SELinux Mailing List

Re: Still getting random execute permissions on shared libraries.
From: petre rodan <kaiowas_at_gentoo.org>
Date: Fri, 26 Nov 2004 21:49:22 +0200
Hi Stephen,
Stephen Smalley wrote:
>> Trying to run java from within firefox is a disaster, Mozilla crashes.
>>
>> allow user_mozilla_t ld_so_cache_t:file execute;
>> allow user_mozilla_t lib_t:file execute; (Jar files)
>> allow user_mozilla_t user_tmp_t:file execute;
>> allow user_t ld_so_cache_t:file execute;
>> allow user_t locale_t:file execute;
>
>
> They aren't random. As discussed previously here and on
> fedora-selinux-list, execution of a legacy binary causes the
> read_implies_exec behavior to be enabled for the process, so that
> subsequent read requests are transparently mapped to read|execute. This
> was a change in the upstream kernel, not SELinux, and was to allow
> introduction of NX support without breaking compatibility with legacy
> binaries. SELinux is merely checking permissions based on the
> information supplied by the core kernel.
>
> Your options are:
> - get java rebuilt with a PT_GNU_STACK header so the kernel doesn't
> treat it as a legacy binary (assuming that it doesn't assume that read
> implies exec),
> - change policy to allow execute permission in these cases (although it
> would be preferable here to move java into its own domain in that case,
> so that you only have to allow it these permissions and not the entire
> user domain or mozilla domain).

I made a patch to the kernel that reverts to the old behaviour. No more execs on random files.
I find that changing the policy to allow those execs is not a valid solution.
Would it be feasible to send upstream a patch that would remove the 'exec on read' behaviour if the kernel has SELinux capabilities?
bye,
--
petre rodan <kaiowas@gentoo.org>
Developer, Hardened Gentoo Linux

Received on Fri 26 Nov 2004 - 14:27:42 EST
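The first option Stephen lists, rebuilding java so that it carries a PT_GNU_STACK program header, is something a defender can verify on a binary before touching policy: the shortcut is `readelf -l` and looking for a GNU_STACK entry. The script below is an added example and is not part of this thread, of the SELinux project or of the kernel. It parses ELF program headers directly (ELF32 and ELF64, either byte order) and reports whether a binary lacks PT_GNU_STACK, which is exactly the "legacy binary" case that turns on read_implies_exec and produces the file:execute denials quoted above. The names StackInfo, program_headers, classify, build_elf64 and build_elf32 are this example's own, and the sample images are constructed in memory rather than read from real binaries.

```python
"""Check ELF images for the PT_GNU_STACK program header.

A binary without PT_GNU_STACK is what the kernel treats as a "legacy"
binary: it enables read_implies_exec for the process, every read mapping
is then also checked for execute, and SELinux reports file:execute
denials on libraries, locale data, ld.so.cache and similar files.
Added example; all helper names are this example's own.
"""
import struct
import sys
from typing import Iterator, List, NamedTuple, Optional, Tuple

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # GNU extension to the ELF ABI
PF_X, PF_W, PF_R = 1, 2, 4


class StackInfo(NamedTuple):
    has_gnu_stack: bool            # False: no PT_GNU_STACK header at all
    exec_stack: Optional[bool]     # PF_X set on that header; None if absent
    legacy: bool                   # True: kernel enables read_implies_exec


def program_headers(data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (p_type, p_flags) for every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"            # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                             # ELFCLASS64
        phoff, phentsize, phnum = struct.unpack_from(end + "Q14xHH", data, 32)
        flags_off = 4                             # p_flags directly follows p_type
    elif ei_class == 1:                           # ELFCLASS32
        phoff, phentsize, phnum = struct.unpack_from(end + "I10xHH", data, 28)
        flags_off = 24                            # p_flags is the 7th 32-bit field
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        p_flags = struct.unpack_from(end + "I", data, off + flags_off)[0]
        yield p_type, p_flags


def classify(data: bytes) -> StackInfo:
    """Report whether the image is a legacy (no PT_GNU_STACK) binary."""
    gnu_stack_flags = None
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
    if gnu_stack_flags is None:
        # Missing header: the case described in the thread, read_implies_exec on.
        return StackInfo(False, None, True)
    # An explicit executable-stack header is reported separately; whether it also
    # enables read_implies_exec depends on the architecture and kernel version,
    # which this example does not model.
    return StackInfo(True, bool(gnu_stack_flags & PF_X), False)


def build_elf64(phdrs: List[Tuple[int, int]]) -> bytes:
    """Constructed little-endian x86-64 ELF image with the given (type, flags) headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    return ehdr + body


def build_elf32(phdrs: List[Tuple[int, int]]) -> bytes:
    """Constructed little-endian i386 ELF image with the given (type, flags) headers."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x1000) for t, f in phdrs)
    return ehdr + body


# Constructed sample images: a legacy binary, a modern one with a
# non-executable stack, and one that explicitly asks for an executable stack.
LEGACY_IMAGE = build_elf64([(PT_LOAD, PF_R | PF_X)])
MODERN_IMAGE = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
EXECSTACK_IMAGE = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
LEGACY32_IMAGE = build_elf32([(PT_LOAD, PF_R | PF_X)])


def report(path: str) -> StackInfo:
    """Classify an ELF file on disk, e.g. the java launcher from the thread."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for name, image in (("legacy", LEGACY_IMAGE), ("modern", MODERN_IMAGE),
                        ("execstack", EXECSTACK_IMAGE), ("legacy32", LEGACY32_IMAGE)):
        print(name, classify(image))
    for path in sys.argv[1:]:
        print(path, report(path))
```

Run with no arguments to see the four constructed images classified; pass binary paths to check real files. A result with `legacy=True` means the kernel will apply read_implies_exec to that process, so the denials are expected and rebuilding with a PT_GNU_STACK header (or, as Stephen suggests, confining the program in its own domain) is the fix, not a blanket execute allow on the user domain.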
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009