SELinux Mailing List

Re: lots of execmem failures with 2.6.10

From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Wed, 12 Jan 2005 09:47:36 -0500


On Wed, 2005-01-12 at 06:26, Greg Norris wrote:
> When trying to boot a 2.6.10 kernel, with the SELinux patch from the NSA
> website applied, I'm getting a LOT of denial messages such as the ones
> shown below. This hoses the boot process to the point where the box is
> essentially unusable (no networking, impossible to logon at the console,
> etc.). Under 2.6.9, the same policy works just fine.
>
> audit(1105293465.527:0): avc: denied { execmem } for pid=237 comm=uname scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
> audit(1105293465.663:0): avc: denied { execmem } for pid=240 comm=touch scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
> audit(1105293466.661:0): avc: denied { execmem } for pid=259 comm=sync scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
> audit(1105293466.716:0): avc: denied { execmem } for pid=262 comm=uname scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process
>
> I haven't seen any mention of this on the list... any idea what's going
> on? My policy source files are from cvs, as of three weeks or so ago.
> I don't mind updating to current cvs if necessary, but don't see any
> obvious updates relating to execmem. The server is an old Pentium II
> box (nothing at all unusual about it), running Debian sid.
>
> I can update my policy to allow the execmem easily enough, but would
> expect to find it already in cvs if this was an expected issue. Any
> thoughts?

The thread that discussed the new controls over executable mappings starts at http://marc.theaimsgroup.com/?l=selinux&m=110003195017130&w=2 and the final submitted version was http://marc.theaimsgroup.com/?l=linux-kernel&m=110200324503263&w=2.

The question is why is your userland attempting to create executable anonymous mappings or executable writable private file mappings. May be related to the legacy binary issue that came up earlier, where the mainline kernel enables read-implies-exec behavior if the binary is a "legacy" binary, i.e. lacks PT_GNU_STACK. What does execstack -q `which uname` report?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Wed 12 Jan 2005 - 09:54:10 EST
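The check Stephen suggests, as an added example that is not part of the thread: a Python script that pulls the comm= names out of execmem denials and reads an ELF image's program headers to tell a legacy binary (no PT_GNU_STACK at all) from one that declares its stack policy, which is the distinction execstack -q reports. The AVC lines are the ones quoted above; the ELF images are constructed in-line rather than read from disk.

```python
import re
import struct
PT_GNU_STACK = 0x6474E551  # program header type from the GNU ELF ABI; PF_X below is its execute bit
PF_X = 0x1
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?\bcomm=(?P<comm>\S+)")

# The first two denial lines are quoted from the thread; the third is constructed as a non-execmem control.
SAMPLE_AVC = [
    "audit(1105293465.527:0): avc: denied { execmem } for pid=237 comm=uname scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process",
    "audit(1105293465.663:0): avc: denied { execmem } for pid=240 comm=touch scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=process",
    "audit(1105293466.900:0): avc: denied { read } for pid=263 comm=cat scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file",
]

def execmem_comms(lines):
    """Distinct comm= values from AVC lines that deny exactly execmem, in first-seen order."""
    seen = []
    for line in lines:
        m = AVC_RE.search(line)
        if m and m.group("perm").split() == ["execmem"] and m.group("comm") not in seen:
            seen.append(m.group("comm"))
    return seen

def gnu_stack_status(elf):
    """'legacy' when the image has no PT_GNU_STACK header, otherwise 'execstack' or 'noexecstack'."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    # e_phoff / e_phentsize / e_phnum sit at different offsets in the ELF64 and ELF32 headers
    phoff = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54 if is64 else 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(e + "I", elf, off)[0]
        p_flags = struct.unpack_from(e + "I", elf, off + (4 if is64 else 24))[0]  # p_flags: +4 (ELF64), +24 (ELF32)
        if p_type == PT_GNU_STACK:
            return "execstack" if p_flags & PF_X else "noexecstack"
    return "legacy"

def make_elf64(phdrs):
    """Constructed test image: little-endian ELF64 header followed by (p_type, p_flags) program headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)

# Constructed stand-ins: 'uname' carries only a PT_LOAD (legacy), 'touch' declares a non-executable stack.
SAMPLE_IMAGES = {"uname": make_elf64([(1, 5)]), "touch": make_elf64([(1, 5), (PT_GNU_STACK, 6)])}
def triage(lines, images):
    """Map each execmem-denied comm to its PT_GNU_STACK status ('unknown' when no image is available)."""
    return {c: gnu_stack_status(images[c]) if c in images else "unknown" for c in execmem_comms(lines)}
```

A binary reported as legacy here is the one the kernel's read-implies-exec fallback applies to, so it is the first place to look before adding an execmem allow rule to policy.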

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
