Re: [PATCH] Disable execmem for sparc

On Tue, 2010-04-27 at 11:34 -0400, Tom "spot" Callaway wrote:
> On 04/16/2010 08:36 AM, Stephen Smalley wrote:
> > On Thu, 2010-04-15 at 15:25 -0700, David Miller wrote:
> >> From: Stephen Smalley <sds@xxxxxxxxxxxxx>
> >> Date: Thu, 15 Apr 2010 08:43:05 -0400
> >>
> >>> Your eu-readelf output showed why SELinux is checking execmem - the data
> >>> segment has flags RWE and thus a private file mapping is being created
> >>> with PROT_WRITE and PROT_EXEC.  That's a problem with the compiler
> >>> toolchain - report it to them please.  This was a problem with ppc32
> >>> binaries before secure-plt was introduced.
> >>
> >> I don't really intend to implement secure-plt any time soon on sparc
> >> because there simply is no way to do it efficiently.
> >>
> >> And when you talk about "toolchain issues" that all goes my way
> >> anyways, so just direct such queries to me directly since I handle
> >> both the kernel and toolchain bits entirely myself these days.
> >>
> >> So you'll always have to deal with the PLT section on sparc having
> >> write and execute permission.
> > 
> > Ok.  Can someone with sparc hardware try the patch I posted to see if it
> > suffices?
> 
> Apologies for the delay. Your patch does not suffice.
> 
> With your patch applied, this is the result:
> 
> dracut: Mounted root filesystem /dev/mapper/vg_apollo-lv_root
> dracut: Loading SELinux policy
> type=1404 audit(1272381939.416:2): enforcing=1 old_enforcing=0
> auid=4294967295 ses=4294967295
> type=1403 audit(1272381940.696:3): policy loaded auid=4294967295
> ses=4294967295
> dracut: Switching root
> type=1400 audit(1272381942.195:4): avc:  denied  { execmem } for
> pid=1055 comm="consoletype" scontext=system_u:system_r:consoletype_t:s0
> tcontext=system_u:system_r:consoletype_t:s0 tclass=process
<snip>
> Init trails off and the system never goes anywhere.

Ok, thanks for trying.  Could you send a copy of /proc/pid/maps for one
of these processes that is triggering an execmem check?

-- 
Stephen Smalley
National Security Agency
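Added example, not code from this thread or from SELinux: a short Python scan of the /proc/pid/maps text requested above that reports every mapping which is both writable and executable (the condition under which SELinux applies the execmem check to a private mapping) and whether each is file-backed or anonymous. The sample maps content, paths and addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

@dataclass
class WxMapping:
    start: int
    end: int
    perms: str
    path: str   # empty for an anonymous mapping
    kind: str   # "file-backed" or "anonymous"

def find_wx_mappings(maps_text: str) -> List[WxMapping]:
    """Return every mapping that is writable and executable at once.

    A private W+X mapping is what makes SELinux apply the execmem check; a
    file-backed hit normally points at a PT_LOAD segment whose ELF flags
    are RWE, the toolchain issue discussed in the thread.
    """
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms")
        if "w" in perms and "x" in perms:
            kind = "anonymous" if m.group("inode") == "0" else "file-backed"
            hits.append(WxMapping(int(m.group("start"), 16), int(m.group("end"), 16),
                                  perms, m.group("path").strip(), kind))
    return hits

# Constructed sample (not a real capture): data segments of the binary and the
# dynamic loader were mapped rwxp; heap and stack are ordinary rw-p.
SAMPLE_MAPS = """\
00010000-00012000 r-xp 00000000 fd:00 131345 /sbin/consoletype
00020000-00022000 rwxp 00000000 fd:00 131345 /sbin/consoletype
f7f00000-f7f20000 r-xp 00000000 fd:00 98765  /lib/ld-2.11.so
f7f2e000-f7f30000 rwxp 0001e000 fd:00 98765  /lib/ld-2.11.so
f7fd0000-f7fe0000 rw-p 00000000 00:00 0      [heap]
ffbf0000-ffc10000 rw-p 00000000 00:00 0      [stack]
"""

if __name__ == "__main__":   # on a live box, pass open("/proc/<pid>/maps").read()
    for h in find_wx_mappings(SAMPLE_MAPS):
        print(f"{h.start:08x}-{h.end:08x} {h.perms} {h.kind:<11} {h.path}")
```

Each file-backed hit names the object whose program headers (eu-readelf -l) should show the RWE segment; an anonymous hit instead points at memory the process itself created writable and executable.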
