zkab
22nd November 2010, 09:15 PM
I have Fedora 14 (2.6.35.6-48.fc14.x86_64) and when starting Bibble5 (http://bibblelabs.com/products/bibble5) I receive following from SELinux:
Summary:
SELinux is preventing /lib/ld-2.12.90.so from making the program stack
executable.
Detailed Description:
The ld-linux.so.2 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. If ld-linux.so.2 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
ld-linux.so.2 to run correctly, you can change the context of the executable to
execmem_exec_t. "chcon -t execmem_exec_t '/lib/ld-2.12.90.so'" You must also
change the default file context files on the system in order to preserve them
even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/lib/ld-2.12.90.so'"
Fix Command:
chcon -t execmem_exec_t '/lib/ld-2.12.90.so'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects None [ process ]
Source ld-linux.so.2
Source Path /lib/ld-2.12.90.so
Port <Unknown>
Host zkab
Source RPM Packages glibc-2.12.90-19
Target RPM Packages
Policy RPM selinux-policy-3.9.7-12.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name zkab
Platform Linux zkab 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct
22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Mon 22 Nov 2010 10:08:01 PM CET
Last Seen Mon 22 Nov 2010 10:08:01 PM CET
Local ID b9f90403-a74b-4643-9c44-c29ece08767f
Line Numbers
Raw Audit Messages
node=zkab type=AVC msg=audit(1290460081.108:129): avc: denied { execstack } for pid=16948 comm="ld-linux.so.2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=zkab type=SYSCALL msg=audit(1290460081.108:129): arch=40000003 syscall=125 success=no exit=-13 a0=ffbf2000 a1=1000 a2=1000007 a3=ffbf2394 items=0 ppid=16947 pid=16948 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="ld-linux.so.2" exe="/lib/ld-2.12.90.so" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Howto avoid this ?
Summary:
SELinux is preventing /lib/ld-2.12.90.so from making the program stack
executable.
Detailed Description:
The ld-linux.so.2 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. If ld-linux.so.2 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust
ld-linux.so.2 to run correctly, you can change the context of the executable to
execmem_exec_t. "chcon -t execmem_exec_t '/lib/ld-2.12.90.so'" You must also
change the default file context files on the system in order to preserve them
even on a full relabel. "semanage fcontext -a -t execmem_exec_t
'/lib/ld-2.12.90.so'"
Fix Command:
chcon -t execmem_exec_t '/lib/ld-2.12.90.so'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects None [ process ]
Source ld-linux.so.2
Source Path /lib/ld-2.12.90.so
Port <Unknown>
Host zkab
Source RPM Packages glibc-2.12.90-19
Target RPM Packages
Policy RPM selinux-policy-3.9.7-12.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name zkab
Platform Linux zkab 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct
22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Mon 22 Nov 2010 10:08:01 PM CET
Last Seen Mon 22 Nov 2010 10:08:01 PM CET
Local ID b9f90403-a74b-4643-9c44-c29ece08767f
Line Numbers
Raw Audit Messages
node=zkab type=AVC msg=audit(1290460081.108:129): avc: denied { execstack } for pid=16948 comm="ld-linux.so.2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=zkab type=SYSCALL msg=audit(1290460081.108:129): arch=40000003 syscall=125 success=no exit=-13 a0=ffbf2000 a1=1000 a2=1000007 a3=ffbf2394 items=0 ppid=16947 pid=16948 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="ld-linux.so.2" exe="/lib/ld-2.12.90.so" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Howto avoid this ?
