Bug 427161 - denial setting heap access protection in ld-27.so
Summary: denial setting heap access protection in ld-27.so
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
Version: 8
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-01-01 17:29 UTC by kincaid
Modified: 2008-02-26 22:38 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-02-26 22:38:59 UTC


Description kincaid 2008-01-01 17:29:05 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

    SELinux is preventing /lib/ld-2.7.so from changing the access protection of
    memory on the heap.

Detailed Description
    The /lib/ld-2.7.so application attempted to change the access protection of
    memory on the heap (e.g., allocated using malloc).  This is a potential
    security problem.  Applications should not be doing this. Applications are
    sometimes coded incorrectly and request this permission.  The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how to
    remove this requirement.  If /lib/ld-2.7.so does not work and you need it to
    work, you can configure SELinux temporarily to allow this access until the
    application is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you want /lib/ld-2.7.so to continue, you must turn on the allow_execheap
    boolean.  Note: This boolean will affect all applications on the system.

    The following command will allow this access:
    setsebool -P allow_execheap=1

Additional Information        

Source Context                unconfined_u:unconfined_r:unconfined_crond_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_crond_t:s0
Target Objects                None [ process ]
Affected RPM Packages         glibc-2.7-2 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execheap
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain #1 SMP
                              Tue Oct 30 13:55:12 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Tue 01 Jan 2008 08:18:12 AM EST
Last Seen                     Tue 01 Jan 2008 08:18:12 AM EST
Local ID                      3cc8eab5-96d0-4f36-9dc3-3df15b37b320
Line Numbers                  

Raw Audit Messages            

avc: denied { execheap } for comm=ld-linux.so.2 egid=0 euid=0 exe=/lib/ld-2.7.so
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20957
scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 sgid=0
subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 suid=0 tclass=process
tcontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tty=(none) uid=0
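The memory operation the alert above describes is a process asking the kernel to make brk-heap memory executable, which the SELinux hook checks under the process permission named in the audit record (execheap). The program below is an added example written for this page; it is not code from glibc, ld.so, or the reporter's system, and the function names try_exec_heap and try_exec_anon_mapping are its own. It assumes Linux with glibc: on a host running the targeted policy in enforcing mode with allow_execheap off, the first call fails with EACCES (the exit=-13 in the raw audit message); on a host without that restriction it succeeds. The second function shows the mapping style that does not hit execheap at all, which is the kind of change the selinux-mem.html page asks application authors to make.

```c
/* Added example: reproduce the operation SELinux reports as "execheap",
 * i.e. mprotect() adding PROT_EXEC to a page inside the brk heap.
 * Illustrative code for this bug report, not glibc/ld.so code. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to add PROT_EXEC to one page of brk-heap memory.
 * Returns 0 if the kernel allowed it, otherwise the errno from mprotect().
 * Under SELinux enforcing with allow_execheap=0 this is EACCES; on a host
 * without that restriction it is 0. */
int try_exec_heap(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return errno ? errno : EINVAL;

    /* Grow the program break by two pages so a page-aligned address is
     * guaranteed to lie inside [start_brk, brk), the exact region the
     * execheap check covers (malloc'd memory from the main arena is there
     * too, but is not page-aligned, so sbrk() is used directly). */
    void *raw = sbrk(2 * page);
    if (raw == (void *)-1)
        return errno;
    uintptr_t aligned = ((uintptr_t)raw + page - 1) & ~(uintptr_t)(page - 1);

    if (mprotect((void *)aligned, page, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return errno;

    /* Restore the original protection; leave nothing executable behind. */
    mprotect((void *)aligned, page, PROT_READ | PROT_WRITE);
    return 0;
}

/* The alternative an application should use: a private anonymous mapping
 * that is written first and only then switched to read+execute.  This is
 * outside the brk region, so execheap never applies; SELinux checks it
 * under the separate execmem permission (allow_execmem boolean) instead.
 * Returns 0 on success, otherwise errno. */
int try_exec_anon_mapping(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return errno ? errno : EINVAL;
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memset(p, 0xc3, (size_t)page);      /* constructed content: x86 'ret' bytes */
    int rc = mprotect(p, (size_t)page, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, (size_t)page);
    return rc;
}

int main(void)
{
    int rc = try_exec_heap();
    if (rc == 0)
        puts("heap page made executable: no execheap restriction in effect");
    else
        printf("mprotect on heap failed: %s (execheap denial if SELinux is enforcing)\n",
               strerror(rc));

    rc = try_exec_anon_mapping();
    printf("anonymous RW -> RX mapping: %s\n", rc == 0 ? "ok" : strerror(rc));
    return 0;
}
```

Build with gcc and run it once with the boolean off and once after setsebool -P allow_execheap=1 to see the first result change from EACCES to success; the corresponding AVC record can be pulled from the audit log with ausearch -m avc. The second result is unaffected by allow_execheap, which is the practical difference between the two calls.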

Comment 1 Jon Stanley 2008-01-01 17:37:23 UTC
Making subject sane, reassigning to policy.

Did you implement the workaround suggested in the error message?  This should
allow whatever was denied to succeed.

Moreover, what exactly is the cron job that you are attempting to execute (i.e.
what are you trying to do).  This may help.

Comment 2 Daniel Walsh 2008-01-03 16:14:42 UTC
Is this a cron job run by a user?

Comment 3 kincaid 2008-01-09 07:31:38 UTC
download then apply updates

is when it happens

Comment 4 Daniel Walsh 2008-02-26 22:38:59 UTC
I am going to mark this as fixed in the latest release.  I have not heard of
this happening since.
