Bug 191972 - selinux denies libgcj execmem PROT_READ|PROT_WRITE|PROT_EXEC
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Blocks: 191689
Reported: 2006-05-16 12:54 EDT by Caolan McNamara
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-05-23 16:29:28 EDT

Attachments:
demo source (389 bytes, text/x-c++src), 2006-05-16 12:54 EDT, Caolan McNamara

Description Caolan McNamara 2006-05-16 12:54:12 EDT
Description of problem:
Take attached C++ code and run it with
/usr/sbin/setenforce 1

/usr/sbin/sestatus output is...
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        targeted

Version-Release number of selected component (if applicable):
libgcj-4.1.0-16
selinux-policy-2.2.38-6

How reproducible: always

Steps to Reproduce:
1. take simple c++ source
2. ./a.out
  
Actual results:
SEGV, strace attached...
mmap2(0x1000, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EACCES (Permission denied)
mmap2(0x1000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EACCES (Permission denied)
Comment 1 Caolan McNamara 2006-05-16 12:54:12 EDT
Created attachment 129232
demo source
Comment 2 Jakub Jelinek 2006-05-17 08:06:26 EDT
I believe you need to label such a program specially before it is allowed to do so.
Comment 3 Daniel Walsh 2006-05-17 09:26:08 EDT
If you label it unconfined_execmem_exec_t it should work.
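
An added example, not part of the bug report or its attached demo source: a small C probe that requests the same kind of private anonymous PROT_READ|PROT_WRITE|PROT_EXEC mapping seen in the strace and reports the errno instead of crashing when the request is refused. The function names and the NULL address hint (the trace used 0x1000) are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes MAP_ANONYMOUS under strict -std modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Try one private anonymous mapping with the given protection bits.
 * Returns 0 if the kernel granted it, otherwise the errno set by mmap().
 * Hypothetical helper, not taken from libgcj or the attached demo. */
int probe_anon_mmap(size_t len, int prot)
{
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;            /* the strace in the report shows EACCES here */
    munmap(p, len);
    return 0;
}

/* Map a probe result to a short verdict string. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    if (err == EACCES || err == EPERM)
        return "denied by policy";
    return "failed for another reason";
}

int main(void)
{
    /* 65536 bytes is the size of the first failing request in the trace. */
    int rw  = probe_anon_mmap(65536, PROT_READ | PROT_WRITE);
    int rwx = probe_anon_mmap(65536, PROT_READ | PROT_WRITE | PROT_EXEC);

    printf("RW  anonymous mapping: %s\n", verdict(rw));
    printf("RWX anonymous mapping: %s", verdict(rwx));
    if (rwx != 0)
        printf(" (%s)", strerror(rwx));
    putchar('\n');

    /* Exit non-zero when the executable mapping was refused, so the probe
     * can be run before and after relabeling the binary. */
    return rwx != 0;
}
```

Checking the mmap() result against MAP_FAILED is what turns the denial into a reportable error rather than the SEGV described in the report.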
