ldd fails for executables requiring execstack/execmem!? ld-linux.so.2 misbehaves?

Tom London selinux at gmail.com
Mon Jul 2 20:35:38 UTC 2007 

I'm running the latest Rawhide, selinux-policy-3.0.1-4.fc8 targeted/enforcing.

The 'ldd' command (/usr/bin/ldd) fails for me when I target it at
executables requiring execstack or execmem.

For example, here is what happens when I try 'ldd' against /usr/bin/skype:

[root at localhost ~]# getenforce
Enforcing
[root at localhost ~]# ldd /usr/bin/skype
        not a dynamic executable
[root at localhost ~]# setenforce 0
[root at localhost ~]# ldd /usr/bin/skype
        linux-gate.so.1 =>  (0x00110000)
        libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
        librt.so.1 => /lib/librt.so.1 (0x469c3000)
<<<<<<SNIP>>>>>
        libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x4625c000)
        libcap.so.1 => /lib/libcap.so.1 (0x46b1d000)
        libexpat.so.0 => /lib/libexpat.so.0 (0x46348000)
[root at localhost ~]#

Here is a typical AVC generated by the above:

type=AVC msg=audit(1183407589.500:113): avc:  denied  { execmem } for
pid=11095 comm="ld-linux.so.2"
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1183407589.500:113): arch=40000003 syscall=192
success=no exit=-13 a0=8048000 a1=aa8000 a2=7 a3=812 items=0
ppid=11094 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2"
exe="/lib/ld-2.6.so" subj=system_u:system_r:unconfined_t:s0 key=(null)

Interestingly, setting 'allow_execstack' to one via 'setsebool
allow_execstack=1' eliminates the AVC and makes the 'ldd' command
succeed:

[root at localhost ~]# setsebool allow_execstack=1
[root at localhost ~]# getenforce
Enforcing
[root at localhost ~]# ldd /usr/bin/skype
        linux-gate.so.1 =>  (0x00110000)
        libasound.so.2 => /lib/libasound.so.2 (0x46f1f000)
        librt.so.1 => /lib/librt.so.1 (0x469c3000)
<<<<<SNIP>>>>


Of course, this happens with other files as well (e.g., vmware, ....).

The problem appears to hit ld-linux.so.2 badly.... Preloading
libraries that require execstack/execmem (and text relocation?)
generate AVCs and fail.

This causes particular problems with the scripts that start vmware.

'setroubleshoot' suggests setting /lib/ld-linux.so.2 to
'unconfined_execmem_exec_t', but that seems just wrong.

Can someone shed some light on what is happening here?  Path to enlightenment?

thanks,
   tom
-- 
Tom London

More information about the fedora-selinux-list mailing list