Bug 694342 - SELinux is preventing /bin/bash from making the program stack executable.
Summary: SELinux is preventing /bin/bash from making the program stack executable.
Keywords:
Status: CLOSED DUPLICATE of bug 652297
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:6107308db2e...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-04-07 02:26 UTC by ddbug
Modified: 2011-04-08 18:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Vmware 7.1.4
Last Closed: 2011-04-07 12:34:39 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description ddbug 2011-04-07 02:26:29 UTC 
The file ctl.sh was installed by Trac+svn binary package from Bitnami.org.
It looks ok.
Text below created by selinux:

~~~
Summary:

SELinux is preventing /bin/bash from making the program stack executable.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

......

Fix Command:

chcon -t execmem_exec_t '/bin/bash'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        ctl.sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   allow_execstack
Host Name                     (removed)
Platform                      Linux devpc4.vmw 2.6.35.6-45.fc14.i686 #1 SMP Mon
                              Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Thu 07 Apr 2011 04:40:07 AM IDT
Last Seen                     Thu 07 Apr 2011 05:03:58 AM IDT
Local ID                      11591499-00e0-45b4-88ba-653491238a8c
Line Numbers                  

Raw Audit Messages            

node=devpc4.vmw type=AVC msg=audit(1302141838.650:23): avc:  denied  { execstack } for  pid=2322 comm="ctl.sh" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=devpc4.vmw type=SYSCALL msg=audit(1302141838.650:23): arch=40000003 syscall=125 success=yes exit=0 a0=bfb47000 a1=1000 a2=1000007 a3=bfb47150 items=0 ppid=2316 pid=2322 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ctl.sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

~~~end~~~


Hash String generated from  allow_execstack,ctl.sh,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
Comment 1 Miroslav Grepl 2011-04-07 12:34:39 UTC 
Turn on the 'allow_execstack' boolean.

# setsebool -P allow_execstack 1

What is your version of setroubleshoot

# rpm -qa setroubleshoot\*
Comment 2 ddbug 2011-04-08 01:17:02 UTC 
Output of rpm -qa setroubleshoot\*:

setroubleshoot-server-2.2.102-1.fc14.i686
setroubleshoot-2.2.102-1.fc14.i686
setroubleshoot-plugins-2.1.61-1.fc14.noarch

Thanks for your reply. If executable stack in bash is ok, so let it be.

-- P.
Comment 3 Daniel Walsh 2011-04-08 18:20:05 UTC 
Well it is not executable stack in bash, the avc is probably caused by a shared library you have installed.

I am going to close this bug as a dup of another that tells you how to look for the bad library.

*** This bug has been marked as a duplicate of bug 652297 ***
Note You need to log in before you can comment on or make changes to this bug.