Bug 156393 - execmod/execmem denied at boot, only boots in permissive mode
Summary: execmod/execmem denied at boot, only boots in permissive mode
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-04-29 17:31 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-02 16:08:31 UTC



Description Orion Poplawski 2005-04-29 17:31:53 UTC
Description of problem:
System is a FC3 system with selinux components from
ftp://people.redhat.com/dwalsh/SELinux/Fedora/ and with some additions to the
default policy in order to work around some apache and other issues.  In trying
to boot to a new kernel, init crashed due to an selinux denial.  Booting in
permissive mode shows:

audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init path=/lib/ld-2.3.5.so dev=dm-1 ino=32775 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file
audit(1114772493.799:0): avc:  denied  { execmem } for  pid=1 comm=init scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
audit(1114772502.631:0): avc:  denied  { execmem } for  pid=1491 comm=nash scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.16-4

How reproducible:
Every time

Comment 1 Daniel Walsh 2005-04-29 18:14:44 UTC
setsebool -P allow_execmem=1 allow_execmod=1

Should fix the problem



Comment 2 Colin Walters 2005-04-29 21:13:43 UTC
So we're still defaulting to allow_execmem and allow_execmod as false?

Comment 3 Orion Poplawski 2005-04-29 21:25:01 UTC
Didn't have any effect in either case.

Comment 4 Daniel Walsh 2005-04-30 23:57:20 UTC
Update to the latest policy.  We default to allow_execmem/allow_execmod true on
Targeted policy.  Problem is they did not exist in FC3.  Try updating to policy
1.23.13-4 or later.

Dan

Comment 5 Orion Poplawski 2005-05-02 15:38:57 UTC
As mentioned, this is with selinux-policy-targeted-1.21.16-4.  Is there anything
else that would need to be done after setting the boolean?  Also, I'm not sure
if this is correct, seems new to me:

[root@hawk targeted]# grep exec bool*
booleans:allow_execmem=0
booleans:allow_execmod=0
booleans:httpd_ssi_exec=1
booleans.local:allow_execmem=1
booleans.local:allow_execmod=1


Comment 6 Daniel Walsh 2005-05-02 15:42:53 UTC
The problem you have is that you have partially updated to some interim policy,
perhaps an interim policycoreutils and a later kernel.  Please get up to date
on your policy, policycoreutils, libselinux, and libsepol.

Load_policy and the rest of selinux now use booleans.local to override the
defaults in the booleans file.  So this looks correct.

Dan

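The AVC lines in the report and the boolean files shown in comment 5 and explained in comment 6 are a small triage task: parse the denials into fields, compute the effective boolean values (booleans.local overriding booleans), and see which denials a boolean would cover. The following Python is an added example, not code from this bug report or from the selinux-policy project. It assumes the simple `name=0|1` line format shown in comment 5, and the `PERM_TO_BOOL` mapping from execmem/execmod to allow_execmem/allow_execmod is a simplification for illustration, not the policy's own rules.

```python
import re

# Constructed sample: the four AVC records from the report, one per line.
SAMPLE_AVC = """\
audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init path=/lib/tls/libc-2.3.5.so dev=dm-1 ino=32777 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1114772493.755:0): avc:  denied  { execmod } for  pid=1 comm=init path=/lib/ld-2.3.5.so dev=dm-1 ino=32775 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:ld_so_t tclass=file
audit(1114772493.799:0): avc:  denied  { execmem } for  pid=1 comm=init scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process
audit(1114772502.631:0): avc:  denied  { execmem } for  pid=1491 comm=nash scontext=user_u:system_r:initrc_t tcontext=user_u:system_r:initrc_t tclass=process
"""

# Constructed mirror of the grep output in comment 5: defaults vs. local overrides.
BOOLEANS = "allow_execmem=0\nallow_execmod=0\nhttpd_ssi_exec=1\n"
BOOLEANS_LOCAL = "allow_execmem=1\nallow_execmod=1\n"

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # Contexts are user:role:type; policy rules key on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_avc_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def parse_booleans(text):
    """Read 'name=0|1' lines (assumed format, as in comment 5) into a dict of bools."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, val = line.partition("=")
        out[name.strip()] = val.strip() in ("1", "true")
    return out


def effective_booleans(defaults, local):
    """booleans.local overrides the defaults in booleans, as comment 6 describes."""
    eff = parse_booleans(defaults)
    eff.update(parse_booleans(local))
    return eff


# Assumed illustrative mapping from denied permission to the gating boolean.
PERM_TO_BOOL = {"execmem": "allow_execmem", "execmod": "allow_execmod"}


def triage(denials, booleans):
    """Label each denied permission with its boolean and whether that boolean is on."""
    rows = []
    for d in denials:
        for perm in d["perms"]:
            b = PERM_TO_BOOL.get(perm)
            rows.append({
                "pid": d["pid"], "comm": d["comm"], "perm": perm,
                "stype": d["stype"], "tclass": d["tclass"], "boolean": b,
                "allowed_by_boolean": bool(b) and booleans.get(b, False),
            })
    return rows


if __name__ == "__main__":
    eff = effective_booleans(BOOLEANS, BOOLEANS_LOCAL)
    for row in triage(parse_avc_log(SAMPLE_AVC), eff):
        print(row)
```

Running it against the defaults alone (`parse_booleans(BOOLEANS)`) flags every denial as not covered, which matches the reporter's experience before the local overrides were honoured; with `booleans.local` layered on, all four are covered by a boolean that is on.
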
Comment 7 Orion Poplawski 2005-05-02 16:08:16 UTC
Did another yum update and all seems to be well now.  Thanks.

