Description of problem:
1. dnf install tor privoxy
2. In /etc/privoxy/config set:
   listen-address 127.0.0.1:8118
   forward-socks5t / 127.0.0.1:9050 .
3. systemctl start tor privoxy

SELinux is preventing privoxy from using the 'execmem' accesses on a process.

***** Plugin allow_execmem (91.4 confidence) suggests *********************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do contact your security administrator and report this issue

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that privoxy should be allowed execmem access on processes labeled privoxy_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'privoxy' --raw | audit2allow -M my-privoxy
# semodule -X 300 -i my-privoxy.pp

Additional Information:
Source Context                system_u:system_r:privoxy_t:s0
Target Context                system_u:system_r:privoxy_t:s0
Target Objects                Unknown [ process ]
Source                        privoxy
Source Path                   privoxy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-33.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-33.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.9.16-200.fc33.x86_64 #1 SMP Mon Dec 21 14:08:22 UTC 2020 x86_64 x86_64
Alert Count                   422
First Seen                    2021-01-12 19:50:00 MSK
Last Seen                     2021-01-16 16:32:28 MSK
Local ID                      fc7a6d86-7755-4eb7-b498-13253a26ab40

Raw Audit Messages
type=AVC msg=audit(1610803948.132:3270): avc: denied { execmem } for pid=1863 comm="privoxy" scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=0

Hash: privoxy,privoxy_t,privoxy_t,process,execmem

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-33.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.9.16-200.fc33.x86_64
type:           libreport
Hi, The execmem permission is required for mapping a memory region as executable which is not common and is possibly insecure so it is disabled by default. For more information about the execmem permission, refer to the following articles: * https://akkadia.org/drepper/selinux-mem.html * https://danwalsh.livejournal.com/6117.html Changing the component for the maintainer to assess if this permission is required. Please switch it back to selinux-policy if further action is required.
----
type=PROCTITLE msg=audit(01/18/2021 04:20:32.984:707) : proctitle=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
type=SYSCALL msg=audit(01/18/2021 04:20:32.984:707) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1377 pid=1378 auid=unset uid=privoxy gid=privoxy euid=privoxy suid=privoxy fsuid=privoxy egid=privoxy sgid=privoxy fsgid=privoxy tty=(none) ses=unset comm=privoxy exe=/usr/sbin/privoxy subj=system_u:system_r:privoxy_t:s0 key=(null)
type=AVC msg=audit(01/18/2021 04:20:32.984:707) : avc: denied { execmem } for pid=1378 comm=privoxy scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=0
----

The same SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/18/2021 04:24:57.144:716) : proctitle=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user privoxy /etc/privoxy/config
type=SYSCALL msg=audit(01/18/2021 04:24:57.144:716) : arch=x86_64 syscall=mmap success=yes exit=140399402266624 a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1394 pid=1395 auid=unset uid=privoxy gid=privoxy euid=privoxy suid=privoxy fsuid=privoxy egid=privoxy sgid=privoxy fsgid=privoxy tty=(none) ses=unset comm=privoxy exe=/usr/sbin/privoxy subj=system_u:system_r:privoxy_t:s0 key=(null)
type=AVC msg=audit(01/18/2021 04:24:57.144:716) : avc: denied { execmem } for pid=1395 comm=privoxy scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=1
----
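An added triage helper, not part of this bug report and not code from privoxy or selinux-policy: it parses AVC and SYSCALL records in the ausearch -i layout quoted above, derives the allow rule audit2allow would generate for each denial, flags the exec-type process permissions (execmem, execstack, execheap, execmod) as high risk in line with the setroubleshoot warning, and joins each AVC to the SYSCALL record of the same audit event so the mmap with PROT_WRITE|PROT_EXEC that caused the execmem check is visible next to the denial. SAMPLE_AUDIT is constructed from the values in the records above; the etc_t read denial is a made-up contrast case, not something privoxy actually produced.

```python
import re
from collections import Counter

# Constructed sample records modeled on the audit output quoted in this bug.
# The etc_t read denial is invented as a contrast case.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(01/18/2021 04:20:32.984:707) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1377 pid=1378 comm=privoxy exe=/usr/sbin/privoxy subj=system_u:system_r:privoxy_t:s0 key=(null)
type=AVC msg=audit(01/18/2021 04:20:32.984:707) : avc: denied { execmem } for pid=1378 comm=privoxy scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=0
type=AVC msg=audit(01/18/2021 04:24:57.144:716) : avc: denied { execmem } for pid=1395 comm=privoxy scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:system_r:privoxy_t:s0 tclass=process permissive=1
type=AVC msg=audit(01/18/2021 04:30:00.000:720) : avc: denied { read } for pid=1400 comm=privoxy name=config dev="dm-0" ino=12345 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Process permissions that weaken W^X; setroubleshoot treats execmem as a
# possible sign of compromise rather than a routine policy gap.
EXEC_PERMS = {"execmem", "execstack", "execheap", "execmod"}

# msg=audit(<timestamp>:<event-id>) ties AVC and SYSCALL records together.
# [^)]* is greedy and backtracks to the last ':' before ')', so it also works
# for the raw epoch form msg=audit(1610803948.132:3270).
AVC_RE = re.compile(
    r"msg=audit\([^)]*:(?P<event>\d+)\)\s*:\s*avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
SYSCALL_RE = re.compile(
    r"msg=audit\([^)]*:(?P<event>\d+)\)\s*:.*?syscall=(?P<syscall>\S+)\s+success=(?P<success>\S+)"
    r".*?\sa2=(?P<a2>\S+)\s+a3=(?P<a3>\S+)"
)


def type_of(context):
    """user:role:type:level -> type (third field)."""
    return context.split(":")[2]


def to_rule(avc):
    """Render the TE allow rule audit2allow would emit for one AVC record."""
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = sorted(avc["perms"])
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{avc['tclass']} {perm_txt};"


def triage(text):
    """Parse audit text; return one finding per AVC denial, in input order."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        if "type=SYSCALL" in line:
            m = SYSCALL_RE.search(line)
            if m:
                syscalls[m["event"]] = m.groupdict()
        elif "type=AVC" in line:
            m = AVC_RE.search(line)
            if m:
                d = m.groupdict()
                d["perms"] = d["perms"].split()
                avcs.append(d)
    findings = []
    for avc in avcs:
        sc = syscalls.get(avc["event"])
        # A mapping or protection change asking for both WRITE and EXEC on
        # anonymous memory is exactly what the execmem check guards.
        wx = bool(sc and sc["syscall"] in ("mmap", "mprotect")
                  and "PROT_EXEC" in sc["a2"] and "PROT_WRITE" in sc["a2"])
        findings.append({
            "event": avc["event"],
            "rule": to_rule(avc),
            "enforced": avc.get("permissive") == "0",   # False when permissive or unknown
            "high_risk": bool(set(avc["perms"]) & EXEC_PERMS),
            "writable_exec_mapping": wx,
        })
    return findings


def summarize(findings):
    """Count denials per would-be allow rule (the report above saw 422 of one)."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_AUDIT)
    for f in found:
        tag = "HIGH RISK" if f["high_risk"] else "ok"
        mode = "enforcing" if f["enforced"] else "permissive"
        wx = " (W+X mmap seen in same event)" if f["writable_exec_mapping"] else ""
        print(f"event {f['event']} [{mode}] {tag}: {f['rule']}{wx}")
    for rule, n in summarize(found).items():
        print(f"{n}x {rule}")
```

The point of joining on the event id is that the AVC line alone only says "execmem was denied"; the matching SYSCALL record shows whether it was a PROT_READ|PROT_WRITE|PROT_EXEC anonymous mapping (a JIT or similar legitimate W+X user) or something less expected. Pipe `ausearch -m AVC,SYSCALL -c privoxy -i` into `triage()` on a live host; the high_risk flag is a prompt to confirm the cause before shipping the generated rule as a local module.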
Hi! I've used tor and privoxy with the same configuration as now for about 5 years, with several Fedora releases. All this time I've used SELinux running in enforcing mode and I had no issues with privoxy. This error started happening about 2 or 3 days ago. I hope this will be helpful for finding and fixing the error.
*** Bug 1917021 has been marked as a duplicate of this bug. ***
Asking upstream: https://sourceforge.net/p/ijbswa/bugs/924/
Upstream says this is likely caused by JIT pcre filter compilation. I can either rebuild with it disabled, or we can update the SELinux policy. I vote the latter.
If the feature is necessary for your project, we surely can add it to the policy, but it should be documented properly - can you make sure what the reason is?
Yes, it's for a new feature, JIT filter compilation. https://www.privoxy.org/announce.txt
*** Bug 1927329 has been marked as a duplicate of this bug. ***
*** Bug 1932676 has been marked as a duplicate of this bug. ***
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/728
FEDORA-2021-e2de9e9e55 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e2de9e9e55` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.