Summary:

SELinux is preventing /usr/sbin/squid from loading /usr/sbin/squid which requires text relocation.

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

The squid application attempted to load /usr/sbin/squid which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/sbin/squid to use relocation as a workaround, until the library is fixed. Please file a bug report.

Allowing Access:

If you trust /usr/sbin/squid to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/sbin/squid'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/sbin/squid'"

Fix Command:

chcon -t textrel_shlib_t '/usr/sbin/squid'

Additional Information:

Source Context                unconfined_u:system_r:squid_t:s0
Target Context                system_u:object_r:squid_exec_t:s0
Target Objects                /usr/sbin/squid [ file ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           squid-3.1.7-1.fc12
Target RPM Packages           squid-3.1.7-1.fc12
Policy RPM                    selinux-policy-3.6.32-121.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.18-159.fc12.x86_64 #1 SMP Tue Aug 10 20:43:59 UTC 2010 x86_64 x86_64
Alert Count                   12
First Seen                    Tue 24 Aug 2010 11:03:01 AM EEST
Last Seen                     Wed 25 Aug 2010 02:51:34 AM EEST
Local ID                      c4218357-7dcc-4576-b81a-0ea0c800cba7
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1282693894.480:14369): avc: denied { execmod } for pid=8903 comm="squid" path="/usr/sbin/squid" dev=sda8 ino=22703 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282693894.480:14369): arch=c000003e syscall=10 success=yes exit=128 a0=7f9ea0bdc000 a1=2d8000 a2=5 a3=7f9ea0c985e0 items=0 ppid=8902 pid=8903 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)

Hash String generated from  allow_execmod,squid,squid_t,squid_exec_t,file,execmod
audit2allow suggests:

#============= squid_t ==============
allow squid_t squid_exec_t:file execmod;
Did you install a different version of squid? This is very strange access.
(In reply to comment #1)
> Did you install a different version of squid? This is very strange access.

Actually no. I've had this behaviour using the last two koji-available packages. Here's the log:

grep squid /var/log/yum.log
May 27 13:41:27 Installed: 7:squid-3.1.3-2.fc12.x86_64
May 27 13:41:32 Installed: squidGuard-1.4-8.fc12.x86_64
Jun 01 03:33:32 Updated: 7:squid-3.1.4-1.fc12.x86_64
Jun 02 08:00:15 Updated: 7:squid-3.1.4-2.fc12.x86_64
Aug 24 11:02:54 Updated: 7:squid-3.1.6-1.fc12.x86_64
Aug 25 02:50:09 Updated: 7:squid-3.1.7-1.fc12.x86_64
Reverting to 4-2, all works as expected. What I don't get is how simple bugfixes trigger textrel issues.
One of the changes is to use the system-provided libtool instead of the bundled version. The libtool.autoconf integration was also updated from libtool-1.x style to libtool-2.x.
The F13 update to the same version does not show this problem.
Looking closely, what is more odd is why this complaint was not seen before on F12. The F12 and F13 packages differ slightly in how they set the compiler flags, which may be the reason.
I've observed the same behaviour. selinux-policy doesn't complain about the same version of squid in F13. Dan, what's the difference between selinux-policy in F12 & F13? What exactly is complained about by selinux-policy?
Nothing as far as this denial. execmod on an executable is very rare. I think this is a build issue.
The f13 srpm rebuilt on f12 seems to work.
Great, you are right Henrik. Exporting the flags before building affects the build so that it produces this issue. Commenting out this part of the spec fixes the issue. Unfortunately I think the f13 settings should be 'tuned' too.
You know these much better. Please fix up. I did not backport the changes as it seems in conflict with earlier changelog entries for ppc.
Well, the issue is generated when the -fPIE option is used. I don't think this is correct. Dan, I suppose selinux-policy should be updated. Then I'll correct the spec files for F13+. The flags export is placed incorrectly. Therefore the issue is currently only generated by F12. I suppose Henrik's comment #4 is also important. This is probably a trigger.
Huh, what selinux-policy change is necessary? We are not going to allow execmod of an executable.
Are the GCC flags -fPIC / -fPIE / -pic / -pie related to the execmod requirement somehow? Not sure what would trigger an execmod requirement.
http://www.akkadia.org/drepper/textrelocs.html explains the issue quite well. Thanks Michal Schmidt for the pointer. Do we need to force these flags in the spec file?
> Do we need to force these flags in the spec file?

Usage of these flags is better but not necessary. Well, I'll remove these flags.
Have removed the flags from F12 in squid-3.1.7-1.fc12.1. Will be removed from F13+ in the next update. They have no effect there.
squid-3.1.7-1.fc12.1 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/squid-3.1.7-1.fc12.1
squid-3.1.7-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update squid'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/squid-3.1.7-1.fc12.1
Confirming the new build works fine. No more AVC denials. Thank you.
Have figured out why the -PIE flags failed. It is libtool that strips them from the compile line by default.
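The raw audit record in the report pins down what the denial actually is: on x86_64, syscall 10 is mprotect and a2=5 is PROT_READ|PROT_EXEC, i.e. the loader re-protecting squid's own text segment executable after patching text relocations into it, exactly the sequence Drepper's textrelocs page describes. Whether a given build needs that is a property of the binary's dynamic section, not of the compile flags that were requested, which matters here because, as the comment above notes, libtool can drop -fPIE on the way to the compiler. The following is an added example, not code from squid, setroubleshoot or the Fedora package; it reads the dynamic section of an ELF64 image and reports TEXTREL and PIE status. It assumes a 64-bit ELF, and uses the presence of PT_INTERP on an ET_DYN object as the PIE test (the DF_1_PIE flag did not exist in linkers of this era). The sample images it ships with are constructed in-line, not real squid binaries.

```python
"""Check an ELF64 binary for the two properties this bug turns on: whether it
is position-independent (PIE) and whether it needs text relocations
(DT_TEXTREL / DF_TEXTREL), which is what makes SELinux demand execmod on the
file.  Added example; not code from squid, setroubleshoot or the Fedora spec."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4

EHDR = "16sHHIQQQIHHHHHH"   # ELF64 file header, 64 bytes
PHDR = "IIQQQQQQ"           # ELF64 program header, 56 bytes
DYN = "qQ"                  # ELF64 dynamic entry, 16 bytes


def parse_dynamic(data):
    """Return (e_type, has_interp, {d_tag: d_val}) for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(end + EHDR, data, 0)
    has_interp, dyn = False, {}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            end + PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from(end + DYN, data, off)
                if d_tag == DT_NULL:
                    break
                dyn[d_tag] = d_val
    return e_type, has_interp, dyn


def inspect_elf(data):
    """Summarise type, PIE-ness and TEXTREL for one ELF64 image."""
    e_type, has_interp, dyn = parse_dynamic(data)
    # Either the legacy DT_TEXTREL tag or DF_TEXTREL in DT_FLAGS marks a
    # binary whose text segment must be patched (made writable, then
    # executable again) at load time; that re-protect is the execmod denied.
    textrel = DT_TEXTREL in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_TEXTREL)
    # Assumption: an ET_DYN object that also has a PT_INTERP is a PIE
    # executable rather than a shared library.  Linkers of this era do not
    # set DF_1_PIE, so DT_FLAGS_1 cannot be relied on for the distinction.
    pie = e_type == ET_DYN and has_interp
    return {"type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, "OTHER"),
            "pie": pie, "textrel": textrel}


def selinux_verdict(info):
    """Map the findings to the SELinux behaviour seen in this bug."""
    if info["textrel"]:
        return "TEXTREL present: execmod on the file's own context is required"
    return "no TEXTREL: runs under the default policy"


def build_elf(e_type, dyn_entries, with_interp):
    """Build a minimal, non-runnable ELF64 image (constructed test data,
    standing in for the two squid builds discussed in the thread)."""
    phdrs = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1)] if with_interp else []
    phnum = len(phdrs) + 1
    dyn_off = 64 + 56 * phnum
    blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    blob += struct.pack("<qQ", DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(blob), len(blob), 8))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9   # ELF64, little-endian, v1
    ehdr = struct.pack("<" + EHDR, ident, e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(struct.pack("<" + PHDR, *p) for p in phdrs) + blob


# Constructed samples: a non-PIE executable carrying text relocations (the
# shape that triggers the denial) and a clean PIE (what -fPIE should yield).
BAD_BUILD = build_elf(ET_EXEC, [(DT_FLAGS, DF_TEXTREL), (DT_TEXTREL, 0)], True)
GOOD_BUILD = build_elf(ET_DYN, [(DT_FLAGS, 0)], True)

if __name__ == "__main__":
    import sys
    samples = [("bad-sample", BAD_BUILD), ("good-sample", GOOD_BUILD)]
    for path in sys.argv[1:]:          # e.g. /usr/sbin/squid
        with open(path, "rb") as f:
            samples.append((path, f.read()))
    for name, image in samples:
        info = inspect_elf(image)
        print(f"{name}: {info} -> {selinux_verdict(info)}")
```

On a live system the one-liner equivalent is readelf -d /usr/sbin/squid | grep TEXTREL: an empty result means the binary does not need textrel_shlib_t at all, and the chcon that setroubleshoot proposes would be papering over a build problem rather than fixing a policy one, which is the point Dan makes about not allowing execmod on an executable.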
squid-3.1.8-1.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/squid-3.1.8-1.fc13
squid-3.1.8-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/squid-3.1.8-1.fc14
squid-3.1.8-1.fc12 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/squid-3.1.8-1.fc12
squid-3.1.8-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
squid-3.1.8-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
squid-3.1.8-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.