Summary:

SELinux is preventing lancelot from making the program stack executable.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

The lancelot application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If lancelot does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust lancelot to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t 'lancelot'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t 'lancelot'"

Fix Command:

chcon -t execmem_exec_t 'lancelot'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                None [ process ]
Source                        ksmserver
Source Path                   ksmserver
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-118.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.16-141.fc12.x86_64 #1 SMP Wed Jul 7 04:49:59 UTC 2010 x86_64 x86_64
Alert Count                   1076
First Seen                    Wed 28 Jul 2010 02:23:20 PM EDT
Last Seen                     Sat 31 Jul 2010 02:13:05 AM EDT
Local ID                      26cbce65-6075-4d92-941f-614b7ada7e28
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1280556785.298:104): avc: denied { execstack } for pid=3588 comm="lancelot" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

Hash String generated from allow_execstack,ksmserver,unconfined_t,unconfined_t,process,execstack

audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
Could you try to execute yum reinstall selinux-policy-targeted and make sure nothing breaks.
Created attachment 436096
Output of Yum from Requested Command

This is the output from attempting to reinstall selinux-policy-targeted.
Try this again with

# setenforce 0
# yum reinstall selinux-policy-targeted
Even after 'setenforce', the reinstall still fails. My machine is having severe issues with SELinux, and I wonder if this (and the other errors I've recently reported) are simply one-off. This particular alert, as you can see, happened more than 1000 times in a four-day period, and I've been running in Permissive mode just so that I can log in. Maybe it's time for a fresh install of F13?
crantila try this.

# rm -rf /etc/selinux/targeted
# yum reinstall selinux-policy-targeted
# fixfiles restore
# reboot

That should clean it up.
This last command has cleared up everything. I've been able to set SELinux back to "Enforcing" for the first time in weeks! Wonder what I did to cause this in the first place... Thank you for your help.