Bug 253374 - Selinux runs after being disabled?
Summary: Selinux runs after being disabled?
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 8
Hardware: x86_64 Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-08-18 14:36 UTC by Troy Deierling
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-18 18:21:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Troy Deierling 2007-08-18 14:36:28 UTC
Running rawhide on Dell 64bit Vostro 1500 notebook.  I've disabled selinux but
it still runs?  Went to install IE6 via crossover and it popped up still. 
Here's a copy of the alert and my config file.

    SELinux is preventing /home/troy/cxoffice/bin/cxglibc-check from changing a
    writable memory segment executable.

Detailed Description
    The /home/troy/cxoffice/bin/cxglibc-check application attempted to change
    the access protection of memory (e,g., allocated using malloc).  This is a
    potential security problem.  Applications should not be doing this.
    Applications are sometimes coded incorrectly and request this permission.
    The http://people.redhat.com/drepper/selinux-mem.html web page explains how
    to remove this requirement.  If /home/troy/cxoffice/bin/cxglibc-check does
    not work and you need it to work, you can configure SELinux temporarily to
    allow this access until the application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /home/troy/cxoffice/bin/cxglibc-check to run correctly, you can
    change the context of the executable to unconfined_execmem_exec_t. "chcon -t
    unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check". You must
    also change the default file context files on the system in order to
    preserve them even on a full relabel.  "semanage fcontext -a -t
    unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check

Additional Information        

Source Context                system_u:system_r:unconfined_t
Target Context                system_u:system_r:unconfined_t
Target Objects                None [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.5-7.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.allow_execmem
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.23-0.110.rc3.git1.fc8 #1 SMP Wed Aug 15
                              17:59:11 EDT 2007 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 17 Aug 2007 08:49:11 PM EDT
Last Seen                     Sat 18 Aug 2007 10:02:37 AM EDT
Local ID                      e3a67a24-53ed-4a03-874d-adb0b1bc4337
Line Numbers                  

Raw Audit Messages            

avc: denied { execmem } for comm="cxglibc-check" egid=500 euid=500
exe="/home/troy/cxoffice/bin/cxglibc-check" exit=0 fsgid=500 fsuid=500 gid=500
items=0 pid=3246 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

Here's a copy of my config file

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.

# SETLOCALDEFS= Check local definition changes

Comment 1 Troy Deierling 2007-08-18 14:41:49 UTC
Install went fine after running
chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check

Comment 2 Troy Deierling 2007-08-18 18:21:09 UTC
Disregard, it was a typo in the config.  Sorry!

Note You need to log in before you can comment on or make changes to this bug.