execmem and targeted policy

Colin Walters walters at redhat.com
Thu Feb 10 18:17:58 UTC 2005


I noticed that as of a recent rawhide update that Eclipse stopped

audit(1108057938.336:0): avc:  denied  { execmem } for  pid=14065 comm=eclipse scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=process

Chatting with Dan, this is apparently because the execmem permission was
dropped from unconfined_domain recently.  

We can't do this in targeted policy because it would require us to know
about (and specially label) all such programs.  We could potentially
label /usr/bin/eclipse as unconfined_execmem_t or whatever since we have
Eclipse packages in Fedora.  However, I am almost positive the Sun JVM
requires this permission too, and if we go this route, then every person
who untars the Sun JVM and tries to run Java programs will run into this

This is against the philosophy of the targeted policy in that it affects
programs outside of the targeted daemon set.  My worry is that for every
person (like me) who tracks down this problem and finds a workaround,
there will be 999 others who disable SELinux entirely.  And that's bad,
because we need it to be enabled by default so we can use it to confine
the programs that really need it.

(Dan says that textrel_shlib_t has a similar issue)

One approach might be to have e.g. bin_t and bin_nonexecmem_t.  We label
programs that we know work as bin_nonexecmem_t.

More information about the fedora-selinux-list mailing list