
SELinux Mailing List

Re: Still getting random execute permissions on shared libraries.

From: petre rodan <kaiowas_at_gentoo.org>
Date: Fri, 26 Nov 2004 21:49:22 +0200

Hi Stephen,

Stephen Smalley wrote:
> On Tue, 2004-11-23 at 21:04, Daniel J Walsh wrote:
>
>> Trying to run java from within firefox is a disaster, Mozilla crashes.
>>
>> allow user_mozilla_t ld_so_cache_t:file execute;
>> allow user_mozilla_t lib_t:file execute; (Jar files)
>> allow user_mozilla_t user_tmp_t:file execute;
>> allow user_t ld_so_cache_t:file execute;
>> allow user_t locale_t:file execute;
>
> They aren't random. As discussed previously here and on
> fedora-selinux-list, execution of a legacy binary causes the
> read_implies_exec behavior to be enabled for the process, so that
> subsequent read requests are transparently mapped to read|execute. This
> was a change in the upstream kernel, not SELinux, and was to allow
> introduction of NX support without breaking compatibility with legacy
> binaries. SELinux is merely checking permissions based on the
> information supplied by the core kernel.
>
> Your options are:
> - get java rebuilt with a PT_GNU_STACK header so the kernel doesn't
> treat it as a legacy binary (assuming that it doesn't assume that read
> implies exec),
> - change policy to allow execute permission in these cases (although it
> would be preferable here to move java into its own domain in that case,
> so that you only have to allow it these permissions and not the entire
> user domain or mozilla domain).

I made a patch to the kernel that reverts to the old behaviour. No more execs on random files. I find that changing the policy to allow those execs is not a valid solution.

Would it be feasible to send upstream a patch that would remove the 'exec on read' behaviour if the kernel has SELinux capabilities?

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux

--- linux-2.6.9.orig/mm/mmap.c 2004-11-11 20:18:36.436249280 +0200 +++ linux-2.6.9/mm/mmap.c 2004-11-11 20:20:47.863269336 +0200 @@ -790,10 +790,12 @@ * (the exception is when the underlying filesystem is noexec * mounted, in which case we dont add PROT_EXEC.) */ + /* + // this breaks havoc on a SELinux system if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC)) if (!(file && (file->f_vfsmnt->mnt_flags & MNT_NOEXEC))) prot |= PROT_EXEC; - + */ if (!len) return addr;
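Review bot: Commenting out the whole `if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))` block in do_mmap_pgoff switches read-implies-exec off for every process on every kernel built from this tree, not only "if the kernel has selinux capabilities" as the message proposes, so a genuine legacy binary with no PT_GNU_STACK header that does rely on readable mappings being executable will now fault on an NX-capable machine; if the goal is SELinux-specific, at least guard the lines with `#ifndef CONFIG_SECURITY_SELINUX`, or better leave mm/mmap.c alone and make the decision in the LSM mmap hook, where the policy engine already sees the request. Two smaller points in the same hunk: the comment left above it still says the noexec mount is "the exception" to adding PROT_EXEC, which now describes code that no longer runs, and `// this breaks havoc on a SELinux system` nests a C++-style comment inside a `/* ... */` block; use `#if 0 ... #endif` or delete the three lines outright, and the phrase should read "wreaks havoc".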

-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Fri 26 Nov 2004 - 14:27:42 EST
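The two points Stephen Smalley makes above (a PROT_READ mapping is silently upgraded to PROT_READ|PROT_EXEC once READ_IMPLIES_EXEC is set on the process, and the fix is to give the binary a PT_GNU_STACK header) can both be observed directly. The following C program is an added example, not code from the thread, the kernel or the SELinux project: it maps an in-memory file read-only with and without the READ_IMPLIES_EXEC personality flag and reads back the permissions the kernel actually granted from /proc/self/maps, then scans an ELF64 file's program headers for PT_GNU_STACK. It is Linux-only and the function names (`mapping_has_exec`, `probe_read_implies_exec`, `gnu_stack_flag`) are this example's own. Note that on the 2004-era kernels in the thread a missing PT_GNU_STACK header is what made the ELF loader set READ_IMPLIES_EXEC; current x86-64 kernels no longer do that for 64-bit binaries, but the mmap side of the behaviour is unchanged and is what the probe exercises.

```c
/* Added example, not code from the thread or from the kernel: reproduce the
 * READ_IMPLIES_EXEC behaviour Stephen Smalley describes and check a binary
 * for the PT_GNU_STACK header he suggests adding. Linux only; all function
 * names here are this example's own. */
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 1 if the /proc/self/maps entry covering addr carries the 'x' bit, 0 if it
 * does not, -1 if no entry covers addr. */
int mapping_has_exec(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;
    unsigned long target = (unsigned long)addr, lo, hi;
    char line[512], perms[8];
    int result = -1;
    while (fgets(line, sizeof line, maps)) {
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3)
            continue;
        if (target >= lo && target < hi) {
            result = perms[2] == 'x';
            break;
        }
    }
    fclose(maps);
    return result;
}

/* Map an in-memory file PROT_READ only and report whether the kernel silently
 * added PROT_EXEC. With want_rie set, the process first opts into
 * READ_IMPLIES_EXEC via personality(2), which is what the loader of the
 * thread's era did for a binary lacking PT_GNU_STACK; on a SELinux box that
 * silent upgrade is what turns a plain read into a file:execute check.
 * Returns 1 (exec added), 0 (not added), -1 on setup failure, -2 if
 * personality(2) refused the flag (e.g. under a seccomp filter). */
int probe_read_implies_exec(int want_rie)
{
    int old = personality(0xffffffff);          /* query only, no change */
    if (old == -1)
        old = PER_LINUX;
    if (want_rie && personality(old | READ_IMPLIES_EXEC) == -1)
        return -2;
    int result = -1;
    /* memfd rather than a file in /tmp, which may be mounted noexec */
    int fd = (int)syscall(SYS_memfd_create, "rie-probe", 0);
    if (fd >= 0 && ftruncate(fd, 4096) == 0) {
        void *p = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, fd, 0);
        if (p != MAP_FAILED) {
            result = mapping_has_exec(p);
            munmap(p, 4096);
        }
    }
    if (fd >= 0)
        close(fd);
    if (want_rie)
        personality(old);                       /* restore the persona */
    return result;
}

/* Scan an ELF64 file's program headers for PT_GNU_STACK. Returns 1 if present
 * with PF_X (executable stack requested), 0 if present without it, -1 if
 * absent (the "legacy binary" case in the thread), -2 if unreadable/not ELF64. */
int gnu_stack_flag(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -2;
    int result = -2;
    Elf64_Ehdr eh;
    if (pread(fd, &eh, sizeof eh, 0) == (ssize_t)sizeof eh &&
        memcmp(eh.e_ident, ELFMAG, SELFMAG) == 0 &&
        eh.e_ident[EI_CLASS] == ELFCLASS64) {
        result = -1;
        for (unsigned i = 0; i < eh.e_phnum; i++) {
            Elf64_Phdr ph;
            off_t off = (off_t)eh.e_phoff + (off_t)i * eh.e_phentsize;
            if (pread(fd, &ph, sizeof ph, off) != (ssize_t)sizeof ph) {
                result = -2;
                break;
            }
            if (ph.p_type == PT_GNU_STACK) {
                result = (ph.p_flags & PF_X) ? 1 : 0;
                break;
            }
        }
    }
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    printf("PROT_READ map, plain persona:         exec=%d\n", probe_read_implies_exec(0));
    printf("PROT_READ map, READ_IMPLIES_EXEC set: exec=%d\n", probe_read_implies_exec(1));
    const char *target = argc > 1 ? argv[1] : "/proc/self/exe";
    printf("PT_GNU_STACK in %s: %d\n", target, gnu_stack_flag(target));
    return 0;
}
```

Run it with the path of the JVM binary (or any shared object) as the argument: a -1 from `gnu_stack_flag` identifies the kind of file that, on the kernels discussed here, would flip the whole process into read-implies-exec mode and produce the "random" file:execute denials, which is why Stephen's first option (rebuild with PT_GNU_STACK) removes the denials at the source instead of widening policy.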
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service