Bug 693143 - Selinux has detected a problem in simple go program.
Summary: Selinux has detected a problem in simple go program.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 712918
Depends On:
Blocks:
Reported: 2011-04-03 03:39 UTC by sangu
Modified: 2012-08-07 19:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-07 19:58:31 UTC
Type: ---
Embargoed:



Description sangu 2011-04-03 03:39:23 UTC
Description of problem:
$ cat hello.go 
package main

import "fmt"

func main() {
	fmt.Println("Hello, 世界")
}

$ gccgo hello.go
$ ./a.out 

./a.out: error while loading shared libraries: libgo.so.0: cannot enable executable stack as shared object requires: Permission denied

Version-Release number of selected component (if applicable):
4.6.0-2.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Jakub Jelinek 2011-04-05 15:08:12 UTC
libgo requires executable stack (well, in particular executable heap), so you need to chcon -t the binaries.

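The loader error in the description ("cannot enable executable stack as shared object requires") comes from the PT_GNU_STACK program header of a shared object that asks for an executable stack, which SELinux's execstack control then refuses for the process. The following script is added here as an example and is not code from the bug report, gccgo or libgo: it reads that header from an ELF64 image so an administrator can see which object carries the marking before relabelling a binary the way Comment 2 does. The two sample objects are constructed in memory (headers only, not loadable) so the script runs offline; gnu_stack_flags() and check_file() work on any real ELF64 file as well.

```python
# Added example (not from the bug report, gccgo or libgo): read the
# PT_GNU_STACK program header of an ELF64 image to see whether the object
# requests an executable stack, which is what makes ld.so try to enable
# execstack for the whole process.
import struct

PT_GNU_STACK = 0x6474E551   # p_type of the GNU_STACK program header
PF_X = 0x1                  # p_flags bits
PF_W = 0x2
PF_R = 0x4
ELF_MAGIC = b"\x7fELF"


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header in an ELF64 image, or None
    when the header is absent (on x86 the loader then assumes an executable stack)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)      # e_phoff
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    for i in range(e_phnum):
        # Each Elf64_Phdr starts with p_type (4 bytes) and p_flags (4 bytes).
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def needs_exec_stack(data):
    """True when loading this object would make ld.so request an executable stack."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def check_file(path):
    """Convenience wrapper for a real file on disk, e.g. a libgo.so.0 copy."""
    with open(path, "rb") as f:
        return needs_exec_stack(f.read())


def build_elf64(stack_flags):
    """Constructed sample: a minimal little-endian ELF64 shared object with one
    PT_LOAD and one PT_GNU_STACK header. Headers only; it is not loadable."""
    phoff, phentsize, phnum = 64, 56, 2
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, EV_CURRENT, SYSV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, phoff, 0, 0,      # ET_DYN, EM_X86_64, version, entry, phoff, shoff, flags
                               64, phentsize, phnum, 0, 0, 0)  # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    load = struct.pack("<IIQQQQQQ", 1, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + stack


if __name__ == "__main__":
    for label, flags in (("non-executable stack", PF_R | PF_W),
                         ("executable stack", PF_R | PF_W | PF_X)):
        print("%-22s needs exec stack: %s" % (label, needs_exec_stack(build_elf64(flags))))
```

On a real system `readelf -lW <file> | grep GNU_STACK` shows the same flags: RWE means the object requests an executable stack, RW means it does not. Fixing the marking on the object that carries it keeps the process confined, whereas relabelling the binary to an execmem type widens what that process may do.
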
Comment 2 sangu 2011-04-05 15:53:16 UTC
selinux-policy-3.9.16-10.fc15.noarch

$ chcon -t execmem_exec_t a.out  
$ ./a.out 


setroubleshoot message

If you believe that a.out should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep a.out /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
소스 문맥                         unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
대상 문맥                         unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
대상 객체                         Unknown [ memprotect ]
소스                            a.out
소스 경로                         /home/sangu/문서/a.out
포트                            <알려지지 않음>
호스트                           localhost.localdomain
소스 RPM 패키지                    
대상 RPM 패키지                    
정책 RPM                        selinux-policy-3.9.16-10.fc15
Selinux 활성화                   True
정책 유형                         targeted
강제 모드                         Enforcing
호스트명                          localhost.localdomain
플랫폼                           Linux localhost.localdomain 2.6.38.2-9.fc15.x86_64
                              #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
통지 카운트                        1
초기 화면                         2011년 04월 06일 (수) 오전 12시 42분 40초
마지막 화면                        2011년 04월 06일 (수) 오전 12시 42분 40초
로컬 ID                         03dfe151-2037-4a54-95bb-8c9752d2f2f8

원 감사 메세지
type=AVC msg=audit(1302018160.293:867): avc:  denied  { mmap_zero } for  pid=12492 comm="a.out" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect


type=SYSCALL msg=audit(1302018160.293:867): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=0 a3=32 items=0 ppid=6742 pid=12492 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm=a.out exe=2F686F6D652F73616E67752FEBACB8EC849C2F612E6F7574 subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

Hash: a.out,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero

audit2allow

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_execmem_t self:memprotect mmap_zero;

Comment 3 Daniel Walsh 2011-04-05 20:09:55 UTC
mmap_zero is a very dangerous access and is only allowed for root apps by default.

Comment 4 Jakub Jelinek 2011-04-05 20:22:49 UTC
I can't reproduce that it would try to mmap zero:

strace -f ./hello 2>&1 | grep MAP_FIXED
mmap(0x7fbf3bb9a000, 2084864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6c7000) = 0x7fbf3bb9a000
mmap(0x7fbf3bd97000, 33779064, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbf3bd97000
mmap(0x3323e82000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x82000) = 0x3323e82000
mmap(0x3325e15000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x3325e15000
mmap(0x3322b74000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x174000) = 0x3322b74000
mmap(0x3322b79000, 18632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3322b79000
mmap(0x3322e16000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x3322e16000
mmap(0x3322e18000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3322e18000

Comment 5 Eric Paris 2011-04-05 20:44:52 UTC
a3=32 is the flags.

#define MAP_FIXED       0x10            /* Interpret addr exactly */
#define MAP_ANONYMOUS   0x20            /* don't use a file */

Given 32 == 0x20 we know this is not a bad program.

Looks like https://bugzilla.redhat.com/show_bug.cgi?id=490753 which was fixed in RHEL6 but doesn't look like the patch made it upstream   :(

So consider the mmap_zero part of this bug a dupe of 490753.  But as to gccgo + execmem I have no help   :)

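A decoder for the two audit records quoted in Comment 2, added here as an example; it is not code from the bug report, from libgo or from the SELinux policy. The audit subsystem writes a0-a3 as hexadecimal without a 0x prefix (the same record shows a1=1000 for a one-page mapping), so the decoder parses the arguments that way, expands the flag bits symbolically, and reports whether the denied call carried MAP_FIXED with an address below the low-memory threshold that the memprotect mmap_zero check guards. It also decodes the hex-encoded exe= field, which audit emits when a path contains characters outside printable ASCII. The threshold value 65536 is an assumption (the usual Fedora x86_64 value); the two sample lines are copied from the comment above.

```python
# Added example (not from the bug report, libgo or selinux-policy): decode the
# mmap arguments of an audit SYSCALL record that accompanies a
# memprotect:mmap_zero AVC, and decode audit's hex-encoded exe= field.
import re

# mmap(2) flag and protection bits as defined for x86_64 Linux in <sys/mman.h>.
MAP_FLAGS = {
    0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
    0x20: "MAP_ANONYMOUS", 0x100: "MAP_GROWSDOWN", 0x800: "MAP_DENYWRITE",
    0x1000: "MAP_EXECUTABLE", 0x2000: "MAP_LOCKED", 0x4000: "MAP_NORESERVE",
    0x8000: "MAP_POPULATE", 0x10000: "MAP_NONBLOCK", 0x20000: "MAP_STACK",
}
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FIXED = 0x10

# Address below which SELinux applies the memprotect:mmap_zero check
# (CONFIG_LSM_MMAP_MIN_ADDR). 65536 is assumed here as the Fedora x86_64 value.
LSM_MMAP_MIN_ADDR = 0x10000

# Sample records copied from Comment 2 of this bug.
AVC_LINE = ('type=AVC msg=audit(1302018160.293:867): avc:  denied  { mmap_zero } for  '
            'pid=12492 comm="a.out" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:'
            's0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:'
            's0-s0:c0.c1023 tclass=memprotect')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1302018160.293:867): arch=x86_64 syscall=mmap '
                'success=no exit=EACCES a0=0 a1=1000 a2=0 a3=32 items=0 ppid=6742 pid=12492 '
                'auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 '
                'fsgid=500 tty=pts0 ses=1 comm=a.out '
                'exe=2F686F6D652F73616E67752FEBACB8EC849C2F612E6F7574 '
                'subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"\{ ([^}]*) \}")


def parse_audit_record(line):
    """Split one audit line into a dict of key=value pairs (quotes stripped).
    The 'avc: denied { perm ... }' clause has no key, so it is stored as 'perms'."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERM_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields


def decode_audit_hex(value):
    """audit hex-encodes a string field (uppercase hex, no quotes) when it holds
    non-printable or non-ASCII bytes; exe= in the sample names a Korean directory.
    Values that are not hex-encoded are returned unchanged."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def names_for(bits, table):
    """Expand a bitmask into symbolic names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if bits & bit]
    unknown = bits & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names


def decode_mmap_args(syscall_fields):
    """Decode a0..a3 of an mmap SYSCALL record. The kernel logs a0-a3 with %lx,
    i.e. hexadecimal without a 0x prefix, so a1=1000 is 4096 bytes."""
    addr = int(syscall_fields["a0"], 16)
    length = int(syscall_fields["a1"], 16)
    prot = int(syscall_fields["a2"], 16)
    flags = int(syscall_fields["a3"], 16)
    return {"addr": addr, "length": length,
            "prot": names_for(prot, PROT_FLAGS) or ["PROT_NONE"],
            "flags": names_for(flags, MAP_FLAGS),
            "fixed": bool(flags & MAP_FIXED)}


def classify_mmap_zero(avc, syscall, lsm_mmap_min_addr=LSM_MMAP_MIN_ADDR):
    """The mmap_zero check runs on the address the kernel finally maps, so it is
    reached only when a low address was forced with MAP_FIXED or a free low hint
    was honoured. A hint of 0 without MAP_FIXED is never honoured."""
    if avc.get("tclass") != "memprotect" or "mmap_zero" not in avc.get("perms", []):
        return "other-denial"
    args = decode_mmap_args(syscall)
    if args["fixed"] and args["addr"] < lsm_mmap_min_addr:
        return "fixed-low-mapping"      # the process explicitly asked for this low address
    if args["addr"] == 0 and not args["fixed"]:
        return "hint-only"              # address 0 was only a placement hint
    return "low-hint"                   # non-zero low hint; the kernel may have honoured it


def analyse(avc_line, syscall_line):
    avc, syscall = parse_audit_record(avc_line), parse_audit_record(syscall_line)
    args = decode_mmap_args(syscall)
    return {"exe": decode_audit_hex(syscall["exe"]), "addr": args["addr"],
            "length": args["length"], "prot": args["prot"], "flags": args["flags"],
            "verdict": classify_mmap_zero(avc, syscall)}


if __name__ == "__main__":
    for key, value in analyse(AVC_LINE, SYSCALL_LINE).items():
        print("%-8s %s" % (key, value))
```

When checking a live system, feed it the AVC and SYSCALL records that share the same audit(...) serial number, which is how ausearch groups them into one event; the decoded flags and address say whether the denial matches a real low mapping before deciding between the mmap_low_allowed boolean that audit2allow suggests and a fix in the program.
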
Comment 6 Daniel Walsh 2011-06-14 15:36:45 UTC
*** Bug 712918 has been marked as a duplicate of this bug. ***

Comment 7 Fedora End Of Life 2012-08-07 19:58:33 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

