinux-policy-2.2.38-1.FC5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-16 11:23:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2006-03-13 15:31:12 EST
Description of problem:

On a freshly installed rawhide system:

audit(1142281782.485:707): avc:  denied  { execheap } for  pid=32722
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

Also:

lots of:

audit(1142282037.478:751): avc:  granted  { execstack } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process
audit(1142282037.478:752): avc:  granted  { execmem } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.23-15
Comment 1 Orion Poplawski 2006-03-28 11:55:46 EST
Can you tell me what I should be doing about the following?

audit(1142282037.478:751): avc:  granted  { execstack } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process
audit(1142282037.478:752): avc:  granted  { execmem } for  pid=1048
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

Presumably some program needs to get fixed so that it doesn't need execstack and
execmem priviledges, but how do I find out which one?

These messages trigger daily logwatch emails:

--------------------- Selinux Audit Begin ------------------------ 

  *** Grants ***
    user_u user_u (process): 81 times
 
so it's an annoyance.  But before I configure logwatch to ignore grant messages,
I figured I'd try to see if I can fix them properly.
Comment 2 Tim Püschel 2006-04-08 05:42:03 EDT
The 

audit(1144487527.582:5): avc:  denied  { execheap } for  pid=8497
comm="ld-linux.so.2" scontext=system_u:system_r:crond_t:s0
tcontext=system_u:system_r:crond_t:s0 tclass=process

message also appears on fc5 with glibc-2.4-4 and selinux-policy-2.2.29-3.

It appears a few times everytime prelink is run.
Comment 5 Daniel Walsh 2006-05-09 12:27:04 EDT
Added prelink policy fixed in current policy
Comment 6 Orion Poplawski 2006-05-16 11:23:37 EDT
Confirmed.

Note You need to log in before you can comment on or make changes to this bug.