Description of problem:
SELinux denial for ia32el service

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-188.el5

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 5.3 snap #4 on ia64
2. Install ia32el from the supplementary CD
3. Start the ia32el service

Actual results:
/sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/2/2008 8:55:3
----
time->Tue Dec 2 08:55:17 2008
type=SYSCALL msg=audit(1228226117.016:19): arch=c0000032 syscall=1027 success=no exit=-13 a0=5 a1=200000000000c000 a2=1e a3=220 items=0 ppid=4187 pid=4192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="is_ia32el" exe="/usr/lib/ia32el/ia32x_loader" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1228226117.016:19): avc: denied { dyntransition } for pid=4192 comm="is_ia32el" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

Expected results:
No SELinux denials

Additional info:
ia32el is used to provide a 32-bit emulation layer on ia64 machines.
Is the allow_unconfined_execmem_dyntrans boolean turned on?

getsebool allow_unconfined_execmem_dyntrans
setsebool -P allow_unconfined_execmem_dyntrans 1
# getsebool allow_unconfined_execmem_dyntrans
allow_unconfined_execmem_dyntrans --> off

This is the default behaviour. The ia32el package doesn't contain any documentation, and I'm not aware of any that mentions we need to turn on this boolean flag.
The package should either turn this on or at least document it needs to be turned on.
I'm wondering why the allow_execmem boolean is 'off'. I think on RHEL5, by default, this value is 'on'. Did you turn this boolean off explicitly? Check with:

# getsebool allow_execmem
# getsebool allow_execmem
allow_execmem --> on

This is the default.
Oh, the story is like this: by default on EL5, allow_execmem is 'on', so even if 'allow_unconfined_execmem_dyntrans' is 'off' and the dynamic transition of ia32el fails as you found, there will be no problem for ia32el to support 32-bit emulation. Only if both allow_execmem and allow_unconfined_execmem_dyntrans are 'off' will ia32el fail to support 32-bit emulation. We will include this in the documentation for the new release.
Or put the changing of the boolean in the post-install of your package. I don't want to change this for all of the policy, since it can be considered dangerous.
Well, if we put setsebool into the post-install script, and the admin changes the setting later, we are back to square one. So while it would be good to do that, the documentation should cover this in any case. Given how late in release cycle we are, going with the documentation only may be the sane way out.
... also it might be a good idea to include the documentation bit into release notes. I seem to recall there was a bugzilla keyword to be used if there was a release notes-worthy material, but can't find it on the intranet or in my mail archives. Anyone knows what that was? I'll attach proposed wording itself shortly.
Aha, ReleaseNotes. Why not look into the Keywords link in the first place.
Proposed wording of release note attached. This will obviously have to be reviewed by technical writer person to be polished. Tim Burke has expressed an opinion that the right thing to do at this point in time is to only document the behaviour in release notes, so that we don't have to pass the package through QA. That makes sense, to publish the documentation fix you would have to rebuild the whole package anyway, and proper QA would therefore be required.
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: For IA-32 Execution Layer platform to operate properly on SELinux-enabled machine, either allow_unconfined_execmem_dyntrans, or allow_execmem SELinux booleans need to be turned on. If the former is turned off, but the latter is on, you will be getting AVC denials, but IA-32 Execution Layer will have no problem supporting emulation of 32-bit applications. Only if both of the above booleans are turned off, the emulation will fail to work.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1 @@ -For IA-32 Execution Layer platform to operate properly on SELinux-enabled machine, either allow_unconfined_execmem_dyntrans, or allow_execmem SELinux booleans need to be turned on. If the former is turned off, but the latter is on, you will be getting AVC denials, but IA-32 Execution Layer will have no problem supporting emulation of 32-bit applications. Only if both of the above booleans are turned off, the emulation will fail to work.+On Intel Itanium-based systems running SELinux in enforcing mode, either the "allow_unconfined_execmem_dyntrans" or "allow_execmem" Booleans must be turned on to allow the IA-32 Execution Layer (the ia32el service) to operate correctly. If the "allow_unconfined_execmem_dyntrans" Boolean is off, but the "allow_execmem" Boolean is on, which it is by default in Red Hat Enterprise Linux 5, the ia32el service supports 32-bit emulation; however, if both Booleans are off, emulation fails.
Intel will also include this content in the ia-32el release note.
Since we are doing a rebase, we may just as well document the solution in README of the new package, and also switch that boolean in post-install script. Or maybe rather change the startup script of ia32el so that it checks if any of the two booleans mentioned in comment #7 are on, and writes a warning if not. I don't really like the idea that the package changes something like this on a whim, and really, if the admin changes it back after the installation is done, we still need a way to diagnose the condition. In any case, release note then will not be necessary.
To Eric Lin: Our QE revealed that the only boolean that, in fact, influences whether or not the AVC will be generated is allow_unconfined_execmem_dyntrans. If that one is turned on, no AVC will be generated. But allow_execmem can be on or off, and the result (whether the AVC is generated or not) is the same. Also, even in Enforcing mode, and when both booleans are off, the binaries that the QE tested worked (albeit with AVCs). Are there any special conditions that must be met for a wrong boolean setting to prevent the emulation?

# getsebool allow_execmem allow_unconfined_execmem_dyntrans
allow_execmem --> off
allow_unconfined_execmem_dyntrans --> off
# getenforce
Enforcing
# file ./a.out
./a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, statically linked, for GNU/Linux 2.6.9, not stripped
# uname -i
ia64
# ./a.out
yay
I did an experiment on RHEL5.2 and found that the switch allow_execstack has some additional interference with the two other switches: if allow_execstack is on, then ia32el can always work regardless of the values of the other switches. This means allow_execstack=on implies allow_execmem=on. So the last problem may be that allow_execstack is turned on. Can you please check this?
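An added example of the start-up check proposed in comment 16, using the three-boolean rule from comment 18 and the final release note. This is not code from the ia32el package or from this bug; the function names, the status words ("clean", "avc-only", "fail") and the sample getsebool output are constructed for the example. The audit lines are the ones quoted in the report above. Note the caveat from comment 17: QE saw the tested binary run in Enforcing mode with allow_execmem and allow_unconfined_execmem_dyntrans both off, so "fail" here means "expected to fail according to the release note", not a guaranteed failure; what the check can say with confidence is whether the dyntransition AVC will be logged (only allow_unconfined_execmem_dyntrans suppresses it).

```shell
#!/bin/sh
# Added example: ia32el init-script SELinux pre-flight check (constructed, not
# the package's own script). Pure functions take command output as arguments so
# the logic can be exercised without SELinux present.

# Value ("on"/"off") of one boolean from getsebool-style "name --> value" output.
bool_value() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b && $2 == "-->" { print $3; exit }'
}

# Classify the SELinux state for ia32el.
# $1 = getsebool output for the three booleans, $2 = getenforce output.
# Prints one constructed status word:
#   clean     no dyntransition AVC expected (dyntrans boolean on, or SELinux disabled)
#   avc-only  an AVC is logged, but emulation is expected to keep working
#   fail      Enforcing with no relevant boolean on: release note says emulation fails
ia32el_selinux_status() {
    bools="$1"; mode="$2"
    dyn=$(bool_value "$bools" allow_unconfined_execmem_dyntrans)
    mem=$(bool_value "$bools" allow_execmem)
    stack=$(bool_value "$bools" allow_execstack)
    if [ "$mode" = Disabled ] || [ "$dyn" = on ]; then
        echo clean
    elif [ "$mode" = Permissive ] || [ "$mem" = on ] || [ "$stack" = on ]; then
        echo avc-only
    else
        echo fail
    fi
}

# Recognise the exact denial from the report in an audit record (yes/no).
is_ia32el_dyntrans_avc() {
    case "$1" in
        *'avc: denied { dyntransition }'*'comm="is_ia32el"'*'tclass=process'*) echo yes ;;
        *) echo no ;;
    esac
}

# For use from the real init script: query the running system and warn.
ia32el_selinux_warn() {
    if ! command -v getsebool >/dev/null 2>&1 || ! command -v getenforce >/dev/null 2>&1; then
        echo "ia32el: SELinux tools not found, skipping boolean check"
        return 0
    fi
    bools=$(getsebool allow_unconfined_execmem_dyntrans allow_execmem allow_execstack 2>/dev/null)
    case "$(ia32el_selinux_status "$bools" "$(getenforce)")" in
        avc-only) echo "ia32el: warning: allow_unconfined_execmem_dyntrans is off; expect dyntransition AVC denials" ;;
        fail)     echo "ia32el: warning: SELinux is Enforcing and none of allow_unconfined_execmem_dyntrans, allow_execmem, allow_execstack is on" ;;
    esac
    return 0
}

# Constructed sample getsebool output (the reporter's host had dyntrans off and
# execmem on; allow_execstack values below are made up for the example).
SAMPLE_REPORTER='allow_unconfined_execmem_dyntrans --> off
allow_execmem --> on
allow_execstack --> off'
SAMPLE_ALL_OFF='allow_unconfined_execmem_dyntrans --> off
allow_execmem --> off
allow_execstack --> off'
SAMPLE_DYN_ON='allow_unconfined_execmem_dyntrans --> on
allow_execmem --> off
allow_execstack --> off'

# Audit records copied from the bug report.
SAMPLE_AVC='type=AVC msg=audit(1228226117.016:19): avc: denied { dyntransition } for pid=4192 comm="is_ia32el" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process'
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1228226117.016:19): arch=c0000032 syscall=1027 success=no exit=-13 comm="is_ia32el" exe="/usr/lib/ia32el/ia32x_loader" subj=system_u:system_r:initrc_t:s0 key=(null)'

ia32el_selinux_status "$SAMPLE_REPORTER" Enforcing   # prints: avc-only
ia32el_selinux_status "$SAMPLE_ALL_OFF" Enforcing    # prints: fail
is_ia32el_dyntrans_avc "$SAMPLE_AVC"                 # prints: yes
```

Dropping ia32el_selinux_warn into the service's start action (before the loader is registered) gives the admin the diagnostic comment 16 asks for, even if the boolean is changed back after installation; the check only warns and never calls setsebool itself.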
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1,3 @@ -On Intel Itanium-based systems running SELinux in enforcing mode, either the "allow_unconfined_execmem_dyntrans" or "allow_execmem" Booleans must be turned on to allow the IA-32 Execution Layer (the ia32el service) to operate correctly. If the "allow_unconfined_execmem_dyntrans" Boolean is off, but the "allow_execmem" Boolean is on, which it is by default in Red Hat Enterprise Linux 5, the ia32el service supports 32-bit emulation; however, if both Booleans are off, emulation fails.+On Intel Itanium-based systems running SELinux in enforcing mode, the "allow_unconfined_execmem_dyntrans", "allow_execmem" and "allow_execstack" Booleans must be turned on to allow the IA-32 Execution Layer (the ia32el service) to operate correctly. + +If either the "allow_execmem" or "allow_execstack" Booleans are on, the ia32el service will still be able to support the emulation, but an AVC denial may occur.
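Review bot: the two new sentences contradict each other: the first says all three Booleans "must be turned on" for ia32el to operate correctly, while the second says the service still supports emulation when only "allow_execmem" or "allow_execstack" is on. Comment 17 also reports that QE ran a 32-bit binary in Enforcing mode with allow_execmem and allow_unconfined_execmem_dyntrans both off, and that only allow_unconfined_execmem_dyntrans affects whether the AVC is logged. Suggest rewording the first sentence to say which Boolean does what, e.g. 'Turning on "allow_unconfined_execmem_dyntrans" prevents the dyntransition AVC denial; with only "allow_execmem" or "allow_execstack" on, the ia32el service still supports 32-bit emulation but an AVC denial is logged.'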
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1271.html
*** Bug 660691 has been marked as a duplicate of this bug. ***