Bug 194452 - Grub fails with execmem AVC denied
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Platform: All Linux
Severity: medium
Assigned To: Daniel Walsh

Reported: 2006-06-08 06:24 EDT by Mark McLoughlin
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:14:39 EDT
Description Mark McLoughlin 2006-06-08 06:24:02 EDT
Doing the following:

    $> cat > grubscript.tmp << EOF
    root (hd1,0)
    install /grub/stage1 d (hd1) /grub/stage2 p /grub/grub.conf
    EOF
    $> grub --batch --no-floppy --device-map=device.map < grubscript.tmp
    grub: asmstub.c:214: grub_stage2: Assertion `simstack_alloc_base != ((void *) -1)' failed.
    Aborted

Fails with this AVC denied:

    avc:  denied  { execmem } for  pid=3093 comm="grub"
scontext=root:system_r:unconfined_t:s0-s0:c0.c255
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process

Running with allow_execmem set to 1 makes it work.

Best I can make out is that our grub simulates an executable stack by mmapping a
chunk of memory and marking it executable ... presumably so grub can be built
without an executable stack.

CVS log of the patch:

    $> cvs log grub-0.95-nxstack.patch
    date: 2005/02/11 08:16:53;  author: pjones;  state: Exp;
    vroomfondel:~$ eu-readelf -l /sbin/grub | grep STACK
      GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RW  0x4
                                                                    ^ yay

    This may be one of the worst atrocities I've ever committed to disk.

:-)

Do we need to modify the policy to allow_execmem for grub?
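The two AVC records quoted in this report are the kind of thing a policy maintainer triages in bulk. The following Python is an added example, not code from the bug report or from Fedora's policy tooling: it parses audit lines of that shape, picks out denied execmem on the process class, and for each one lists the two remediations discussed in this bug, the allow_execmem boolean and the unconfined_execmem_exec_t file context. The sample log is constructed: the two grub lines reproduce the records above, and the third (an httpd file-read denial) is invented so that a non-matching record is visible.

```python
"""Triage SELinux AVC records for execmem denials.

Added example for this bug report; not part of the report, grub, or the
Fedora policy.  Sample input is constructed from the records quoted above.
"""
import re
from collections import defaultdict

# Constructed sample log.  Lines 1-2 mirror the grub denials in the bug;
# line 3 is an invented, unrelated file denial that must not be flagged.
SAMPLE_LOG = """\
avc:  denied  { execmem } for  pid=3093 comm="grub" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
audit(1152250446.486:6): avc:  denied  { execmem } for  pid=2177 comm="grub" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
audit(1152250447.001:7): avc:  denied  { read } for  pid=2180 comm="httpd" name="index.html" dev=sda1 ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Optional "audit(<secs>.<ms>:<serial>):" prefix, then the AVC verdict,
# the braced permission list, and the remaining key=value fields.
AVC_RE = re.compile(
    r"(?:audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*)?"
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm="grub") or bare (pid=3093)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")) if m.group("ts") else None,
        "serial": int(m.group("serial")) if m.group("serial") else None,
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, raw, quoted in KV_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """The type component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def is_execmem_denial(rec):
    """True for a denied execmem on the process class, the case in this bug."""
    return (rec["result"] == "denied"
            and "execmem" in rec["perms"]
            and rec.get("tclass") == "process")


def remediation_options(rec):
    """The two fixes this bug discusses, scoped to the domain in the record.

    'boolean' is the allow_execmem boolean, which relaxes the whole domain;
    'file_context' is the per-binary execmem type named in comment 1, the
    narrower fix.  Only the unconfined_t mapping is taken from the bug; other
    domains get None rather than a guessed type name.
    """
    domain = context_type(rec["scontext"])
    return {
        "comm": rec.get("comm"),
        "domain": domain,
        "boolean": "allow_execmem",
        "file_context": "unconfined_execmem_exec_t" if domain == "unconfined_t" else None,
    }


def execmem_report(log_text):
    """Count execmem process denials per (comm, source domain)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_execmem_denial(rec):
            counts[(rec.get("comm"), context_type(rec["scontext"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (comm, domain), n in execmem_report(SAMPLE_LOG).items():
        print(f"{comm} running in {domain}: {n} execmem denial(s)")
    for line in SAMPLE_LOG.splitlines():
        rec = parse_avc(line)
        if rec and is_execmem_denial(rec):
            print("  options:", remediation_options(rec))
```

The report groups by source domain as well as by command name because the remediation is chosen per domain: flipping the boolean grants execmem to every process in that domain, whereas relabelling the binary with an execmem exec type confines the exception to the one program that needs it. The boolean and type names are the ones used in this bug; policy releases since then have renamed some of them, so check the installed policy before applying either.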
Comment 1 Daniel Walsh 2006-06-08 10:47:18 EDT
Is this required by grub?  I.e. is there another way to do this.  We can define a
context of unconfined_execmem_exec_t for grub which would allow this.

chcon -t unconfined_execmem_exec_t /sbin/grub
Comment 2 Daniel Walsh 2006-06-15 21:29:20 EDT
Fixed in 2.2.47-3
Comment 3 Piete Brooks 2006-07-07 01:48:20 EDT
I still see this problem on FC6 T1

Vigor14:~: rpm -q selinux-policy-targeted 
selinux-policy-targeted-2.3.1-1
Vigor14:~: 

audit(1152250446.486:6): avc:  denied  { execmem } for  pid=2177 comm="grub"
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
Comment 4 Daniel Walsh 2006-07-11 09:38:01 EDT
Fixed in selinux-policy-targeted-2.3.2-2
Comment 5 Daniel Walsh 2007-08-22 10:14:39 EDT
Should be fixed in the current release