From: Antoine Martin <antoine@nagafix.co.uk>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] mysql 4.1 requires shlib_t:file execmod?
Date: Mon, 24 Oct 2005 20:15:48 +0100 [thread overview]
Message-ID: <1130181349.17424.4.camel@localhost.localdomain> (raw)
In-Reply-To: <435D021A.9571.AEB74AE1@pageexec.freemail.hu>
On Mon, 2005-10-24 at 15:47 +0200, pageexec@freemail.hu wrote:
> On 23 Oct 2005 at 21:42, Antoine Martin wrote:
>
> ok, so this is the story of the textrelocs in libmysqlclient:
>
> > open("/usr/lib/libmysqlclient.so.14", O_RDONLY) = 3
> > mmap2(NULL, 2061732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
> > 0) = 0xb7d24000
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_WRITE) = 0
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_EXEC) = -1 EACCES
> > (Permission denied)
>
> this is either PaX (if you have NOELFRELOCS on) or SELinux,
> i think they call it execmem or something like that.
Yes, I started this thread and CCed the SELinux list.
I can make this work by allowing postfix to execmem all shlibs.
i.e. for all the postfix domains:
allow postfix_{domain}_t shlib_t:file execmod;
But this is not the right way to do it. I admit this is only a very tiny
security risk, but I would much rather figure out a way to fix the
library so that it does not require execmod. No other library requires it, and the
previous version of mysql I was using (4.0) didn't either.
> what do 'scanelf -T /usr/lib/libmysqlclient.so.14' or
> 'eu-findtextrel /usr/lib/libmysqlclient.so.14'
> say (it can't be 'nothing' for sure ;-)? eu-findtextrel
> is in dev-libs/elfutils.
# scanelf -T /usr/lib/libmysqlclient.so.14
TYPE TEXTRELS FILE
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD5C] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD70] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD84] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAE8C] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEA0] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEB4] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAF82] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAFEA] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB01B] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB067] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB14B] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB1B3] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB1EB] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB237] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD461] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD4C9] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD4FB] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD547] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFB45] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFBB5] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFBEF] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFC43] in BF_cbc_encrypt [0xDFAF0]
ET_DYN /usr/lib/libmysqlclient.so.14
Hope this helps...
Many thanks
Antoine
--
gentoo-hardened@gentoo.org mailing list
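As an added check that is not code from this thread, from scanelf or from mysql: the following Python reads the ELF dynamic section that the runtime loader consults before it remaps the text segment writable (the mprotect() call that PaX or SELinux execmod denial refuses above). A library carrying DT_TEXTREL, or DT_FLAGS with DF_TEXTREL set, is one that will need execmod. The sample images in make_sample_elf() are constructed here for the test; the ELF layouts and tag values are the standard ones.

```python
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4
# per ELF class: e_phoff offset/format, e_phentsize offset, Phdr format,
# (p_type, p_offset, p_filesz) field indices, Dyn entry format
LAYOUT = {
    1: (28, "I", 42, "IIIIIIII", (0, 1, 4), "iI"),  # ELFCLASS32 (i386 box in the mail)
    2: (32, "Q", 54, "IIQQQQQQ", (0, 2, 5), "qQ"),  # ELFCLASS64
}

def has_textrel(data: bytes) -> bool:
    """True if the ELF image declares text relocations (DT_TEXTREL or DF_TEXTREL)."""
    if data[:4] != b"\x7fELF" or data[4] not in LAYOUT:
        raise ValueError("not a supported ELF image")
    phoff_at, phoff_fmt, phnum_at, ph_fmt, idx, dyn_fmt = LAYOUT[data[4]]
    end = "<" if data[5] == 1 else ">"          # EI_DATA byte selects endianness
    e_phoff, = struct.unpack_from(end + phoff_fmt, data, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, phnum_at)
    for i in range(e_phnum):                     # walk the program headers
        ph = struct.unpack_from(end + ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[idx[0]] != PT_DYNAMIC:
            continue
        p_offset, p_filesz = ph[idx[1]], ph[idx[2]]
        step = struct.calcsize(end + dyn_fmt)
        for off in range(p_offset, p_offset + p_filesz, step):
            d_tag, d_val = struct.unpack_from(end + dyn_fmt, data, off)
            if d_tag == DT_NULL:                 # end of the dynamic array
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False

def make_sample_elf(textrel: bool, elfclass: int = 1) -> bytes:
    """Constructed sample image (not a real library): ELF header, a single
    PT_DYNAMIC program header and a dynamic array, with DT_TEXTREL if asked."""
    tags = ([(DT_TEXTREL, 0)] if textrel else []) + [(DT_NULL, 0)]
    if elfclass == 1:   # ELF32, e_machine 3 = EM_386, dynamic array at 52+32
        dyn = b"".join(struct.pack("<iI", t, v) for t, v in tags)
        ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
            "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    else:               # ELF64, e_machine 62 = EM_X86_64, dynamic array at 64+56
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in tags)
        ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
            "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":   # usage: python textrel.py /usr/lib/libmysqlclient.so.14
    import sys
    for path in sys.argv[1:]:
        print(path, "TEXTREL" if has_textrel(open(path, "rb").read()) else "clean")
```

Unlike scanelf -T, this only reports whether the library is flagged, not which functions carry the relocations; it is the quick test to run over a whole /usr/lib before reaching for eu-findtextrel.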