Bug 253374 - Selinux runs after being disabled?
Selinux runs after being disabled?
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-08-18 10:36 EDT by Troy Deierling
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-18 14:21:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Troy Deierling 2007-08-18 10:36:28 EDT
Running rawhide on Dell 64bit Vostro 1500 notebook.  I've disabled selinux but
it still runs?  Went to install IE6 via crossover and it popped up still. 
Here's a copy of the alert and my config file.

    SELinux is preventing /home/troy/cxoffice/bin/cxglibc-check from changing a
    writable memory segment executable.

Detailed Description
    The /home/troy/cxoffice/bin/cxglibc-check application attempted to change
    the access protection of memory (e,g., allocated using malloc).  This is a
    potential security problem.  Applications should not be doing this.
    Applications are sometimes coded incorrectly and request this permission.
    The http://people.redhat.com/drepper/selinux-mem.html web page explains how
    to remove this requirement.  If /home/troy/cxoffice/bin/cxglibc-check does
    not work and you need it to work, you can configure SELinux temporarily to
    allow this access until the application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /home/troy/cxoffice/bin/cxglibc-check to run correctly, you can
    change the context of the executable to unconfined_execmem_exec_t. "chcon -t
    unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check". You must
    also change the default file context files on the system in order to
    preserve them even on a full relabel.  "semanage fcontext -a -t
    unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check

Additional Information        

Source Context                system_u:system_r:unconfined_t
Target Context                system_u:system_r:unconfined_t
Target Objects                None [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.5-7.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.allow_execmem
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.23-0.110.rc3.git1.fc8 #1 SMP Wed Aug 15
                              17:59:11 EDT 2007 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 17 Aug 2007 08:49:11 PM EDT
Last Seen                     Sat 18 Aug 2007 10:02:37 AM EDT
Local ID                      e3a67a24-53ed-4a03-874d-adb0b1bc4337
Line Numbers                  

Raw Audit Messages            

avc: denied { execmem } for comm="cxglibc-check" egid=500 euid=500
exe="/home/troy/cxoffice/bin/cxglibc-check" exit=0 fsgid=500 fsuid=500 gid=500
items=0 pid=3246 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

Here's a copy of my config file

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.

# SETLOCALDEFS= Check local definition changes
Comment 1 Troy Deierling 2007-08-18 10:41:49 EDT
Install went fine after running
chcon -t unconfined_execmem_exec_t /home/troy/cxoffice/bin/cxglibc-check

Comment 2 Troy Deierling 2007-08-18 14:21:09 EDT
Disregard, it was a typo in the config.  Sorry!

Note You need to log in before you can comment on or make changes to this bug.