Does MAP_FIXED inhibit execmem denial?
John Reiser
jreiser at BitWagon.com
Thu Apr 20 18:16:23 UTC 2006
Stephen Smalley wrote:
>>However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
>>I see no execmem complaints. Strace of typical execution begins:
>
>
> Hmmm...shouldn't.
>
> # /usr/sbin/getsebool allow_execmem
> (If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
> confined domain.)
> # cat /selinux/checkreqprot
> # execstack -q /path/to/program
Thank you for diagnosing. allow_execmem is "on" under the installed
selinux-policy-targeted-2.2.29-3.fc5. [There have been no changes
to booleans after default install of FC5 except via "yum upgrade".]
Transcript:
-----
# /usr/sbin/getsebool allow_execmem
allow_execmem --> on
# /usr/sbin/setsebool allow_execmem=0
# cat /selinux/checkreqprot ## Note the output '1' on the next line.
1# execstack -q ./date.OK
execstack: "./date.OK" has no section headers
## The info would be in a PT_GNU_STACK Elf32_Phdr "segment header",
## not in any Elf32_Shdr.
## But anyway, there is no PT_GNU_STACK in ./date.OK, either.
# strace ./date.OK
execve("./date.OK", ["./date.OK"], [/* 22 vars */]) = 0
old_mmap(0xc06000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, \
-1, 0xc06000) = -1 EACCES (Permission denied) ## Now I understand.
# rpm -qa | grep selinux
libselinux-devel-1.30-1.fc5
selinux-policy-2.2.29-3.fc5
selinux-policy-targeted-2.2.29-3.fc5
libselinux-1.30-1.fc5
libselinux-python-1.30-1.fc5
#
-----
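The strace line above shows what an execmem denial looks like from user space: an anonymous private mapping requested with PROT_WRITE|PROT_EXEC fails with EACCES. The following probe, written for this page and not part of the mailing-list post, tries the two shapes that reach the same SELinux check (mapping RWX directly, and mapping RW then calling mprotect() for PROT_EXEC) and reports the errno so an administrator can tell an execmem denial from an unrelated failure. MAP_FIXED and the address 0xc06000 from the post are deliberately left out so the probe cannot overwrite one of its own mappings; the diagnosis strings are constructed wording, not kernel or audit text.

```c
/* execmem_probe.c: added example, not from the mailing-list post.
 * Probes whether this process may hold anonymous memory that is both
 * writable and executable, which is what the SELinux "execmem" permission
 * governs. Returns 0 when allowed, otherwise the errno the kernel reported. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Path 1: anonymous private mapping requested as RWX in one call.
 * Same shape as the old_mmap() in the strace above, minus MAP_FIXED. */
int probe_mmap_rwx(void)
{
    size_t len = page_size();
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Path 2: map RW, then ask for PROT_EXEC afterwards. SELinux applies the
 * execmem check in its mprotect hook too, so a policy that denies path 1
 * denies this as well; the check is about the memory, not the call. */
int probe_mprotect_rx(void)
{
    size_t len = page_size();
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = 0;
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0)
        rc = errno;
    munmap(p, len);
    return rc;
}

/* Map the errno to a short diagnosis (constructed wording for this example).
 * An SELinux permission denial surfaces as EACCES, so anything else points
 * at a different mechanism. */
const char *diagnose(int err)
{
    switch (err) {
    case 0:      return "allowed: execmem permitted, or SELinux not enforcing it";
    case EACCES: return "EACCES: consistent with an SELinux execmem denial; confirm with ausearch -m avc";
    case EPERM:  return "EPERM: refused by something other than SELinux's execmem check";
    default:     return "other error";
    }
}

int main(void)
{
    int a = probe_mmap_rwx();
    int b = probe_mprotect_rx();
    printf("mmap(RWX):           %s (%s)\n", diagnose(a), a ? strerror(a) : "ok");
    printf("mmap(RW)+mprotect(X): %s (%s)\n", diagnose(b), b ? strerror(b) : "ok");
    return 0;
}
```

Run it once with allow_execmem on and once after `setsebool allow_execmem=0` (as in the transcript): the first run prints "allowed" for both paths, the second prints EACCES for both, and each denial leaves an AVC record for `execmem` in the audit log, which is the signal to watch for when a binary such as ./date.OK starts failing at startup.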