RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2034320 - various services trigger { execmem } denials in FIPS mode
Summary: various services trigger { execmem } denials in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssl
Version: 9.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 9.0
Assignee: Dmitry Belyavskiy
QA Contact: Alicja Kario
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-20 16:34 UTC by Alicja Kario
Modified: 2022-05-17 15:39 UTC (History)
7 users (show)

Fixed In Version: openssl-3.0.1-4.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:36:34 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-6106 0 None None None 2022-01-28 15:36:45 UTC
Red Hat Issue Tracker RHELPLAN-106271 0 None None None 2021-12-20 16:40:33 UTC
Red Hat Product Errata RHBA-2022:3900 0 None None None 2022-05-17 15:37:03 UTC

Description Alicja Kario 2021-12-20 16:34:24 UTC 
Description of problem:
When system is configured to execute in FIPS mode SELinux reports AVC denials for execmem for applications using openssl like sshd, NetworkManager or gssproxy. 

Version-Release number of selected component (if applicable):
selinux-policy-34.1.19-1.el9.noarch
openssl-3.0.0-5.el9.x86_64
NetworkManager-1.36.0-0.2.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install system
2. switch to FIPS mode
3. inspect SELinux logs

Actual results:
time->Mon Dec 20 11:23:05 2021
type=PROCTITLE msg=audit(1640017385.295:23): proctitle=2F7573722F7362696E2F67737370726F7879002D44
type=SYSCALL msg=audit(1640017385.295:23): arch=80000016 syscall=90 success=no exit=-13 a0=3ffd5b7bbf8 a1=fc1b8 a2=7 a3=802 items=0 ppid=1 pid=1103 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gssproxy" exe="/usr/sbin/gssproxy" subj=system_u:system_r:gssproxy_t:s0 key=(null)
type=AVC msg=audit(1640017385.295:23): avc:  denied  { execmem } for  pid=1103 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process permissive=0
----
time->Mon Dec 20 11:23:05 2021
type=PROCTITLE msg=audit(1640017385.445:29): proctitle=2F7573722F7362696E2F73736864002D44
type=SYSCALL msg=audit(1640017385.445:29): arch=80000016 syscall=90 success=no exit=-13 a0=3ffc077d028 a1=fc1b8 a2=7 a3=802 items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1640017385.445:29): avc:  denied  { execmem } for  pid=1108 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Dec 20 11:23:05 2021
type=PROCTITLE msg=audit(1640017385.565:42): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1640017385.565:42): arch=80000016 syscall=90 success=no exit=-13 a0=3fffbafcb18 a1=fc1b8 a2=7 a3=802 items=0 ppid=1 pid=1067 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1640017385.565:42): avc:  denied  { execmem } for  pid=1067 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=0


Expected results:
No denials

Additional info:
This is likely caused because OpenSSL loads and executes the /usr/lib64/ossl-modules/fips.so file that is the FIPS module.
Comment 2 Alicja Kario 2021-12-20 17:23:46 UTC 
Looks like it is non-x86_64 specific. I.e. fails on s390x, aarch64, ppc64le.
Comment 10 Milos Malik 2022-01-19 08:22:35 UTC 
SELinux Memory Protection Tests:
 * https://akkadia.org/drepper/selinux-mem.html

The execmem permission is nothing that SELinux policy allows without asking, because it is a dangerous operation.
Comment 17 Florian Weimer 2022-01-20 16:43:20 UTC 
annocheck actually falgs this:

Hardened: /usr/lib64/ossl-modules/fips.so: FAIL: rwx-seg test because segment has Read, Write and eXecute flags set 

The build log unfortunately does not show the linker flags. The only unusual thing I can see is the objcopy call.

Could you check if the RWE LOAD segment is present even before the objcopy call?
Comment 20 Simo Sorce 2022-01-20 17:14:14 UTC 
Testing can proceed with selinux in permissive mode, so this is not an immediate blocker.

However we'd like to find the cause asap so we know how difficult it will be to address it.
Comment 22 Florian Weimer 2022-01-20 17:43:36 UTC 
Without machines to experiment with, my guess is this:

Due to the const volatile specifier, the section is created as:

	.section	.rodata1,"aw"

That is, it is allocated and writable. This means that the entire segment needs to be writable. On non-x86 targets, -z noseparate-code is the default, so .rodata1 overlaps with .text, and you end up with a RWE load segment. On x86-64, you still lose some security hardening because more data becomes writable.

If that's true, the objcopy doesn't matter: fips.so should be in a bad state before that.

Presumably you added the volatile as a compiler barrier. I suggest to use this instead (completely untested):

extern unsigned char __attribute__ ((visiblity ("hidden"))) fips_hmac_container[32];

__asm(".hidden fips_hmac_container\n\t"
      ".type fips_hmac_container, %object\n\t"
      ".size fips_hmac_container, 32\n\t"
      ".section .rodata.fips_hmac_container,\"a\"\n\t"
      ".balign 16\n"
      "fips_hmac_container:\n\t"
      ".zero 32\n\t"
      ".previous");

And switch to .rodata.fips_hmac_container in the objcopy call. This way, you avoid corrupting fips.so in case the toolchain uses .rodata1 for some reason.
Comment 23 Dmitry Belyavskiy 2022-01-21 09:10:42 UTC 
This is a part of my downstream patch. I had to use volatile because otherwise there were some problems with moving it to the correct section. I'll try your solution and let you know if I succeed.
Comment 24 Dmitry Belyavskiy 2022-01-21 10:05:23 UTC 
Unfortnately, I don't get any .rodata.fips_hmac_container in the binary I build. Replacing it back with .rodata1 helps, the necessary section is seen via objdump -t
Comment 25 Dmitry Belyavskiy 2022-01-21 12:13:01 UTC 
I removed the `volatile` attribute for embedded hmac value. Currently the section attribute is preserved so hopefully the issue will go away.
Comment 26 Florian Weimer 2022-01-21 12:18:57 UTC 
(In reply to Dmitry Belyavskiy from comment #25)
> I removed the `volatile` attribute for embedded hmac value. Currently the
> section attribute is preserved so hopefully the issue will go away.

The volatile was presumably added to avoid constant propagation because the intent is to change the constant under the covers.
Comment 27 Dmitry Belyavskiy 2022-01-21 12:22:54 UTC 
Yes. Without volatile the variable didn't fit into a requested section, so we couldn't embed the value.
Comment 37 errata-xmlrpc 2022-05-17 15:36:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: openssl), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3900
Note You need to log in before you can comment on or make changes to this bug.