2275476 – SELinux is preventing code from using the 'execheap' accesses on a process.

Bug 2275476 - SELinux is preventing code from using the 'execheap' accesses on a process.

Summary: SELinux is preventing code from using the 'execheap' accesses on a process.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	39
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:9e8e1018a7f89f9eae5b0693b0a...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-04-17 11:08 UTC by Brian J. Murrell
Modified:	2024-05-02 12:06 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-05-02 12:06:02 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: os_info (734 bytes, text/plain) 2024-04-17 11:08 UTC, Brian J. Murrell	no flags	Details
File: description (2.50 KB, text/plain) 2024-04-17 11:08 UTC, Brian J. Murrell	no flags	Details
View All

Description Brian J. Murrell 2024-04-17 11:08:15 UTC

Description of problem:
Working in VS Code.
SELinux is preventing code from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think code should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that code should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'code' --raw | audit2allow -M my-code
# semodule -X 300 -i my-code.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        code
Source Path                   code
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-39.5-1.fc39.noarch
Local Policy RPM              selinux-policy-targeted-39.5-1.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.7.9-200.fc39.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar 6 19:35:04 UTC 2024 x86_64
Alert Count                   128
First Seen                    2024-04-17 07:05:37 EDT
Last Seen                     2024-04-17 07:05:37 EDT
Local ID                      94d0ef0c-2b2b-463f-89e6-e8a8659973c4

Raw Audit Messages
type=AVC msg=audit(1713351937.412:150807): avc:  denied  { execheap } for  pid=3995534 comm="code" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: code,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-targeted-39.5-1.fc39.noarch

Additional info:
reporter:       libreport-2.17.11
package:        selinux-policy-targeted-39.5-1.fc39.noarch
comment:        Working in VS Code.
kernel:         6.7.9-200.fc39.x86_64
component:      selinux-policy
reason:         SELinux is preventing code from using the 'execheap' accesses on a process.
hashmarkername: setroubleshoot
type:           libreport
component:      selinux-policy

Comment 1 Brian J. Murrell 2024-04-17 11:08:17 UTC

Created attachment 2027390 [details]
File: os_info

Comment 2 Brian J. Murrell 2024-04-17 11:08:19 UTC

Created attachment 2027391 [details]
File: description

Comment 3 Zdenek Pytela 2024-05-02 12:06:02 UTC

The Linux implementation of mprotect (unlike POSIX) allows changing the access protection of memory on the heap, e. g. allocated using malloc. This AVC denial indicates that heap memory was supposed to be made executable. While the permission can be granted turning the selinuxuser_execheap boolean on as suggested by setroubleshoot, it should not be done without a thorough code review as in most cases it indicates a bug in the code and you should consider reporting a bug on the related component. If anonymous executable memory is needed, another method should be considered, e. g. allocating memory using mmap.

Please refer to the boolean description:

  # semanage boolean -l|grep execheap
selinuxuser_execheap           (off  ,  off)  Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

Note You need to log in before you can comment on or make changes to this bug.