I want to turn on a part of the kernel to make SELinux checking more stringent.

Daniel J Walsh dwalsh at redhat.com
Fri Jan 24 19:20:27 UTC 2014


On 01/24/2014 02:11 PM, Björn Persson wrote:
> Daniel J Walsh wrote:
>> Here is the request from upstream to enable this feature in Rawhide, with
>> an explanation of what it does.
>> 
>>> "Android is starting to apply execmem and friends to the non-Dalvik
>>> components (i.e. non-Java components, primarily the native system
>>> daemons). As part of that, I uploaded a change to effectively
>>> echo 0 > /sys/fs/selinux/checkreqprot so that we always check the actual
>>> protection flags applied by the kernel rather than only checking what the
>>> application requested.
>>> 
>>> Originally checkreqprot was to support legacy applications that had no
>>> PT_GNU_STACK marking or were marked with PT_GNU_STACK RWE, so that we
>>> wouldn't have to add execute permission pervasively to policy for such
>>> applications.  But it effectively provides a way to bypass policy by
>>> creating such an application, and as I later discovered, just by
>>> calling personality(READ_IMPLIES_EXEC) from an application at any time.
>>> The simplest way to eliminate that bypass comprehensively is to change
>>> the defaults for checkreqprot.
>>> 
>>> I think this is likely safe in Fedora since you now allow execmem by 
>>> default to most domains.  Can we get the same change applied in Fedora,
>>> either by changing the default kernel configuration 
>>> (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0) or by putting something
>>> in an init script to set the /sys/fs/selinux/checkreqprot value?
> 
> I'm afraid all I understand of that explanation is that this has something
> to do with executable stacks. How does the proposed change affect programs
> that need an executable stack?
> 
> Björn Persson
> 
No, we pretty much allow executable stack/memory from user processes now and
block it for most daemons, except for those that need it.  My understanding of
this change is that the kernel was not doing complete checking, but most apps
at this point do the right thing.  We will turn it on in Rawhide and through
the beta.  If we see problems we will revert.  It is now a one line change in

# grep check /lib/tmpfiles.d/selinux-policy.conf
w /sys/fs/selinux/checkreqprot 1

I believe you can revert it by adding

echo "w /sys/fs/selinux/checkreqprot 0" >> /etc/tmpfiles.d/selinux-policy.conf
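As an added example (not part of the thread), a small POSIX shell audit of the setting discussed above: it reports the value the kernel is using right now and the value the winning tmpfiles.d fragment will write at boot, so drift between the two is visible. It assumes the paths are passed as parameters so it can be run against constructed files, and that a fragment in /etc/tmpfiles.d takes precedence over a same-named one in /lib/tmpfiles.d.

```shell
#!/bin/sh
# Added example: audit SELinux checkreqprot, live and at-boot (tmpfiles.d).
# Paths are parameters (assumption) so the functions can be tested offline.

# Print the live setting: 0 = check the protection flags the kernel actually
# applied, 1 = check only what the application requested. "unknown" if absent.
live_checkreqprot() {
    f="${1:-/sys/fs/selinux/checkreqprot}"
    [ -r "$f" ] || { echo unknown; return 1; }
    cat "$f"
}

# Print the value the winning tmpfiles.d fragment writes, or "unset".
# $1 = /etc/tmpfiles.d-style dir, $2 = /lib/tmpfiles.d-style dir,
# $3 = fragment name (default: the selinux-policy.conf named in the thread).
boot_checkreqprot() {
    etc_dir="$1"; lib_dir="$2"; name="${3:-selinux-policy.conf}"
    if [ -e "$etc_dir/$name" ]; then frag="$etc_dir/$name"
    elif [ -e "$lib_dir/$name" ]; then frag="$lib_dir/$name"
    else echo unset; return 1; fi
    # A 'w' line writes its last field to the path; the last matching line wins.
    awk '$1 == "w" && $2 == "/sys/fs/selinux/checkreqprot" { v = $NF }
         END { print (v == "" ? "unset" : v) }' "$frag"
}

# Compare both views; non-zero exit flags drift (e.g. live 0, boot config 1).
report() {
    live=$(live_checkreqprot "$1")
    boot=$(boot_checkreqprot "$2" "$3" "$4")
    echo "live=$live boot=$boot"
    [ "$live" = "$boot" ]
}
```

Run `report` with no arguments on a real host to use the default sysfs path and the system tmpfiles.d directories.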