Dear all,
I'm on Fedora release 37 and have two files with execstack flag set: $ readelf -a ./testx | grep -A1 STACK GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RWE 0x10 $ readelf -a ./libtestx.so | grep -A1 STACK GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RWE 0x10
Protection is enabled: # getsebool selinuxuser_execstack selinuxuser_execstack --> off
Library is not loadable: $ enable -f ./libtestx.so x -bash: enable: cannot open shared object ./libtestx.so: ./libtestx.so: cannot enable executable stack as shared object requires: Permission denied type=AVC msg=audit(01/23/2024 15:44:26.837:637) : avc: denied { execstack } for pid=1685 comm=bash scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
But the executable runs without restriction: $ ./testx This executable should be rejected as execstack
Is it wrong behaviour? I think that the needed LSM hook is not called from all the needed places in the kernel. I wrote a mail about this here: https://www.spinics.net/lists/linux-security-module/msg56376.html
Usually kernel people pay attention to problems that really affect users. So if someone could confirm the problem - it would help to fix it. Thank you for the attention.
Kind regards, Dmitry Mastykin
selinux@lists.fedoraproject.org