Red Hat Bugzilla – Bug 253374
Selinux runs after being disabled?
Last modified: 2007-11-30 17:12:13 EST
Running rawhide on Dell 64bit Vostro 1500 notebook. I've disabled selinux but it still runs? Went to install IE6 via crossover and it popped up still. Here's a copy of the alert and my config file. Summary SELinux is preventing /home/troy/cxoffice/bin/cxglibc-check from changing a writable memory segment executable. Detailed Description The /home/troy/cxoffice/bin/cxglibc-check application attempted to change the access protection of memory (e,g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. If /home/troy/cxoffice/bin/cxglibc-check does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access If you trust /home/troy/cxoffice/bin/cxglibc-check to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check" The following command will allow this access: chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check Additional Information Source Context system_u:system_r:unconfined_t Target Context system_u:system_r:unconfined_t Target Objects None [ process ] Affected RPM Packages Policy RPM selinux-policy-3.0.5-7.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name plugins.allow_execmem Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23-0.110.rc3.git1.fc8 #1 SMP Wed Aug 15 17:59:11 EDT 2007 x86_64 x86_64 Alert Count 3 First Seen Fri 17 Aug 2007 08:49:11 PM EDT Last Seen Sat 18 Aug 2007 10:02:37 AM EDT Local ID e3a67a24-53ed-4a03-874d-adb0b1bc4337 Line Numbers Raw Audit Messages avc: denied { execmem } for comm="cxglibc-check" egid=500 euid=500 exe="/home/troy/cxoffice/bin/cxglibc-check" exit=0 fsgid=500 fsuid=500 gid=500 items=0 pid=3246 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 ============ Here's a copy of my config file # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=diabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted # SETLOCALDEFS= Check local definition changes SETLOCALDEFS=0
Install went fine after running chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check
Disregard, it was a typo in the config. Sorry!