Bug 205496 - Improvements to error reporting: executable stacks
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 10
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Whiteboard: bzcl34nup
Keywords: Reopened, Triaged
Reported: 2006-09-06 14:56 EDT by Dave Malcolm
Modified: 2009-12-18 00:53 EST
Doc Type: Bug Fix
Last Closed: 2009-12-18 00:53:13 EST

Description Dave Malcolm 2006-09-06 14:56:56 EDT
Description of problem:
The test for executable stacks should handle a binary that comes from a
Fedora/RHEL RPM and allow the filing of a bug against that package.  It should
also detect the library that's causing the problem.

Version-Release number of selected component (if applicable):
setroubleshoot-0.41-1

Steps to Reproduce:
1. Start epiphany
  
Actual results:
"Summary: SELinux is preventing /usr/bin/epiphany from making the program stack
executable.
The /usr/bin/epiphany application attempted to make the its stack executable.
This is a potential security problem. This should never ever be necessary. stack
memory is not executable on most OSes these days and this will not change.
Executable stack memory is one of the biggest security problems. An execstack
error might in fact be most likely raised by malicious code. Applications are
sometimes coded incorrectly and request this permission. The SELinux Memory
Protection Tests web page explains how to remove this requirement. If
/usr/bin/epiphany does not work and you need it to work, you can configure
SELinux temporarily to allow this access until the application is fixed."

"Affected RPM Packages: (blank)"

Running eu-readelf -l /usr/bin/epiphany | grep STACK
shows:
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RW  0x4

So epiphany itself doesn't need an executable stack, but one of the libraries
it's pulling in does.  I don't know an easy way to locate this.  Suggestions
welcome.

Expected results:
setroubleshoot should have performed an rpm -qf on the binary, determined that
it's from the epiphany package.  It should then look at the DSOs loaded by
epiphany, and detect the library that was at fault - I don't know an easy way to
implement this, though.  If the library(s) is part of Fedora or RHEL it should
have an easy option to file a bug against the package(s) containing them.
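
One way to do the lookup the description asks for, as an added example that is not part of the bug report or of setroubleshoot: read the PT_GNU_STACK program header (the line eu-readelf prints above) of every file mapped into the process and report those with the execute bit set. The function names are hypothetical; the input is the text of /proc/PID/maps.

```python
import struct
from pathlib import Path

PT_GNU_STACK = 0x6474E551   # program header type that carries the stack permissions
PF_X = 0x1                  # execute bit in p_flags ("RW" in the readelf line = 0x6)
# EI_CLASS -> (e_phoff format, e_phoff offset, e_phentsize offset, p_flags offset in a phdr)
LAYOUT = {1: ("I", 28, 42, 24), 2: ("Q", 32, 54, 4)}

def gnu_stack_flags(elf: bytes):
    """Return p_flags of PT_GNU_STACK, or None if the object has no such header."""
    if len(elf) < 6 or elf[:4] != b"\x7fELF" or elf[4] not in LAYOUT:
        raise ValueError("not a supported ELF object")
    fmt, phoff_at, phent_at, flags_at = LAYOUT[elf[4]]
    end = "<" if elf[5] == 1 else ">"            # EI_DATA: 1 = little endian
    phoff, = struct.unpack_from(end + fmt, elf, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", elf, phent_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", elf, base + flags_at)[0]
    return None

def mapped_objects(maps_text: str):
    """Unique file-backed paths from /proc/PID/maps text, in first-seen order."""
    seen = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/") and fields[5] not in seen:
            seen.append(fields[5])
    return seen

def execstack_culprits(maps_text: str, read=lambda p: Path(p).read_bytes()):
    """Mapped objects whose PT_GNU_STACK header requests an executable stack."""
    hits = []
    for path in mapped_objects(maps_text):
        try:
            flags = gnu_stack_flags(read(path))
        except (OSError, ValueError, struct.error):
            continue                             # unreadable, truncated or not ELF
        if flags is not None and flags & PF_X:
            hits.append(path)
    return hits

if __name__ == "__main__":                       # usage: script.py [PID]
    import sys
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/maps") as f:
        print("\n".join(execstack_culprits(f.read())) or "no mapped object requests an executable stack")
```

Each reported path can then be passed to rpm -qf to name the package to file against. With SELinux enforcing, the load that triggers the denial may fail, so the library may never appear in the maps file; scanning in permissive mode, or scanning the candidate library files directly with gnu_stack_flags, covers that case.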
Comment 1 Bug Zapper 2008-04-03 14:10:19 EDT
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 2 Bug Zapper 2008-05-06 20:49:41 EDT
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp
Comment 3 Dave Malcolm 2008-05-12 15:46:02 EDT
Reopening; did this ever get implemented?
Comment 4 Bug Zapper 2008-05-13 22:20:03 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Joachim Frieben 2008-10-04 07:43:04 EDT
This issue still affects the current rawhide/koji tree including:
- epiphany-2.24.0.1-3.fc10.i386
- selinux-policy-targeted-3.5.10-2.fc10.noarch
- xulrunner-1.9.0.2-2.fc10.i386

Summary
SELinux is preventing epiphany from making the program stack executable. 

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
The epiphany application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If epiphany does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package.

Allowing Access
Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust epiphany to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/epiphany'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/epiphany'"

Fix Command
chcon -t unconfined_execmem_exec_t '/usr/bin/epiphany'

Additional Information
Source Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects:  None [ process ]
Source:  epiphany
Source Path:  /usr/bin/epiphany
Port:  <Unknown>
Host:  fedora
Source RPM Packages:  epiphany-2.24.0.1-3.fc10
Target RPM Packages:
Policy RPM:  selinux-policy-3.5.10-2.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  allow_execstack
Host Name:  fedora
Platform:  Linux fedora 2.6.27-0.382.rc8.git4.fc10.i686 #1 SMP Thu Oct 2 21:36:18 EDT 2008 i686 i686
Alert Count:  1
First Seen:  Sat 04 Oct 2008 01:26:12 PM CEST
Last Seen:  Sat 04 Oct 2008 01:26:12 PM CEST
Local ID:  c6c6e600-4815-497b-8342-95125eb61fef
Line Numbers:

Raw Audit Messages :

node=fedora type=AVC msg=audit(1223119572.959:34): avc: denied { execstack } for pid=3405 comm="epiphany" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=fedora type=AVC msg=audit(1223119572.959:34): avc: denied { execmem } for pid=3405 comm="epiphany" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=fedora type=SYSCALL msg=audit(1223119572.959:34): arch=40000003 syscall=125 success=yes exit=0 a0=bfe6b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3405 auid=501 uid=501 gid=100 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="epiphany" exe="/usr/bin/epiphany" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
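
The raw audit messages in comment 5 share one event id, so the two AVC denials can be tied to the SYSCALL record and its arguments decoded. This is an added example, not part of the bug report or of setroubleshoot; the function name is hypothetical, the sample lines are the page's records with the SELinux context fields dropped, and only the i386 syscall number seen here is mapped.

```python
import re

# arch=40000003 is i386 in audit records; on i386 syscall 125 is mprotect.
I386_SYSCALLS = {125: "mprotect"}
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
DENIED = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Records from comment 5, abridged: scontext/tcontext and the uid fields removed.
SAMPLE = [
    'node=fedora type=AVC msg=audit(1223119572.959:34): avc: denied { execstack } for pid=3405 comm="epiphany" tclass=process',
    'node=fedora type=AVC msg=audit(1223119572.959:34): avc: denied { execmem } for pid=3405 comm="epiphany" tclass=process',
    'node=fedora type=SYSCALL msg=audit(1223119572.959:34): arch=40000003 syscall=125 success=yes exit=0 a0=bfe6b000 a1=1000 a2=1000007 a3=fffff000 pid=3405 comm="epiphany" exe="/usr/bin/epiphany"',
]

def correlate(lines):
    """Group records by audit event id and decode the syscall behind each denial."""
    events = {}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"denied": [], "call": None})
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "AVC":
            d = DENIED.search(line)
            ev["denied"] += d.group(1).split() if d else []
        elif fields.get("type") == "SYSCALL" and fields.get("arch") == "40000003":
            prot = int(fields["a2"], 16)          # a0..a3 are logged in hex
            ev["call"] = {
                "name": I386_SYSCALLS.get(int(fields["syscall"]), "?"),
                "addr": int(fields["a0"], 16),
                "len": int(fields["a1"], 16),
                "prot": [name for bit, name in PROT_BITS if prot & bit],
                "exe": fields.get("exe"),
            }
    return events

if __name__ == "__main__":
    for event_id, ev in correlate(SAMPLE).items():
        print(event_id, ev["denied"], ev["call"])
```

For this event the call decodes to mprotect on one page at 0xbfe6b000 with PROT_READ, PROT_WRITE, PROT_EXEC and PROT_GROWSDOWN; mprotect(2) documents PROT_GROWSDOWN as applying the change down to the start of a grows-down mapping such as the stack. The record shows what was requested and by which process, but not which loaded object asked for it.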
Comment 6 Bug Zapper 2009-06-09 18:16:47 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Dave Malcolm 2009-06-29 11:21:26 EDT
Bumping version from 9 to 10, based on comment #5 (and comment #6)
Comment 9 Bug Zapper 2009-11-18 03:07:48 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Bug Zapper 2009-12-18 00:53:13 EST
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
