On 04/16/2010 08:36 AM, Stephen Smalley wrote:
> On Thu, 2010-04-15 at 15:25 -0700, David Miller wrote:
>> From: Stephen Smalley <sds@xxxxxxxxxxxxx>
>> Date: Thu, 15 Apr 2010 08:43:05 -0400
>>
>>> Your eu-readelf output showed why SELinux is checking execmem - the data
>>> segment has flags RWE and thus a private file mapping is being created
>>> with PROT_WRITE and PROT_EXEC. That's a problem with the compiler
>>> toolchain - report it to them please. This was a problem with ppc32
>>> binaries before secure-plt was introduced.
>>
>> I don't really intend to implement secure-plt any time soon on sparc
>> because there simply is no way to do it efficiently.
>>
>> And when you talk about "toolchain issues" that all goes my way
>> anyways, so just direct such queries to me directly since I handle
>> both the kernel and toolchain bits entirely myself these days.
>>
>> So you'll always have to deal with the PLT section on sparc having
>> write and execute permission.
>
> Ok. Can someone with sparc hardware try the patch I posted to see if it
> suffices?

Apologies for the delay. Your patch does not suffice.
With your patch applied, this is the result:

dracut: Mounted root filesystem /dev/mapper/vg_apollo-lv_root
dracut: Loading SELinux policy
type=1404 audit(1272381939.416:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1403 audit(1272381940.696:3): policy loaded auid=4294967295 ses=4294967295
dracut: Switching root
type=1400 audit(1272381942.195:4): avc: denied { execmem } for pid=1055 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381942.245:5): avc: denied { execmem } for pid=1059 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381942.315:6): avc: denied { execmem } for pid=1060 comm="hostname" scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=process
type=1400 audit(1272381942.356:7): avc: denied { execmem } for pid=1050 comm="readahead-colle" scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:readahead_t:s0 tclass=process
type=1400 audit(1272381942.376:8): avc: denied { execmem } for pid=1063 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=1400 audit(1272381942.385:9): avc: denied { execmem } for pid=1065 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381942.396:10): avc: denied { execmem } for pid=1068 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381942.466:11): avc: denied { execmem } for pid=1077 comm="restorecon" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process
udev: starting version 145
e1000e: Intel(R) PRO/1000 Network Driver - 1.0.2-k2
e1000e: Copyright (c) 1999-2008 Intel Corporation.
0000:08:00.0: eth0: (PCI Express:2.5GB/s:Width x4) 00:14:4f:d4:8a:5a
0000:08:00.0: eth0: Intel(R) PRO/1000 Network Connection
0000:08:00.0: eth0: MAC: 0, PHY: 4, PBA No: ffffff-0ff
0000:08:00.1: eth1: (PCI Express:2.5GB/s:Width x4) 00:14:4f:d4:8a:5b
0000:08:00.1: eth1: Intel(R) PRO/1000 Network Connection
0000:08:00.1: eth1: MAC: 0, PHY: 4, PBA No: ffffff-0ff
0000:09:00.0: eth2: (PCI Express:2.5GB/s:Width x4) 00:14:4f:d4:8a:5c
0000:09:00.0: eth2: Intel(R) PRO/1000 Network Connection
0000:09:00.0: eth2: MAC: 0, PHY: 4, PBA No: ffffff-0ff
0000:09:00.1: eth3: (PCI Express:2.5GB/s:Width x4) 00:14:4f:d4:8a:5d
0000:09:00.1: eth3: Intel(R) PRO/1000 Network Connection
0000:09:00.1: eth3: MAC: 0, PHY: 4, PBA No: ffffff-0ff
__ratelimit: 24 callbacks suppressed
type=1400 audit(1272381946.637:20): avc: denied { execmem } for pid=1332 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=1400 audit(1272381946.637:21): avc: denied { execmem } for pid=1333 comm="restorecon" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process
type=1400 audit(1272381946.654:22): avc: denied { execmem } for pid=1334 comm="plymouth" scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:system_r:plymouth_t:s0 tclass=process
type=1400 audit(1272381946.687:23): avc: denied { execmem } for pid=1337 comm="hostname" scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:system_r:hostname_t:s0 tclass=process
device-mapper: multipath: version 1.1.0 loaded
type=1400 audit(1272381947.536:24): avc: denied { execmem } for pid=1485 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=1400 audit(1272381947.546:25): avc: denied { execmem } for pid=1487 comm="restorecon" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process
type=1400 audit(1272381947.556:26): avc: denied { execmem } for pid=1490 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=1400 audit(1272381947.566:27): avc: denied { execmem } for pid=1491 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=1400 audit(1272381947.566:28): avc: denied { execmem } for pid=1492 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=1400 audit(1272381947.576:29): avc: denied { execmem } for pid=1493 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
Adding 35241968k swap on /dev/mapper/vg_apollo-lv_swap.  Priority:-1 extents:1 across:35241968k
__ratelimit: 123 callbacks suppressed
type=1400 audit(1272381951.656:71): avc: denied { execmem } for pid=1755 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381951.726:72): avc: denied { execmem } for pid=1761 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
type=1400 audit(1272381952.934:73): avc: denied { execmem } for pid=1841 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=1400 audit(1272381952.996:74): avc: denied { execmem } for pid=1850 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381953.146:75): avc: denied { execmem } for pid=1857 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381953.246:76): avc: denied { execmem } for pid=1861 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1272381953.286:77): avc: denied { execmem } for pid=1868 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=process
type=1400 audit(1272381953.456:78): avc: denied { execmem } for pid=1877 comm="sendmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=process
type=1400 audit(1272381953.464:79): avc: denied { execmem } for pid=1878 comm="plymouth" scontext=system_u:system_r:plymouth_t:s0 tcontext=system_u:system_r:plymouth_t:s0 tclass=process
type=1400 audit(1272381953.506:80): avc: denied { execmem } for pid=1882 comm="restorecon" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process
__ratelimit: 21 callbacks suppressed
type=1400 audit(1272381957.135:88): avc: denied { execmem } for pid=1940 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.135:90): avc: denied { execmem } for pid=1941 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.135:91): avc: denied { execmem } for pid=1938 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.135:92): avc: denied { execmem } for pid=1943 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.135:89): avc: denied { execmem } for pid=1939 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.135:93): avc: denied { execmem } for pid=1942 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
init: tty4 main process (1938) terminated with status 127
init: tty4 main process ended, respawning
init: tty5 main process (1939) terminated with status 127
init: tty5 main process ended, respawning
init: tty2 main process (1940) terminated with status 127
init: tty2 main process ended, respawning
init: tty3 main process (1941) terminated with status 127
init: tty3 main process ended, respawning
init: tty1 main process (1942) terminated with status 127
init: tty1 main process ended, respawning
init: tty6 main process (1943) terminated with status 127
init: tty6 main process ended, respawning
type=1400 audit(1272381957.145:94): avc: denied { execmem } for pid=1944 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.145:95): avc: denied { execmem } for pid=1945 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.145:96): avc: denied { execmem } for pid=1946 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1400 audit(1272381957.145:97): avc: denied { execmem } for pid=1947 comm="mingetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process

Init trails off and the system never goes anywhere.

~spot

--
To unsubscribe from this list: send the line "unsubscribe sparclinux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
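Editor's added example, not code from this thread or from the kernel, toolchain or SELinux projects. Stephen Smalley's diagnosis above is that the execmem check fires because a PT_LOAD segment carries flags RWE, so the loader creates a private file mapping with PROT_WRITE|PROT_EXEC. The check a practitioner wants before touching policy is therefore on the binary itself: walk the ELF program headers and flag any PT_LOAD segment with both PF_W and PF_X, honouring the image's own byte order since sparc64 binaries are big-endian. The program below does that. The function names (count_wx_load_segments, build_sample_elf, demo_wx_count) are mine, and the ELF image it checks is constructed in memory for the demo with a made-up three-segment layout (R+X text, R+W+X data, R+W PT_GNU_STACK); it is not derived from any real sparc binary in the thread. To check a file on disk, read the whole file into a buffer and pass that to count_wx_load_segments instead.

```c
/* Added example (editor's, not from the thread): find PT_LOAD segments
 * flagged PF_W|PF_X in an ELF64 image. Such a segment is mapped
 * PROT_WRITE|PROT_EXEC, which is what makes SELinux check execmem. */
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-order-aware field accessors. The image's e_ident[EI_DATA] decides
 * the order, so a big-endian sparc64 image checks correctly on x86. */
static uint64_t rdn(const uint8_t *p, int n, int be)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | p[be ? i : n - 1 - i];
    return v;
}
static void wrn(uint8_t *p, uint64_t v, int n, int be)
{
    for (int i = 0; i < n; i++) p[be ? n - 1 - i : i] = (uint8_t)(v >> (8 * i));
}

/* Build a constructed ELF64 image (demo data, no code in it) with three
 * program headers: R+X text, R+W+X data like the RWE segment the thread's
 * eu-readelf output showed, and an R+W PT_GNU_STACK. Returns the image
 * length, or 0 if the buffer is too small. */
size_t build_sample_elf(uint8_t *out, size_t cap, int be)
{
    const size_t ehsz = sizeof(Elf64_Ehdr), phsz = sizeof(Elf64_Phdr);
    const struct { uint32_t type, flags; } segs[] = {
        { PT_LOAD, PF_R | PF_X },
        { PT_LOAD, PF_R | PF_W | PF_X },   /* the problematic data segment */
        { PT_GNU_STACK, PF_R | PF_W },
    };
    const size_t nseg = sizeof segs / sizeof segs[0];
    size_t total = ehsz + nseg * phsz;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, ELFMAG, SELFMAG);
    out[EI_CLASS] = ELFCLASS64;
    out[EI_DATA] = be ? ELFDATA2MSB : ELFDATA2LSB;
    out[EI_VERSION] = EV_CURRENT;
    wrn(out + offsetof(Elf64_Ehdr, e_type), ET_EXEC, 2, be);
    wrn(out + offsetof(Elf64_Ehdr, e_machine), be ? EM_SPARCV9 : EM_X86_64, 2, be);
    wrn(out + offsetof(Elf64_Ehdr, e_version), EV_CURRENT, 4, be);
    wrn(out + offsetof(Elf64_Ehdr, e_phoff), ehsz, 8, be);
    wrn(out + offsetof(Elf64_Ehdr, e_ehsize), ehsz, 2, be);
    wrn(out + offsetof(Elf64_Ehdr, e_phentsize), phsz, 2, be);
    wrn(out + offsetof(Elf64_Ehdr, e_phnum), nseg, 2, be);
    for (size_t i = 0; i < nseg; i++) {
        uint8_t *ph = out + ehsz + i * phsz;
        wrn(ph + offsetof(Elf64_Phdr, p_type), segs[i].type, 4, be);
        wrn(ph + offsetof(Elf64_Phdr, p_flags), segs[i].flags, 4, be);
        wrn(ph + offsetof(Elf64_Phdr, p_align), 0x10000, 8, be);
    }
    return total;
}

/* Return the number of PT_LOAD segments with both PF_W and PF_X set, or
 * -1 if the buffer is not a sane ELF64 image. Every program-header read
 * is bounds-checked first so a truncated or hostile file cannot drive
 * reads past the buffer. */
int count_wx_load_segments(const uint8_t *buf, size_t len)
{
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64)
        return -1;
    int be;
    if (buf[EI_DATA] == ELFDATA2MSB) be = 1;
    else if (buf[EI_DATA] == ELFDATA2LSB) be = 0;
    else return -1;

    uint64_t phoff = rdn(buf + offsetof(Elf64_Ehdr, e_phoff), 8, be);
    uint64_t phentsize = rdn(buf + offsetof(Elf64_Ehdr, e_phentsize), 2, be);
    uint64_t phnum = rdn(buf + offsetof(Elf64_Ehdr, e_phnum), 2, be);
    if (phentsize < sizeof(Elf64_Phdr) || phoff > len ||
        phnum * phentsize > len - phoff)
        return -1;

    int wx = 0;
    for (uint64_t i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + i * phentsize;
        uint32_t type = (uint32_t)rdn(ph + offsetof(Elf64_Phdr, p_type), 4, be);
        uint32_t flags = (uint32_t)rdn(ph + offsetof(Elf64_Phdr, p_flags), 4, be);
        if (type == PT_LOAD && (flags & (PF_W | PF_X)) == (PF_W | PF_X))
            wx++;   /* this segment will be mapped PROT_WRITE|PROT_EXEC */
    }
    return wx;
}

/* Demo: build the sample image in the given byte order and count its W+X
 * PT_LOAD segments. Both orders yield 1, the RWE data segment. */
int demo_wx_count(int be)
{
    uint8_t img[256];
    size_t n = build_sample_elf(img, sizeof img, be);
    return n ? count_wx_load_segments(img, n) : -1;
}

int main(void)
{
    printf("big-endian (sparc64-style) image: %d W+X PT_LOAD segment(s)\n", demo_wx_count(1));
    printf("little-endian image:              %d W+X PT_LOAD segment(s)\n", demo_wx_count(0));
    return 0;
}
```

A count above zero means the mapping itself is W+X and the execmem denial is a correct report from the policy, which is why the fix belongs in the link step (or, as David Miller says above for sparc, cannot come from the toolchain at all), not in an allow rule.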