2014228 – libffi: Python scripts crash with ANOM_ABEND when SELinux is enabled

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2014228 - libffi: Python scripts crash with ANOM_ABEND when SELinux is enabled

Summary: libffi: Python scripts crash with ANOM_ABEND when SELinux is enabled

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	libffi
Sub Component:
Version:	8.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	DJ Delorie
QA Contact:	Lenka Špačková
Docs Contact:	Jacob Taylor Valdez
URL:
Whiteboard:
Depends On:
Blocks:	2152228
TreeView+	depends on / blocked

Reported:	2021-10-14 16:23 UTC by Paulo Andrade
Modified:	2023-05-16 11:17 UTC (History)
CC List:	5 users (show)
Fixed In Version:	libffi-3.1-24.el8
Doc Type:	Bug Fix
Doc Text:	.`libffi` can now probe for executable memory with SELinux enabled By default, `libffi` does not probe for executable memory when SELinux is enabled. As a consequence, programs which use `libffi` closures and `fork()` without immediately executing some other processes terminate unexpectedly when SELinux is enabled. With this update, `libffi` looks for a `/etc/sysconfig/libffi-force-shared-memory-check-first` file and, if it exists, probes for executable memory regardless of if SELinux is enabled. As a result, programs using `libffi` can safely `fork()` without crashing with SELinux enabled.
Clone Of:
Clones:	2152228 (view as bug list)
Environment:
Last Closed:	2023-05-16 09:10:24 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1977410	1	high	CLOSED	Python scripts crash with ANOM_ABEND when SELinux is enabled	2023-10-13 12:33:24 UTC
Red Hat Issue Tracker	RHELPLAN-101393	0	None	None	None	2021-11-01 20:20:10 UTC
Red Hat Product Errata	RHBA-2023:3014	0	None	None	None	2023-05-16 09:10:27 UTC

Description Paulo Andrade 2021-10-14 16:23:47 UTC

This bug was initially created as a copy of Bug #1977410

I am copying this bug because: 



Description of problem:
When SELinux is enabled, even in permissive mode, the attached code crashes.  When SELinux is disabled, it runs fine.  The only message I see in audit.log is:

type=ANOM_ABEND msg=audit(1624551198.965:416): auid=47927 uid=47927 gid=47927 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4090 comm="test.py" reason="memory violation" sig=6

I'm not seeing any AVC messages, even after running "semodule -DB".  I spotted a Bugzilla report (1249685) from a few years back which mentioned python-cffi, the system doesn't have that package installed.  Adjusting the deny_execmem boolean didn't have any effect either - which I'm taking as a good thing, as the warnings about that were sufficiently dire.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Enable SELinux, in either enforcing or permissive mode.
2. Run attached code.
3. Code crashes.

Actual results:


Expected results:


Additional info:
I have talked with the Red Hat SELinux Userspace team, who have reproduced the issue on Fedora 34 with Python 3.9.  They suspect the issue may be in the Python _ctypes module.

Comment 17 errata-xmlrpc 2023-05-16 09:10:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libffi bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3014

Note You need to log in before you can comment on or make changes to this bug.