Bug 474152 - SELinux denial for ia32el
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ia32el
Version: 5.3
Hardware: ia64 Linux
Priority: high
Severity: medium
Target Milestone: rc
Assigned To: Petr Machata
QA Contact: BaseOS QE
Keywords: ReleaseNotes, Reopened
Duplicates: 660691
Blocks: RHEL5u3_relnotes 5.4/TechnicalNotes
Reported: 2008-12-02 09:54 EST by Alexander Todorov
Modified: 2015-05-04 21:34 EDT (History)
CC: 6 users

Doc Type: Bug Fix
Doc Text:
On Intel Itanium-based systems running SELinux in enforcing mode, the "allow_unconfined_execmem_dyntrans", "allow_execmem" and "allow_execstack" Booleans must be turned on to allow the IA-32 Execution Layer (the ia32el service) to operate correctly. If either the "allow_execmem" or "allow_execstack" Boolean is on, the ia32el service will still be able to support the emulation, but an AVC denial may occur.
Last Closed: 2009-09-02 05:24:36 EDT


Description Alexander Todorov 2008-12-02 09:54:47 EST
Description of problem:
SELinux denial for ia32el service

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-188.el5

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 5.3 snap #4 on ia64
2. Install ia32el from the supplementary CD
3. start ia32el service
  
Actual results:
/sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/2/2008 8:55:3
----
time->Tue Dec  2 08:55:17 2008
type=SYSCALL msg=audit(1228226117.016:19): arch=c0000032 syscall=1027 success=no exit=-13 a0=5 a1=200000000000c000 a2=1e a3=220 items=0 ppid=4187 pid=4192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="is_ia32el" exe="/usr/lib/ia32el/ia32x_loader" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1228226117.016:19): avc:  denied  { dyntransition } for  pid=4192 comm="is_ia32el" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

Expected results:
No SELinux denials 

Additional info:
ia32el is used to provide 32bit emulation layer on ia64 machines.
Comment 2 Daniel Walsh 2008-12-02 10:46:26 EST
Is the allow_unconfined_execmem_dyntrans boolean turned on?

getsebool allow_unconfined_execmem_dyntrans

setsebool -P allow_unconfined_execmem_dyntrans 1
Comment 3 Alexander Todorov 2008-12-03 03:47:32 EST
# getsebool allow_unconfined_execmem_dyntrans
allow_unconfined_execmem_dyntrans --> off

This is the default behavior.

ia32el package doesn't contain any documentation and I'm not aware of such that mentions we need to turn on this boolean flag.
Comment 4 Daniel Walsh 2008-12-03 08:26:35 EST
The package should either turn this on or at least document it needs to be turned on.
Comment 5 Eric Lin 2008-12-04 00:46:04 EST
I'm wondering why the policy allow_execmem is 'off'.
I think on RHEL5, by default this value is 'on'.
Did you turn this policy off explicitly?
  Check with
  # getsebool allow_execmem
Comment 6 Alexander Todorov 2008-12-04 03:23:52 EST
# getsebool allow_execmem
allow_execmem --> on

This is the default.
Comment 7 Eric Lin 2008-12-04 04:50:38 EST
Oh, the story is like this:
By default on EL5, allow_execmem is 'on', so
even if 'allow_unconfined_execmem_dyntrans' is 'off' and
the dynamic transition of ia32el fails as you found,
there will be no problem for ia32el supporting 32-bit emulation.
  Only if both allow_execmem and allow_unconfined_execmem_dyntrans
are 'off' will ia32el fail to support 32-bit emulation.

We will include this in documents for new release.
Comment 8 Daniel Walsh 2008-12-04 08:41:35 EST
Or put the changing of the boolean in the post install of your package.  I don't want to change this for all of policy since it can be considered dangerous.
Comment 9 Petr Machata 2008-12-04 09:31:17 EST
Well, if we put setsebool into the post-install script, and the admin changes the setting later, we are back to square one.  So while it would be good to do that, the documentation should cover this in any case.  Given how late in release cycle we are, going with the documentation only may be the sane way out.
Comment 10 Petr Machata 2008-12-04 09:52:34 EST
... also it might be a good idea to include the documentation bit into release notes.  I seem to recall there was a bugzilla keyword to be used if there was release notes-worthy material, but can't find it on the intranet or in my mail archives.  Does anyone know what that was?

I'll attach proposed wording itself shortly.
Comment 11 Petr Machata 2008-12-04 09:54:01 EST
Aha, ReleaseNotes.  Why not look into Keywords link in the first place.
Comment 12 Petr Machata 2008-12-04 10:17:14 EST
Proposed wording of release note attached.  This will obviously have to be reviewed by technical writer person to be polished.

Tim Burke has expressed an opinion that the right thing to do at this point in time is to only document the behaviour in release notes, so that we don't have to pass the package through QA.  That makes sense, to publish the documentation fix you would have to rebuild the whole package anyway, and proper QA would therefore be required.
Comment 13 Petr Machata 2008-12-04 10:17:14 EST
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
For the IA-32 Execution Layer platform to operate properly on an SELinux-enabled machine, either the allow_unconfined_execmem_dyntrans or the allow_execmem SELinux boolean needs to be turned on.  If the former is turned off but the latter is on, you will be getting AVC denials, but the IA-32 Execution Layer will have no problem supporting emulation of 32-bit applications.  Only if both of the above booleans are turned off will the emulation fail to work.
Comment 15 Ryan Lerch 2008-12-04 18:42:57 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1 @@
-For IA-32 Execution Layer platform to operate properly on SELinux-enabled machine, either allow_unconfined_execmem_dyntrans, or allow_execmem SELinux booleans need to be turned on.  If the former is turned off, but the latter is on, you will be getting AVC denials, but IA-32 Execution Layer will have no problem supporting emulation of 32-bit applications.  Only if both of the above booleans are turned off, the emulation will fail to work.+On Intel Itanium-based systems running SELinux in enforcing mode, either the "allow_unconfined_execmem_dyntrans" or "allow_execmem" Booleans must be turned on to allow the IA-32 Execution Layer (the ia32el service) to operate correctly. If the "allow_unconfined_execmem_dyntrans" Boolean is off, but the "allow_execmem" Boolean is on, which it is by default in Red Hat Enterprise Linux 5, the ia32el service supports 32-bit emulation; however, if both Booleans are off, emulation fails.
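Review bot: the `+` text states that emulation fails when both Booleans are off, but the only support for that on this bug is comment 7's description, and comment 20 later reports a statically linked 32-bit a.out running in Enforcing mode with both allow_execmem and allow_unconfined_execmem_dyntrans off, with only AVCs logged. Suggest qualifying "emulation fails" or describing the observable symptom instead, e.g. "an AVC denial for { dyntransition } is logged".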
Comment 16 Eric Lin 2008-12-04 21:46:34 EST
Intel will also include this content in the ia-32el release note.
Comment 17 Petr Machata 2009-02-17 12:03:41 EST
Since we are doing a rebase, we may just as well document the solution in README of the new package, and also switch that boolean in post-install script.

Or maybe rather change the startup script of ia32el so that it checks if either of the two booleans mentioned in comment #7 is on, and writes a warning if not.  I don't really like the idea that the package changes something like this on a whim, and really, if the admin changes it back after the installation is done, we still need a way to diagnose the condition.

In any case, the release note will then not be necessary.
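The startup check proposed in comment 17, together with a parser for the AVC record from the original report, as an added example that is not the ia32el package's own init script. The check takes getsebool-style output as an argument so it runs without SELinux tools; a real init script would pass "$(getsebool allow_execmem allow_unconfined_execmem_dyntrans)" instead.

```shell
#!/bin/sh
# Added example, not code from the ia32el package. Sample inputs below are
# copied from the bug report so the functions can be exercised offline.

# Exit status: 0 = allow_unconfined_execmem_dyntrans is on, no AVC expected;
# 1 = it is off but allow_execmem is on (emulation works, AVC is logged);
# 2 = both are off. A warning goes to stderr for the non-zero cases.
check_ia32el_booleans() {
    dyntrans=$(printf '%s\n' "$1" | awk '$1 == "allow_unconfined_execmem_dyntrans" { print $3 }')
    execmem=$(printf '%s\n' "$1" | awk '$1 == "allow_execmem" { print $3 }')
    if [ "$dyntrans" = "on" ]; then
        return 0
    fi
    if [ "$execmem" = "on" ]; then
        echo "ia32el: allow_unconfined_execmem_dyntrans is off; expect an AVC denied { dyntransition }" >&2
        return 1
    fi
    echo "ia32el: allow_execmem and allow_unconfined_execmem_dyntrans are both off;" \
         "fix with: setsebool -P allow_unconfined_execmem_dyntrans 1" >&2
    return 2
}

# Print "<permission> <tclass> <scontext> <tcontext>" for one AVC audit line,
# which is enough to match the denial against the known ia32el case.
parse_avc() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([a-z_]*\) *}.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([a-z_]*\).*/\1 \4 \2 \3/p'
}

# getsebool output as reported in comments 3 and 6 (RHEL 5.3 defaults).
SAMPLE_BOOLS='allow_execmem --> on
allow_unconfined_execmem_dyntrans --> off'
# The AVC record from the original report.
SAMPLE_AVC='type=AVC msg=audit(1228226117.016:19): avc:  denied  { dyntransition } for  pid=4192 comm="is_ia32el" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process'

check_ia32el_booleans "$SAMPLE_BOOLS" || echo "check status: $?"   # returns 1 for this sample
parse_avc "$SAMPLE_AVC"   # dyntransition process system_u:system_r:initrc_t:s0 system_u:system_r:initrc_t:s0
```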
Comment 20 Petr Machata 2009-06-23 08:28:28 EDT
To Eric Lin:

Our QE revealed that the only boolean that, in fact, influences whether or not the AVC will be generated, is allow_unconfined_execmem_dyntrans.  If that one is turned on, no AVC will be generated.  But allow_execmem can be on or off, and the result (whether the AVC is generated or not) is the same.

Also, even in Enforcing mode, and when both booleans are off, the binaries that the QE tested worked (albeit with AVCs).  Are there any special conditions that must be met for a wrong boolean setting to prevent the emulation?

# getsebool allow_execmem allow_unconfined_execmem_dyntrans
allow_execmem --> off
allow_unconfined_execmem_dyntrans --> off
# getenforce 
Enforcing
# file ./a.out 
./a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, statically linked, for GNU/Linux 2.6.9, not stripped
# uname -i
ia64
# ./a.out 
yay
Comment 21 Eric Lin 2009-06-24 22:40:56 EDT
I did an experiment on RHEL5.2 and found the switch allow_execstack has some additional interference with the two other switches:
if allow_execstack is on, then ia32el can always work regardless of the values of the other switches; this means allow_execstack=on implies allow_execmem=on.

So the last problem may be that allow_execstack is turned on. Can you please check on this?
Comment 25 Petr Machata 2009-07-13 18:34:11 EDT
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1,3 @@
-On Intel Itanium-based systems running SELinux in enforcing mode, either the "allow_unconfined_execmem_dyntrans" or "allow_execmem" Booleans must be turned on to allow the IA-32 Execution Layer (the ia32el service) to operate correctly. If the "allow_unconfined_execmem_dyntrans" Boolean is off, but the "allow_execmem" Boolean is on, which it is by default in Red Hat Enterprise Linux 5, the ia32el service supports 32-bit emulation; however, if both Booleans are off, emulation fails.+On Intel Itanium-based systems running SELinux in enforcing mode, the "allow_unconfined_execmem_dyntrans", "allow_execmem" and "allow_execstack" Booleans must be turned on to allow the IA-32 Execution Layer (the ia32el service) to operate correctly. 
+
+If either the "allow_execmem" or "allow_execstack" Booleans are on, the ia32el service will still be able to support the emulation, but an AVC denial may occur.
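Review bot: the first `+` line says all three Booleans "must be turned on", while the third `+` line says the service still supports emulation when only allow_execmem or allow_execstack is on, so the two statements conflict; comment 20 also found that only allow_unconfined_execmem_dyntrans determines whether the AVC is generated. Suggest stating that allow_unconfined_execmem_dyntrans must be on to avoid the AVC denial, and that with it off emulation still works when allow_execmem or allow_execstack is on but an AVC denial is logged. Also "If either ... Booleans are on" should read "If either ... Boolean is on".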
Comment 28 errata-xmlrpc 2009-09-02 05:24:36 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1271.html
Comment 29 Alexander Todorov 2010-12-07 11:00:05 EST
*** Bug 660691 has been marked as a duplicate of this bug. ***
