Description of problem:

$ cat hello.go
package main

import "fmt"

func main() {
	fmt.Println("Hello, 世界")
}
$ gccgo hello.go
$ ./a.out
./a.out: error while loading shared libraries: libgo.so.0: cannot enable executable stack as shared object requires: Permission denied

Version-Release number of selected component (if applicable):
4.6.0-2.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
libgo requires executable stack (well, in particular executable heap), so you need to chcon -t the binaries.
selinux-policy-3.9.16-10.fc15.noarch

$ chcon -t execmem_exec_t a.out
$ ./a.out

setroubleshoot message

If you believe that a.out should be allowed mmap_zero access on the Unknown memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep a.out /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
소스 문맥       unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
대상 문맥       unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
대상 객체       Unknown [ memprotect ]
소스            a.out
소스 경로       /home/sangu/문서/a.out
포트            <알려지지 않음>
호스트          localhost.localdomain
소스 RPM 패키지
대상 RPM 패키지
정책 RPM        selinux-policy-3.9.16-10.fc15
Selinux 활성화  True
정책 유형       targeted
강제 모드       Enforcing
호스트명        localhost.localdomain
플랫폼          Linux localhost.localdomain 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
통지 카운트     1
초기 화면       2011년 04월 06일 (수) 오전 12시 42분 40초
마지막 화면     2011년 04월 06일 (수) 오전 12시 42분 40초
로컬 ID         03dfe151-2037-4a54-95bb-8c9752d2f2f8

원 감사 메세지
type=AVC msg=audit(1302018160.293:867): avc: denied { mmap_zero } for pid=12492 comm="a.out" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect

type=SYSCALL msg=audit(1302018160.293:867): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=0 a3=32 items=0 ppid=6742 pid=12492 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm=a.out exe=2F686F6D652F73616E67752FEBACB8EC849C2F612E6F7574 subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

Hash: a.out,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero

audit2allow

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_execmem_t self:memprotect mmap_zero;

audit2allow -R

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'
allow unconfined_execmem_t self:memprotect mmap_zero;
mmap_zero is a very dangerous access and is only allowed for root apps by default.
I can't reproduce that it would try to mmap zero:

strace -f ./hello 2>&1 | grep MAP_FIXED
mmap(0x7fbf3bb9a000, 2084864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6c7000) = 0x7fbf3bb9a000
mmap(0x7fbf3bd97000, 33779064, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbf3bd97000
mmap(0x3323e82000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x82000) = 0x3323e82000
mmap(0x3325e15000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x3325e15000
mmap(0x3322b74000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x174000) = 0x3322b74000
mmap(0x3322b79000, 18632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3322b79000
mmap(0x3322e16000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x3322e16000
mmap(0x3322e18000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3322e18000
a3=32 is the flags.

#define MAP_FIXED 0x10 /* Interpret addr exactly */
#define MAP_ANONYMOUS 0x20 /* don't use a file */

Given 32 == 0x20 we know this is not a bad program. Looks like https://bugzilla.redhat.com/show_bug.cgi?id=490753 which was fixed in RHEL6 but doesn't look like the patch made it upstream :(

So consider the mmap_zero part of this bug a dupe of 490753. But as to gccgo + execmem I have no help :)
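An added example (not part of the original thread) of the check made in the comment above: decode the a3 flags of the SYSCALL record and test whether MAP_FIXED was requested at address 0. The comment reads a3=32 as decimal; the kernel's raw audit records print a0 to a3 in hexadecimal, so the base is a parameter here and both readings are computed. The function names are illustrative, and the record is copied from the report and trimmed.

```python
import re

# Linux mmap flag bits on x86_64; the thread quotes MAP_FIXED and MAP_ANONYMOUS.
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}

# SYSCALL record from the report above, trimmed to the fields used here.
RECORD = ("type=SYSCALL msg=audit(1302018160.293:867): arch=x86_64 syscall=mmap "
          "success=no exit=EACCES a0=0 a1=1000 a2=0 a3=32 items=0 ppid=6742 pid=12492 "
          "comm=a.out exe=2F686F6D652F73616E67752FEBACB8EC849C2F612E6F7574")

def parse_fields(record):
    """Split an audit record into a key -> value dict."""
    return dict(re.findall(r"(\w+)=(\S+)", record))

def decode_exe(value):
    """audit hex-encodes paths holding non-ASCII bytes; decode those, unquote the rest."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value.strip('"')

def decode_flags(value, base):
    """Names of the mmap flag bits set in value, read in the given base."""
    bits = int(value, base)
    names = [name for bit, name in MAP_FLAGS.items() if bits & bit]
    unknown = bits & ~sum(MAP_FLAGS)
    if unknown:
        names.append(hex(unknown))  # bits outside the small table above
    return names

def triage(record, base):
    """Summarise an mmap SYSCALL record; base is how a0..a3 are to be read."""
    f = parse_fields(record)
    addr = int(f["a0"], base)
    flags = decode_flags(f["a3"], base)
    return {
        "exe": decode_exe(f["exe"]),
        "addr": addr,
        "length": int(f["a1"], base),
        "flags": flags,
        # Only MAP_FIXED makes addr binding; without it addr 0 is just "no hint".
        "explicit_page_zero": addr == 0 and "MAP_FIXED" in flags,
    }

if __name__ == "__main__":
    for base in (10, 16):
        print(base, triage(RECORD, base))
```

The two readings reach opposite conclusions for this record, so it is worth confirming which base the tool that printed it used before acting on the result.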
*** Bug 712918 has been marked as a duplicate of this bug. ***
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping