2294760 – SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a process.

Bug 2294760 - SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a process.

Summary: SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a...

Keywords:
Status:	CLOSED DUPLICATE of bug 2254434
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	40
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:99d25e7dda8cd2fc8c6ea7cf180...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-06-28 21:00 UTC by Subhendu Ghosh
Modified:	2024-07-11 17:27 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-07-01 07:11:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (2.63 KB, text/plain) 2024-06-28 21:00 UTC, Subhendu Ghosh	no flags	Details
File: os_info (734 bytes, text/plain) 2024-06-28 21:00 UTC, Subhendu Ghosh	no flags	Details
View All

Description Subhendu Ghosh 2024-06-28 21:00:27 UTC

Description of problem:
started Draw.io Flathub image
SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a process.

*****  Plugin allow_execheap (53.1 confidence) suggests   ********************

If you do not think ThreadPoolForeg should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.

*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************

If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.

Do
setsebool -P selinuxuser_execheap 1

*****  Plugin catchall (5.76 confidence) suggests   **************************

If you believe that ThreadPoolForeg should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg
# semodule -X 300 -i my-ThreadPoolForeg.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        ThreadPoolForeg
Source Path                   ThreadPoolForeg
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.23-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.23-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.9.5-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Jun 16 15:47:09 UTC 2024
                              x86_64
Alert Count                   440
First Seen                    2024-06-28 16:56:47 EDT
Last Seen                     2024-06-28 16:56:50 EDT
Local ID                      44cef487-58f2-458b-9a54-b1866eeb1a6c

Raw Audit Messages
type=AVC msg=audit(1719608210.681:1527): avc:  denied  { execheap } for  pid=168745 comm="drawio" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: ThreadPoolForeg,unconfined_t,unconfined_t,process,execheap

Version-Release number of selected component:
selinux-policy-targeted-40.23-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
component:      selinux-policy
comment:        started Draw.io Flathub image
reason:         SELinux is preventing ThreadPoolForeg from using the 'execheap' accesses on a process.
type:           libreport
kernel:         6.9.5-200.fc40.x86_64
package:        selinux-policy-targeted-40.23-1.fc40.noarch
hashmarkername: setroubleshoot
component:      selinux-policy

Comment 1 Subhendu Ghosh 2024-06-28 21:00:29 UTC

Created attachment 2038485 [details]
File: description

Comment 2 Subhendu Ghosh 2024-06-28 21:00:31 UTC

Created attachment 2038486 [details]
File: os_info

Comment 3 Zdenek Pytela 2024-07-01 07:11:41 UTC

The Linux implementation of mprotect (unlike POSIX) allows changing the access protection of memory on the heap, e. g. allocated using malloc. This AVC denial indicates that heap memory was supposed to be made executable. While the permission can be granted turning the selinuxuser_execheap boolean on as suggested by setroubleshoot, it should not be done without a thorough code review as in most cases it indicates a bug in the code and you should consider reporting a bug on the related component. If anonymous executable memory is needed, another method should be considered, e. g. allocating memory using mmap.

Please refer to the boolean description:

  # semanage boolean -l|grep execheap
selinuxuser_execheap           (off  ,  off)  Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

Comment 4 Zdenek Pytela 2024-07-11 17:27:07 UTC


*** This bug has been marked as a duplicate of bug 2254434 ***

Note You need to log in before you can comment on or make changes to this bug.