ldd fails for executables requiring execstack/execmem!? ld-linux.so.2 misbehaves?

I'm running the latest Rawhide, selinux-policy-3.0.1-4.fc8 targeted/enforcing.

The 'ldd' command (/usr/bin/ldd) fails for me when I target it at
executables requiring execstack or execmem.

For example, here is what happens when I try 'ldd' against /usr/bin/skype:

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# ldd /usr/bin/skype
       not a dynamic executable
[root@localhost ~]# setenforce 0
[root@localhost ~]# ldd /usr/bin/skype
       linux-gate.so.1 =>  (0x00110000)
       libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
       librt.so.1 => /lib/librt.so.1 (0x469c3000)
<<<<<<SNIP>>>>>
       libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x4625c000)
       libcap.so.1 => /lib/libcap.so.1 (0x46b1d000)
       libexpat.so.0 => /lib/libexpat.so.0 (0x46348000)
[root@localhost ~]#

Here is a typical AVC generated by the above:

type=AVC msg=audit(1183407589.500:113): avc:  denied  { execmem } for
pid=11095 comm="ld-linux.so.2"
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1183407589.500:113): arch=40000003 syscall=192
success=no exit=-13 a0=8048000 a1=aa8000 a2=7 a3=812 items=0
ppid=11094 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2"
exe="/lib/ld-2.6.so" subj=system_u:system_r:unconfined_t:s0 key=(null)

Interestingly, setting 'allow_execstack' to one via 'setsebool
allow_execstack=1' eliminates the AVC and makes the 'ldd' command
succeed:

[root@localhost ~]# setsebool allow_execstack=1
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# ldd /usr/bin/skype
       linux-gate.so.1 =>  (0x00110000)
       libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
       librt.so.1 => /lib/librt.so.1 (0x469c3000)
<<<<<SNIP>>>>


Of course, this happens with other files as well (e.g., vmware, ....).

The problem appears to hit ld-linux.so.2 badly.... Preloading
libraries that require execstack/execmem (and text relocation?)
generates AVCs and fails.

This causes particular problems with the scripts that start vmware.

'setroubleshoot' suggests setting /lib/ld-linux.so.2 to
'unconfined_execmem_exec_t', but that seems just wrong.

Can someone shed some light on what is happening here?  Path to enlightenment?

thanks,
  tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
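
An added example, not part of the original message: decoding the SYSCALL record that accompanies the AVC shows which memory mapping ld-linux.so.2 was refused. The function names are hypothetical, the record is the one quoted above rejoined onto one line, and the execmem condition is a simplified restatement of the SELinux mmap check.

```python
import re

# Constructed sample: the SYSCALL record from the post, rejoined onto one line
# (uid/gid fields trimmed for brevity).
RECORD = ('type=SYSCALL msg=audit(1183407589.500:113): arch=40000003 '
          'syscall=192 success=no exit=-13 a0=8048000 a1=aa8000 a2=7 a3=812 '
          'items=0 comm="ld-linux.so.2" exe="/lib/ld-2.6.so"')

I386, MMAP2 = 0x40000003, 192  # AUDIT_ARCH_I386; mmap2 in the i386 syscall table
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x800: "MAP_DENYWRITE"}


def fields(record):
    """Split an audit record into key=value pairs, dropping quotes."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {k: v.strip('"') for k, v in pairs}


def names(value, table):
    """Name the known bits in value; report unknown bits as hex."""
    known = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    return known + ([hex(rest)] if rest else [])


def decode_mmap2(record):
    """Decode an i386 mmap2 audit record (a0..a3 are logged in hex)."""
    f = fields(record)
    if int(f["arch"], 16) != I386 or int(f["syscall"]) != MMAP2:
        raise ValueError("not an i386 mmap2 record")
    addr, length, prot, flags = (int(f[k], 16) for k in ("a0", "a1", "a2", "a3"))
    anon, shared = bool(flags & 0x20), bool(flags & 0x01)
    # Simplified: execmem is checked for an executable mapping that is
    # anonymous, or private and also writable.
    execmem = bool(prot & 0x4) and (anon or (not shared and bool(prot & 0x2)))
    return {"addr": addr, "length": length, "prot": names(prot, PROT),
            "flags": names(flags, MAP), "exit": int(f["exit"]),
            "needs_execmem": execmem}


if __name__ == "__main__":
    for key, val in decode_mmap2(RECORD).items():
        print(key, hex(val) if key in ("addr", "length") else val)
```

For the record above this reports a private, fixed, file-backed mapping at 0x8048000 requested with PROT_READ, PROT_WRITE and PROT_EXEC together, which is the combination execmem guards; exit -13 is EACCES.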
