Bug 617030 - SELinux is preventing /usr/bin/dosbox "execmem" access on <Unknown>
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All   OS: Linux
Priority: low   Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-07-21 20:57 EDT by Adam Williamson
Modified: 2010-08-05 19:39 EDT
Fixed In Version: selinux-policy-3.7.19-41.fc13
Doc Type: Bug Fix
Last Closed: 2010-08-05 19:39:51 EDT
Attachments: None
Description Adam Williamson 2010-07-21 20:57:56 EDT
(this is a copy-and-paste report as the 'report to bugzilla' button in sealert seems to be mysteriously missing).

What I did to trigger this was try to run Doom 2 - the old-skool doom2.exe - in dosbox. It causes dosbox to crash. If I go to Permissive mode, I can run the game happily.

SELinux denied access requested by dosbox. The current boolean settings do not
allow this access. If you have not setup dosbox to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        dosbox
Source Path                   /usr/bin/dosbox
Port                          <Unknown>
Host                          adam.local.net
Source RPM Packages           dosbox-0.74-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.7-2.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     adam.local.net
Platform                      Linux adam.local.net
                              2.6.35-0.41.rc5.git1.fc14.x86_64 #1 SMP Fri Jul 16
                              21:29:45 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 21 Jul 2010 05:29:56 PM PDT
Last Seen                     Wed 21 Jul 2010 05:30:36 PM PDT
Local ID                      92367b73-a447-4950-beb6-dde4fab1fe2d
Line Numbers                  

Raw Audit Messages            

node=adam.local.net type=AVC msg=audit(1279758636.896:3549): avc:  denied  { execmem } for  pid=19998 comm="dosbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

node=adam.local.net type=SYSCALL msg=audit(1279758636.896:3549): arch=c000003e syscall=10 success=yes exit=0 a0=7f2e550fa000 a1=803000 a2=7 a3=22 items=0 ppid=3188 pid=19998 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm="dosbox" exe="/usr/bin/dosbox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
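As an added triage example (not part of this report or of the SELinux tooling), the Python below pairs the AVC record above with its SYSCALL record by audit serial, decodes the x86_64 syscall number and prot argument, reads success=yes as "permissive, logged but not blocked", and recommends the per-binary execmem_exec_t label (the chcon given in comment 2, in persistent semanage/restorecon form) instead of the system-wide allow_execmem boolean sealert offers. The function names, the syscall/PROT tables and the suggested command string are mine.

```python
import re

# Constructed copies of the two audit records from this report (serial 3549).
AUDIT_LINES = [
    'node=adam.local.net type=AVC msg=audit(1279758636.896:3549): avc:  denied  { execmem } for  pid=19998 comm="dosbox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'node=adam.local.net type=SYSCALL msg=audit(1279758636.896:3549): arch=c000003e syscall=10 success=yes exit=0 a0=7f2e550fa000 a1=803000 a2=7 a3=22 items=0 ppid=3188 pid=19998 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm="dosbox" exe="/usr/bin/dosbox" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}   # the two calls that can trigger execmem
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse_record(line):
    """Split one audit record into key=value fields (quotes stripped) plus serial and perms."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    m = PERMS_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec

def decode_prot(hex_value):
    """Decode the prot argument (a2 of mmap/mprotect) into PROT_* names."""
    prot = int(hex_value, 16)
    names = [n for bit, n in PROT_BITS.items() if prot & bit]
    return "|".join(names) if names else "PROT_NONE"

def triage(lines):
    """Pair each AVC with the SYSCALL record sharing its serial; explain execmem denials."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or avc.get("tclass") != "process" or "execmem" not in avc["perms"]:
            continue   # not the writable+executable mapping case this report is about
        f = {"serial": serial, "comm": avc.get("comm"), "exe": sc.get("exe") if sc else None}
        if sc and sc.get("arch") == "c000003e":   # AUDIT_ARCH_X86_64
            f["syscall"] = X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
            f["prot"] = decode_prot(sc["a2"])
        # success=yes on the SYSCALL record means permissive mode: logged, not blocked.
        f["enforced"] = (sc.get("success") == "no") if sc else None
        # Scope the exception to this binary (comment 2's chcon, made persistent) rather than allow_execmem.
        f["fix"] = ("semanage fcontext -a -t execmem_exec_t '%s' && restorecon -v '%s'"
                    % (f["exe"], f["exe"])) if f["exe"] else "label the binary execmem_exec_t"
        findings.append(f)
    return findings
```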
Comment 1 Adam Williamson 2010-07-21 20:59:04 EDT
DOSBox dumps the message "Setting excute permission on the code cache has failed" to the console. I can provide the dosbox backtrace if it'd help with anything, too.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 2 Daniel Walsh 2010-07-22 10:12:47 EDT
chcon -t execmem_exec_t /usr/bin/dosbox

Should fix.

What does dosbox do?
Comment 3 Adam Williamson 2010-07-22 14:36:42 EDT
It's a DOS emulator, rather like DOSEmu. Almost a single-purpose virtual machine, really. It's used to run old DOS software, and games. Running Doom in it would be a pretty typical usage.
Comment 4 Daniel Walsh 2010-07-22 16:22:35 EDT
Kind of what I thought. Miroslav, the execmem_exec_t labeling is required.
Comment 5 Miroslav Grepl 2010-07-27 08:21:03 EDT
Fixed in selinux-policy-3.7.19-41.fc13
Comment 6 Adam Williamson 2010-07-27 15:26:39 EDT
Did you fix this in rawhide too? I didn't file it against rawhide by accident =)
Comment 7 Daniel Walsh 2010-07-27 16:35:34 EDT
We fix it in all distributions that we support.

F13, F14, RHEL6.
Comment 8 Fedora Update System 2010-07-28 11:11:09 EDT
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
Comment 9 Fedora Update System 2010-07-30 04:41:06 EDT
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
Comment 10 Fedora Update System 2010-08-05 19:39:27 EDT
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.