Dear all,
I'm on Fedora release 37 and have two files with execstack flag set:
$ readelf -a ./testx | grep -A1 STACK
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
$ readelf -a ./libtestx.so | grep -A1 STACK
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
Protection is enabled:
# getsebool selinuxuser_execstack
selinuxuser_execstack --> off
Library is not loadable:
$ enable -f ./libtestx.so x
-bash: enable: cannot open shared object ./libtestx.so: ./libtestx.so:
cannot enable executable stack as shared object requires: Permission
denied
type=AVC msg=audit(01/23/2024 15:44:26.837:637) : avc: denied {
execstack } for pid=1685 comm=bash
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process permissive=0
But the executable runs without restriction:
$ ./testx
This executable should be rejected as execstack
Is it wrong behaviour?
I think that the needed LSM hook is not called from all the needed
places in the kernel.
I wrote a mail about this here:
https://www.spinics.net/lists/linux-security-module/msg56376.html
Usually kernel people pay attention to problems that really affect
users. So if someone could confirm the problem - it would help to fix
it.
Thank you for the attention.
Kind regards,
Dmitry Mastykin
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
