529757 – Fix up gcl SELinux code.

Bug 529757 - Fix up gcl SELinux code.

Summary: Fix up gcl SELinux code.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gcl
Sub Component:
Version:	12
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Jerry James
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-10-19 19:56 UTC by Daniel Walsh
Modified:	2009-11-19 18:17 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-11-19 18:17:24 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Walsh 2009-10-19 19:56:29 UTC

Description of problem:

You gcl policy will not work with confined users.

It will not allow me to disable the unconfined policy module.

Please change it to 

optional_policy(`
	unconfined_domain(gcl_t)
')

Is this really required?

allow gcl_t self:memprotect mmap_zero;

If yes, the policy should be

domain_mmap_low_type(gcl_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low(gcl_t)
')

Comment 1 Eric Paris 2009-10-19 20:09:15 UTC

I STRONGLY suggest you figure out what what is requiring mmap_zero

mmap(NULL, ..., MAP_FIXED, ...

and rework your code.  That's a very bad idea to allow for security reasons and something Linux does not allow regular users (even without selinux) do by default.

Comment 2 Eric Paris 2009-10-19 20:15:24 UTC

(unrelated note but dan showed me your policy out of band)

execheap?  you know that isn't POSIX complaint? (it's actually forbidden by POSIX)  You really should be using mmap with PROT_EXEC. 

http://people.redhat.com/drepper/selinux-mem.html 

explains most of the memory potections (not mmap_zero) and how they should be handled in a more secure manor....

Comment 3 Jerry James 2009-10-20 21:58:41 UTC

I made the first change requested in comment #0 and am testing it now.

As for the second change in comment #0 and comment #1, no, it appears that gcl does NOT need mmap_zero, so I have removed that from the policy.

With respect to comment #2, gcl is generating and compiling code on the fly.  The gcl code that does this is VERY complex.  I took a stab at changing it to use mmap with PROT_EXEC last winter, when I took over maintainership of the package.  I failed.  I simply don't have the time I need to study the gcl code enough to understand it deeply enough to edit it in this fashion.  That is not likely to change any time soon.  Upstream is nearly (but not completely) dead, so I do not hold out any hope of convincing them to do the work.  If someone who is able to make it work correctly steps up with a patch, I would be happy to include it in the gcl package.

Comment 4 Fedora Update System 2009-10-20 22:47:05 UTC

gcl-2.6.8-0.6.20090701cvs.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gcl-2.6.8-0.6.20090701cvs.fc12

Comment 5 Fedora Update System 2009-10-20 22:47:17 UTC

gcl-2.6.8-0.4.20090701cvs.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gcl-2.6.8-0.4.20090701cvs.fc11

Comment 6 Fedora Update System 2009-11-04 12:18:03 UTC

gcl-2.6.8-0.4.20090701cvs.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Bug Zapper 2009-11-16 13:51:50 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.