* [gentoo-hardened] SELinux problem -> avc: denied {execmem}
@ 2006-05-21 13:40 Jan Meier
2006-05-21 13:59 ` kakou
2006-05-21 16:00 ` Petre Rodan
0 siblings, 2 replies; 15+ messages in thread
From: Jan Meier @ 2006-05-21 13:40 UTC
To: gentoo-hardened
Hello,
I am running SELinux and at boot time I get the following avc: denied
messages:
May 21 16:01:40 jeeves audit(1148220069.887:0): avc: denied { execmem } for
pid=1 comm=init scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:kernel_t tclass=process
May 21 16:01:40 jeeves audit(1148220069.905:0): avc: denied { execmem } for
pid=1 comm=init scontext=system_u:system_r:init_t
tcontext=system_u:system_r:init_t tclass=process
May 21 16:01:40 jeeves audit(1148220070.475:0): avc: denied { execmem } for
pid=896 comm=rc scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=process
May 21 16:01:40 jeeves audit(1148220070.920:0): avc: denied { execmem } for
pid=904 comm=mount scontext=system_u:system_r:mount_t
tcontext=system_u:system_r:mount_t tclass=process
May 21 16:01:40 jeeves audit(1148220071.457:0): avc: denied { execmem } for
pid=934 comm=swapon scontext=system_u:system_r:fsadm_t
tcontext=system_u:system_r:fsadm_t tclass=process
May 21 16:01:40 jeeves audit(1148220072.480:0): avc: denied { execmem } for
pid=974 comm=modules-update scontext=system_u:system_r:update_modules_t
tcontext=system_u:system_r:update_modules_t tclass=process
What can I do to get rid of them?
When I execute `setenforce 1` I get a "Killed" after each command I execute,
does this have something to do with the denied messages?
Best regards,
Jan
--
GPG-Key-ID: BC3D36E0
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-21 13:40 [gentoo-hardened] SELinux problem -> avc: denied {execmem} Jan Meier
@ 2006-05-21 13:59 ` kakou
2006-05-21 16:00 ` Petre Rodan
1 sibling, 0 replies; 15+ messages in thread
From: kakou @ 2006-05-21 13:59 UTC
To: gentoo-hardened
Jan Meier wrote:
> Hello,
>
> I am running SELinux and at boot time I get the following avc: denied
> messages:
>
> May 21 16:01:40 jeeves audit(1148220069.887:0): avc: denied { execmem } for
> pid=1 comm=init scontext=system_u:system_r:kernel_t
> tcontext=system_u:system_r:kernel_t tclass=process
> May 21 16:01:40 jeeves audit(1148220069.905:0): avc: denied { execmem } for
> pid=1 comm=init scontext=system_u:system_r:init_t
> tcontext=system_u:system_r:init_t tclass=process
> May 21 16:01:40 jeeves audit(1148220070.475:0): avc: denied { execmem } for
> pid=896 comm=rc scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=process
> May 21 16:01:40 jeeves audit(1148220070.920:0): avc: denied { execmem } for
> pid=904 comm=mount scontext=system_u:system_r:mount_t
> tcontext=system_u:system_r:mount_t tclass=process
> May 21 16:01:40 jeeves audit(1148220071.457:0): avc: denied { execmem } for
> pid=934 comm=swapon scontext=system_u:system_r:fsadm_t
> tcontext=system_u:system_r:fsadm_t tclass=process
> May 21 16:01:40 jeeves audit(1148220072.480:0): avc: denied { execmem } for
> pid=974 comm=modules-update scontext=system_u:system_r:update_modules_t
> tcontext=system_u:system_r:update_modules_t tclass=process
>
> What can I do to get rid of them?
> When I execute `setenforce 1` I get a "Killed" after each command I execute,
> does this have something to do with the denied messages?
>
> Best regards,
>
> Jan
>
>
>
Do you boot in enforcing or permissive mode?
Are you using another security protection (grsecurity, PaX, ...)?
Are you on stable or ~x86?
--
gentoo-hardened@gentoo.org mailing list
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-21 13:40 [gentoo-hardened] SELinux problem -> avc: denied {execmem} Jan Meier
2006-05-21 13:59 ` kakou
@ 2006-05-21 16:00 ` Petre Rodan
2006-05-21 16:46 ` Jan Meier
1 sibling, 1 reply; 15+ messages in thread
From: Petre Rodan @ 2006-05-21 16:00 UTC
To: gentoo-hardened
Hi,
On Sun, May 21, 2006 at 04:40:57PM +0200, Jan Meier wrote:
> Hello,
>
> I am running SELinux and at boot time I get the following avc: denied
> messages:
>
> May 21 16:01:40 jeeves audit(1148220069.887:0): avc: denied { execmem } for
> pid=1 comm=init scontext=system_u:system_r:kernel_t
> tcontext=system_u:system_r:kernel_t tclass=process
> May 21 16:01:40 jeeves audit(1148220069.905:0): avc: denied { execmem } for
> pid=1 comm=init scontext=system_u:system_r:init_t
> tcontext=system_u:system_r:init_t tclass=process
> May 21 16:01:40 jeeves audit(1148220070.475:0): avc: denied { execmem } for
> pid=896 comm=rc scontext=system_u:system_r:initrc_t
> tcontext=system_u:system_r:initrc_t tclass=process
> May 21 16:01:40 jeeves audit(1148220070.920:0): avc: denied { execmem } for
> pid=904 comm=mount scontext=system_u:system_r:mount_t
> tcontext=system_u:system_r:mount_t tclass=process
> May 21 16:01:40 jeeves audit(1148220071.457:0): avc: denied { execmem } for
> pid=934 comm=swapon scontext=system_u:system_r:fsadm_t
> tcontext=system_u:system_r:fsadm_t tclass=process
> May 21 16:01:40 jeeves audit(1148220072.480:0): avc: denied { execmem } for
> pid=974 comm=modules-update scontext=system_u:system_r:update_modules_t
> tcontext=system_u:system_r:update_modules_t tclass=process
your binaries might lack the GNU_STACK header, i.e. they were built with an old toolchain.
use readelf --headers to find out if it's the case.
you might want to upgrade to the latest stable gcc and recompile all binaries with that header missing.
> When I execute `setenforce 1` I get a "Killed" after each command I execute,
> does this have something to do with the denied messages?
you should enforce only when your policy is ok for your purposes.
cheers,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
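
The check suggested in the reply above, as an added example that is not part of the original thread: a small Python reader that reports the PT_GNU_STACK flags the way readelf prints them and marks images where the header is absent or requests an executable stack. The function names and the constructed big-endian ELF32 sample are assumptions made for illustration.

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551      # program header that records the stack permissions
PF_X, PF_W, PF_R = 1, 2, 4     # p_flags bits; readelf prints them as E, W, R


def gnu_stack_flags(data):
    """Return the PT_GNU_STACK flags as readelf shows them ('RW', 'RWE'),
    or None when the image has no PT_GNU_STACK header at all."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("unknown EI_CLASS or EI_DATA")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"          # PPC images are big-endian
    if is64:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        min_size, flags_at = 56, 4               # Elf64_Phdr: p_flags follows p_type
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        min_size, flags_at = 32, 24              # Elf32_Phdr: p_flags is the 7th word
    if phnum and phentsize < min_size:
        raise ValueError("bad e_phentsize")
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + phentsize > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_at)
            return "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E"))
                           if p_flags & bit)
    return None


def classify(data):
    """'missing' = no header (the case the reply asks about),
    'exec-stack' = header present and requests an executable stack, else 'ok'."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"
    return "exec-stack" if "E" in flags else "ok"


def build_elf32_be(phdrs):
    """Constructed sample: ELF32 big-endian header (e_machine 20, PowerPC)
    followed by one program header per (p_type, p_flags) pair."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    ehdr = struct.pack(">HHIIIIIHHHHHH", 2, 20, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(">8I", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return ident + ehdr + body


if __name__ == "__main__":
    for path in sys.argv[1:]:                    # e.g. /sbin/init /bin/bash /bin/mount
        try:
            with open(path, "rb") as fh:
                print(path, classify(fh.read()))
        except ValueError as err:                # scripts and other non-ELF files
            print(path, "skipped:", err)
    if not sys.argv[1:]:                         # no paths given: run the constructed samples
        for name, phdrs in (("stack RW", [(PT_LOAD, 5), (PT_GNU_STACK, 6)]),
                            ("stack RWE", [(PT_LOAD, 5), (PT_GNU_STACK, 7)]),
                            ("no header", [(PT_LOAD, 5)])):
            print(name, classify(build_elf32_be(phdrs)))
```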
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-21 16:00 ` Petre Rodan
@ 2006-05-21 16:46 ` Jan Meier
2006-05-21 18:31 ` Petre Rodan
0 siblings, 1 reply; 15+ messages in thread
From: Jan Meier @ 2006-05-21 16:46 UTC
To: gentoo-hardened
Petre Rodan wrote:
> your binaries might lack the GNU_STACK header, i.e. they were built with an old toolchain.
> use readelf --headers to find out if it's the case.
Executing: readelf -headers /bin/mount | grep GNU_STACK shows
"GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4"
> you might want to upgrade to the latest stable gcc and recompile all binaries with that header missing.
My gcc is version 3.4.5
>>When I execute `setenforce 1` I get a "Killed" after each command I execute,
>>does this have something to do with the denied messages?
> you should enforce only when your policy is ok for your purposes.
I am new to SELinux and currently reading the O'Reilly SELinux book to
gather more information :)
Any suggestions to my problem?
Regards Jan
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-21 16:46 ` Jan Meier
@ 2006-05-21 18:31 ` Petre Rodan
2006-05-21 20:40 ` Jan Meier
0 siblings, 1 reply; 15+ messages in thread
From: Petre Rodan @ 2006-05-21 18:31 UTC
To: gentoo-hardened
On Sun, May 21, 2006 at 07:46:01PM +0200, Jan Meier wrote:
> Petre Rodan wrote:
> >your binaries might lack the GNU_STACK header, i.e. they were built with an old
> >toolchain.
> >use readelf --headers to find out if it's the case.
> Executing: readelf -headers /bin/mount | grep GNU_STACK shows "GNU_STACK 0x000000
> 0x00000000 0x00000000 0x00000 0x00000 RW 0x4"
how about /sbin/runscript, /sbin/init, /bin/bash?
> >you might want to upgrade to the latest stable gcc and recompile all binaries with
> >that header missing.
> My gcc is version 3.4.5
I presume that 'gcc-config -l' also shows that you're actually using it?
cheers,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-21 18:31 ` Petre Rodan
@ 2006-05-21 20:40 ` Jan Meier
2006-05-22 6:04 ` Petre Rodan
0 siblings, 1 reply; 15+ messages in thread
From: Jan Meier @ 2006-05-21 20:40 UTC
To: gentoo-hardened
On Sunday, 21 May 2006 at 20:31, Petre Rodan wrote:
> On Sun, May 21, 2006 at 07:46:01PM +0200, Jan Meier wrote:
> > Petre Rodan wrote:
> > >your binaries might lack the GNU_STACK header, i.e. they were built with
> > > an old toolchain.
> > >use readelf --headers to find out if it's the case.
> >
> > Executing: readelf -headers /bin/mount | grep GNU_STACK shows "GNU_STACK
> > 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4"
>
> how about /sbin/runscript, /sbin/init, /bin/bash?
Same result, GNU_STACK is in the header.
> > >you might want to upgrade to the latest stable gcc and recompile all
> > > binaries with that header missing.
> >
> > My gcc is version 3.4.5
>
> I presume that 'gcc-config -l' also shows that you're actually using it?
gcc-config shows that I am using 3.4.5 :)
regards
Jan
> cheers,
> peter
--
GPG-Key-ID: BC3D36E0
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-21 20:40 ` Jan Meier
@ 2006-05-22 6:04 ` Petre Rodan
2006-05-22 8:59 ` pageexec
2006-05-22 17:32 ` Jan Meier
0 siblings, 2 replies; 15+ messages in thread
From: Petre Rodan @ 2006-05-22 6:04 UTC
To: gentoo-hardened
Hi,
On Sun, May 21, 2006 at 11:40:15PM +0200, Jan Meier wrote:
> On Sunday, 21 May 2006 at 20:31, Petre Rodan wrote:
> > On Sun, May 21, 2006 at 07:46:01PM +0200, Jan Meier wrote:
> > > Petre Rodan wrote:
> > > >your binaries might lack the GNU_STACK header, i.e. they were built with
> > > > an old toolchain.
> > > >use readelf --headers to find out if it's the case.
> > >
> > > Executing: readelf -headers /bin/mount | grep GNU_STACK shows "GNU_STACK
> > > 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4"
> >
> > how about /sbin/runscript, /sbin/init, /bin/bash?
> Same result, GNU_STACK is in the header.
strange. please file a bug report and make sure you include emerge --info in it.
do you have a new gentoo setup there or did you migrate an old install?
> > > >you might want to upgrade to the latest stable gcc and recompile all
> > > > binaries with that header missing.
> > >
> > > My gcc is version 3.4.5
> >
> > I presume that 'gcc-config -l' also shows that you're actually using it?
> gcc-config shows that I am using 3.4.5 :)
just checking :)
cheers,
peter
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 6:04 ` Petre Rodan
@ 2006-05-22 8:59 ` pageexec
2006-05-22 9:30 ` Petre Rodan
2006-05-22 14:43 ` Chris PeBenito
2006-05-22 17:32 ` Jan Meier
1 sibling, 2 replies; 15+ messages in thread
From: pageexec @ 2006-05-22 8:59 UTC
To: gentoo-hardened
On 22 May 2006 at 9:04, Petre Rodan wrote:
> > > how about /sbin/runscript, /sbin/init, /bin/bash?
> > Same result, GNU_STACK is in the header.
>
> strange. please file a bug report and make sure you include emerge --info in it.
aren't execmem denials due to text relocations? i'd run a scanelf -t on
all affected executables and libraries just in case...
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 8:59 ` pageexec
@ 2006-05-22 9:30 ` Petre Rodan
2006-05-22 14:43 ` Chris PeBenito
1 sibling, 0 replies; 15+ messages in thread
From: Petre Rodan @ 2006-05-22 9:30 UTC
To: gentoo-hardened
Hi,
On Mon, May 22, 2006 at 11:59:59AM +0200, pageexec@freemail.hu wrote:
> On 22 May 2006 at 9:04, Petre Rodan wrote:
> > > > how about /sbin/runscript, /sbin/init, /bin/bash?
> > > Same result, GNU_STACK is in the header.
> >
> > strange. please file a bug report and make sure you include emerge --info in it.
>
> aren't execmem denials due to text relocations? i'd run a scanelf -t on
> all affected executables and libraries just in case...
I hit the GNU_STACK problem about a year ago and recompiling old binaries helped. oh well. [1][2]
[1] http://www.nsa.gov/selinux/list-archive/0502/10386.cfm
[2] http://www.nsa.gov/selinux/list-archive/0502/10553.cfm
cheers,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 8:59 ` pageexec
2006-05-22 9:30 ` Petre Rodan
@ 2006-05-22 14:43 ` Chris PeBenito
1 sibling, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2006-05-22 14:43 UTC
To: gentoo-hardened
On Mon, 2006-05-22 at 10:59 +0200, pageexec@freemail.hu wrote:
> On 22 May 2006 at 9:04, Petre Rodan wrote:
> > > > how about /sbin/runscript, /sbin/init, /bin/bash?
> > > Same result, GNU_STACK is in the header.
> >
> > strange. please file a bug report and make sure you include emerge --info in it.
>
> aren't execmem denials due to text relocations? i'd run a scanelf -t on
> all affected executables and libraries just in case...
No, that would be execmod.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 6:04 ` Petre Rodan
2006-05-22 8:59 ` pageexec
@ 2006-05-22 17:32 ` Jan Meier
2006-05-22 19:43 ` pageexec
2006-05-23 17:08 ` Jan Meier
1 sibling, 2 replies; 15+ messages in thread
From: Jan Meier @ 2006-05-22 17:32 UTC
To: gentoo-hardened
Hi,
> do you have a new gentoo setup there or did you migrate an old install?
The gentoo installation is two months old, I migrated to SELinux.
It is a PPC, could this be a problem?
Currently I am running emerge -euDN world, to know that it is not a problem
with my installation, I will report if it is finished. (38/192)
Regards
Jan
--
GPG-Key-ID: BC3D36E0
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 17:32 ` Jan Meier
@ 2006-05-22 19:43 ` pageexec
2006-05-22 22:40 ` Ned Ludd
2006-05-27 22:11 ` Peter S. Mazinger
2006-05-23 17:08 ` Jan Meier
1 sibling, 2 replies; 15+ messages in thread
From: pageexec @ 2006-05-22 19:43 UTC
To: gentoo-hardened
On 22 May 2006 at 19:32, Jan Meier wrote:
> > do you have a new gentoo setup there or did you migrate an old install?
> The gentoo installation is two months old, I migrated to SELinux.
> It is a PPC, could this be a problem?
i'm wondering if it's the ppc .plt issue that PaX runs against as well
(it's rwx and runtime generated -> not good). a year ago or so Red Hat
people added secureplt support to binutils/ld, (hardened) gentoo should
probably take a look.
http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01134.html
http://sources.redhat.com/ml/binutils/2005-05/msg00391.html
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 19:43 ` pageexec
@ 2006-05-22 22:40 ` Ned Ludd
2006-05-27 22:11 ` Peter S. Mazinger
1 sibling, 0 replies; 15+ messages in thread
From: Ned Ludd @ 2006-05-22 22:40 UTC
To: gentoo-hardened
On Mon, 2006-05-22 at 21:43 +0200, pageexec@freemail.hu wrote:
> On 22 May 2006 at 19:32, Jan Meier wrote:
> > > do you have a new gentoo setup there or did you migrate an old install?
> > The gentoo installation is two months old, I migrated to SELinux.
> > It is a PPC, could this be a problem?
>
> i'm wondering if it's the ppc .plt issue that PaX runs against as well
> (it's rwx and runtime generated -> not good). a year ago or so Red Hat
> people added secureplt support to binutils/ld, (hardened) gentoo should
> probably take a look.
>
> http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01134.html
> http://sources.redhat.com/ml/binutils/2005-05/msg00391.html
Last we spoke about this I thought you said it was reverted.
Btw. I'm running a ppc box with pretty great success with most of the
supported PaX features enabled. (only bugs thus far have been with SPP
and a few pkgs (glibc/busybox/gcc) but I'm sure that won't shock you :)
Linux luna 2.6.14-hardened #1 Tue Nov 15 21:55:38 UTC 2005 ppc
7447/7457, altivec supported GNU/Linux
128bb000-128c1000 r-xp 00000000 03:03 1703959 /bin/cat
128cb000-128cc000 r--p 00010000 03:03 1703959 /bin/cat
128cc000-128cd000 rw-p 00011000 03:03 1703959 /bin/cat
128cd000-128fb000 rw-p 128cd000 00:00 0 [heap]
32cc6000-32cde000 r-xp 00000000 03:03 205825 /lib/ld-2.3.5.so
32cde000-32cdf000 rw-p 32cde000 00:00 0
32ce6000-32ce7000 r--p 00020000 03:03 205825 /lib/ld-2.3.5.so
32ce7000-32ce8000 rw-p 00021000 03:03 205825 /lib/ld-2.3.5.so
32ce8000-32ce9000 rw-p 32ce8000 00:00 0
32cea000-32cee000 r-xp 00000000 03:03 205787 /lib/libaudit.so
32cee000-32cfa000 ---p 00004000 03:03 205787 /lib/libaudit.so
32cfa000-32cfb000 r--p 00010000 03:03 205787 /lib/libaudit.so
32cfb000-32cfc000 rw-p 00011000 03:03 205787 /lib/libaudit.so
32d06000-32e29000 r-xp 00000000 03:03 205828 /lib/libc-2.3.5.so
32e29000-32e36000 ---p 00123000 03:03 205828 /lib/libc-2.3.5.so
32e36000-32e38000 r--p 00130000 03:03 205828 /lib/libc-2.3.5.so
32e38000-32e3c000 rw-p 00132000 03:03 205828 /lib/libc-2.3.5.so
32e3c000-32e3e000 rw-p 32e3c000 00:00 0
32e3e000-32e40000 r-xp 00000000 03:03 205830 /lib/libdl-2.3.5.so
32e40000-32e4e000 ---p 00002000 03:03 205830 /lib/libdl-2.3.5.so
32e4e000-32e4f000 r--p 00010000 03:03 205830 /lib/libdl-2.3.5.so
32e4f000-32e50000 rw-p 00011000 03:03 205830 /lib/libdl-2.3.5.so
7904f000-79065000 rw-p 7904f000 00:00 0 [stack]
--
Ned Ludd <solar@gentoo.org>
Gentoo Linux
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 17:32 ` Jan Meier
2006-05-22 19:43 ` pageexec
@ 2006-05-23 17:08 ` Jan Meier
1 sibling, 0 replies; 15+ messages in thread
From: Jan Meier @ 2006-05-23 17:08 UTC
To: gentoo-hardened
Hi,
> Currently I am running emerge -euDN world, to know that it is not a problem
> with my installation, I will report if it is finished. (38/192)
The emerge -euDN did not help to get rid of the messages, I filed a bug
report: http://bugs.gentoo.org/show_bug.cgi?id=134129
Regards
Jan
--
GPG-Key-ID: BC3D36E0
* Re: [gentoo-hardened] SELinux problem -> avc: denied {execmem}
2006-05-22 19:43 ` pageexec
2006-05-22 22:40 ` Ned Ludd
@ 2006-05-27 22:11 ` Peter S. Mazinger
1 sibling, 0 replies; 15+ messages in thread
From: Peter S. Mazinger @ 2006-05-27 22:11 UTC
To: gentoo-hardened
On Mon, 22 May 2006 pageexec@freemail.hu wrote:
> On 22 May 2006 at 19:32, Jan Meier wrote:
> > > do you have a new gentoo setup there or did you migrate an old install?
> > The gentoo installation is two months old, I migrated to SELinux.
> > It is a PPC, could this be a problem?
>
> i'm wondering if it's the ppc .plt issue that PaX runs against as well
> (it's rwx and runtime generated -> not good). a year ago or so Red Hat
> people added secureplt support to binutils/ld, (hardened) gentoo should
> probably take a look.
that patch is never applied to redhat fedora builds
Peter
>
> http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01134.html
> http://sources.redhat.com/ml/binutils/2005-05/msg00391.html
>
>
--
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2