1. SELinux problems
- Posted by Nathan Webb <nathan.webb at gma?l.com> Jun 11, 2008
- 2383 views
Please forgive me if this is the wrong forum for a bug report...

Has anyone tried running exu on a system running SELinux? I use Fedora 9 / KDE and I keep seeing the attached message (this example is when running demo/sanity.ex).

Thanks, Nathan

exu error message:

```
Euphoria SANITY TEST ...
sanity.ex:963 in procedure machine_level()
A machine-level exception occurred during execution of this statement
... called from sanity.ex:1247 in procedure sanity()
... called from sanity.ex:1302
--> See ex.err
```

SELinux report:

```
Summary:
SELinux is preventing exu from changing the access protection of memory on the heap.

Detailed Description:
The exu application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If exu does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:
If you want exu to continue, you must turn on the allow_execheap boolean. Note: This boolean will affect all applications on the system.

Fix Command:
setsebool -P allow_execheap=1

Additional Information:
Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        None [ process ]
Source                exu
Source Path           /home/Nathan/Download/euphoria/bin/exu
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-62.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           allow_execheap
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.25.4-30.fc9.i686 #1 SMP Wed May 21 18:12:35 EDT 2008 i686 i686
Alert Count           211
First Seen            Wed 21 May 2008 01:55:22 AM EDT
Last Seen             Wed 21 May 2008 02:02:14 AM EDT
Local ID              3d4cac42-3335-45e6-b187-58cc1a855c6b
Line Numbers

Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1211349734.334:340): avc: denied { execheap } for pid=2196 comm="exu" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1211349734.334:340): arch=40000003 syscall=125 success=no exit=-13 a0=851e000 a1=1000 a2=7 a3=851eec0 items=0 ppid=2162 pid=2196 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts2 ses=1 comm="exu" exe="/home/Nathan/Download/euphoria/bin/exu" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
```
2. Re: SELinux problems
- Posted by xecronix Aug 22, 2015
- 2250 views
Has this issue been looked into? If so, was it determined that it can't/won't be fixed? Or am I experiencing a new problem much like an old one? On Fedora 22 with SELinux turned on, *eui* is causing this error today. I didn't notice this earlier in the week because my other VM with Fedora installed had SELinux turned off. For the moment, I've disabled SELinux on my VM so that I can continue my project for the next day or so as I explore if Euphoria is a good fit for this new project.
This type of error would be alarming for sysadmins considering Euphoria in the work place.
3. Re: SELinux problems
- Posted by jimcbrown (admin) Aug 22, 2015
- 2214 views
> Has this issue been looked into? If so, was it determined that it can't/won't be fixed? Or am I experiencing a new problem much like an old one? On Fedora 22 with SELinux turned on, *eui* is causing this error today. I didn't notice this earlier in the week because my other VM with Fedora installed had SELinux turned off. For the moment, I've disabled SELinux on my VM so that I can continue my project for the next day or so as I explore if Euphoria is a good fit for this new project.
This should have been fixed, years ago, with the adoption of DEP-aware code and the new allocate_code() routine.
What's the exact command line you are passing to eui to get this error?
> This type of error would be alarming for sysadmins considering Euphoria in the work place.
Agreed.
4. Re: SELinux problems
- Posted by xecronix Aug 22, 2015
- 2250 views
I found this link via google. http://danwalsh.livejournal.com/6117.html?thread=23525 Not sure if it helps but, a comment suggests that this may boil down to a Makefile problem if it is related to -fPIC
5. Re: SELinux problems
- Posted by xecronix Aug 22, 2015
- 2249 views
This is how I installed Euphoria: How to Compile Open Euphoria On Linux
This is the development version of Euphoria I downloaded so that I can compile Euphoria (also causes SELinux to complain)
```
[ronald@localhost bin]$ ./eui
Euphoria Interpreter v4.1.0 development
64-bit Linux, Using System Memory
Revision Date: 2012-05-30 12:24:02, Id: 5567:cbe08aedf560
```
This is how I can reproduce the problem
```
[ronald@localhost ~]$ eui
Euphoria Interpreter v4.1.0 development
64-bit Linux, Using System Memory
Revision Date: 2015-08-02 10:59:17, Id: 6336:e92935807c7b
```
Here is some more info about my particular issue.
```
Additional Information:
Source Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        Unknown [ process ]
Source                eui
Source Path           eui
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count           763
First Seen            2015-08-22 05:51:18 EDT
Last Seen             2015-08-22 15:53:42 EDT
Local ID              88420203-0087-407d-9688-5b0e8c70df66

Raw Audit Messages
type=AVC msg=audit(1440273222.737:707): avc: denied { execheap } for pid=2597 comm="eui" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Hash: eui,unconfined_t,unconfined_t,process,execheap
```
6. Re: SELinux problems
- Posted by xecronix Aug 22, 2015
- 2240 views
This is a very clean Fedora 22 install BTW.
- downloaded the latest Fedora last night
- installed Fedora on new VM
- ran dnf upgrade to get anything else that might be new
- installed Virtual Box Guest additions
- Installed Euphoria
Nothing else happened on this box prior to the error.
- Virtual Box 5.0.3
- Guest Fedora 22
- Host Windows 10
7. Re: SELinux problems
- Posted by jimcbrown (admin) Aug 24, 2015
- 2152 views
> This is the development version of Euphoria I downloaded so that I can compile Euphoria (also causes SELinux to complain)
>
> ```
> [ronald@localhost bin]$ ./eui
> Euphoria Interpreter v4.1.0 development
> 64-bit Linux, Using System Memory
> Revision Date: 2012-05-30 12:24:02, Id: 5567:cbe08aedf560
> ```
I had technical difficulties getting a 64bit version of Fedora set up in VirtualBox, but I tried the 32bit version of Fedora 22 with the latest 32bit eubin at http://openeuphoria.org/eubins/linux/4.1.0/32-bit/eubin-2011-06-29-3739d931e005.tar.gz and sestatus reports that SELinux is on. At least on the 32bit platform, this problem is not reproducible.
I'll give the 64bit version another try in a day or two.
8. Re: SELinux problems
- Posted by jimcbrown (admin) Aug 25, 2015
- 2094 views
> I found this link via google. http://danwalsh.livejournal.com/6117.html?thread=23525 Not sure if it helps but, a comment suggests that this may boil down to a Makefile problem if it is related to -fPIC
Just tried this on Fedora 22 64-bit, but I still could not reproduce the issue.
9. Re: SELinux problems
- Posted by xecronix Aug 25, 2015
- 2092 views
I'll go through the exercise again tonight but this time in a different order:
- Create new Virtualbox machine
- Download latest Fedora Distribution
- Install Fedora 22 64 Bit
- `sudo dnf upgrade` to get the latest updates.
- Unzip/Install OpenEuphoria 64 Bit
- Check for SELinux Problem
If no SELinux Problems:
- Run through these docs "How to Compile Open Euphoria On Linux" using the above installed binary release to translate code. (This step may require software installs. At the very least hg will be needed. I'll report back if I need to install anything else to compile.)
- Check for SELinux Problem
If no SELinux Problems:
- Install the Virtualbox Guest Additions
- Check for SELinux Problem
Thanks for taking the time to look into this.
10. Re: SELinux problems
- Posted by jimcbrown (admin) Aug 25, 2015
- 2041 views
> Thanks for taking the time to look into this.
Thank you for taking the time to discover and report this.
> I'll go through the exercise again tonight but this time in a different order:
If you do find a problem, would it be possible to put the complete image somewhere so I can run it myself? That might make it a lot easier for me to reproduce and resolve this problem.
11. Re: SELinux problems
- Posted by xecronix Aug 25, 2015
- 2026 views
I am able to reproduce.
- create new Virtualbox VM
- Unzip/Install OpenEuphoria 64 Bit
- ./eui while in the OpenEuphoria bin dir
- su root
- cat /var/log/audit/audit.log | grep eui
- Observe many denial messages
Upgrade, then try again:
- dnf upgrade
- reboot
- ./eui while in the OpenEuphoria bin dir
- su root
- cat /var/log/audit/audit.log | grep eui
- Observe many denial messages
At this point I stopped testing so that I can figure out how and where to share the VM with you. The VM is compressing right now. I'll put it somewhere you can get it. Please contact me with a gmail account when you're ready.
Also the above screen shots do not always happen when you try to run eui. But regardless as to whether or not you see the popup you can consistently find the issue in the logs.
- su root
- cat /var/log/audit/audit.log | grep eui
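A structured alternative to grepping the audit log, as an added example that is not part of the original thread: it pairs each AVC denial with the SYSCALL record that shares its audit event id and decodes the call. In the first post's record, syscall 125 on arch 40000003 (i386) is mprotect and a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC, which is the request SELinux reports as execheap. The function and constant names are hypothetical, and the sample lines are constructed from the records quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed input: the AVC/SYSCALL pair from the first post (SYSCALL abridged)
# and the 64-bit AVC from the later report, which has no SYSCALL record with it.
CTX = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
SAMPLE = "\n".join([
    'type=AVC msg=audit(1211349734.334:340): avc:  denied  { execheap } for '
    f'pid=2196 comm="exu" scontext={CTX} tcontext={CTX} tclass=process',
    'type=SYSCALL msg=audit(1211349734.334:340): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=851e000 a1=1000 a2=7 a3=851eec0 pid=2196 comm="exu"',
    'type=AVC msg=audit(1440273222.737:707): avc:  denied  { execheap } for '
    f'pid=2597 comm="eui" scontext={CTX} tcontext={CTX} tclass=process permissive=0',
])

MEM_PERMS = {"execheap", "execmem", "execmod", "execstack"}
PROT_BITS = ((0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"))
# (audit arch, syscall number) pairs that mean mprotect: i386 and x86_64 only
MPROTECT = {("40000003", "125"), ("c000003e", "10")}
HEAD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def exec_memory_denials(text):
    """Group records by audit event id and report executable-memory denials."""
    events = defaultdict(dict)
    for line in text.splitlines():
        head = HEAD.search(line)
        if not head:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line[head.end():])}
        if head.group(1) == "AVC":
            perms = PERMS.search(line)
            fields["perms"] = set(perms.group(1).split()) if perms else set()
        events[head.group(2)][head.group(1)] = fields
    findings = []
    for event_id, recs in events.items():
        avc = recs.get("AVC")
        if not avc or not avc["perms"] & MEM_PERMS:
            continue
        sc = recs.get("SYSCALL", {})  # may be absent from a grep'd excerpt
        prot = None
        if (sc.get("arch"), sc.get("syscall")) in MPROTECT:
            prot = [name for bit, name in PROT_BITS if int(sc["a2"], 16) & bit]
        findings.append({"event": event_id, "comm": avc.get("comm"), "addr": sc.get("a0"),
                         "perms": sorted(avc["perms"] & MEM_PERMS), "prot": prot})
    return findings
```

Calling `exec_memory_denials(SAMPLE)` returns one finding per denied event; `prot` stays `None` when no matching SYSCALL record is present, as with the 64-bit eui line.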
12. Re: SELinux problems
- Posted by jimcbrown (admin) Aug 26, 2015
- 1971 views
> I am able to reproduce.
>
> - cat /var/log/audit/audit.log | grep eui
Ah. I never got a pop up, but I see the messages in the audit log for 64bit.
I believe this line is the culprit: http://scm.openeuphoria.org/hg/euphoria/annotate/e92935807c7b/source/be_machine.c#l859
Can you comment this line out, rebuild, and retest the newly built binary?
> At this point I stopped testing so that I can figure out how and where to share the VM with you. The VM is compressing right now. I'll put it somewhere you can get it. Please contact me with a gmail account when you're ready.
Follow the instructions at http://openeuphoria.org/wiki/view/Contact%20Administrators.wc
13. Re: SELinux problems
- Posted by xecronix Aug 26, 2015
- 2016 views
> Ah. I never got a pop up, but I see the messages in the audit log for 64bit.
>
> I believe this line is the culprit: http://scm.openeuphoria.org/hg/euphoria/annotate/e92935807c7b/source/be_machine.c#l859
>
> Can you comment this line out, rebuild, and retest the newly built binary?
I commented out that line of code, re-enabled SELinux, rebooted, and retested using the VM that I originally was using when I reported the problem. This seemed to fix the problem. After someone checks in the change, if applicable, let me know. I'd be happy to continue installing Euphoria from source on the sandbox VM I created specifically for testing this problem.
14. Re: SELinux problems
- Posted by jimcbrown (admin) Aug 26, 2015
- 1938 views
> After someone checks in the change, if applicable, let me know. I'd be happy to continue installing Euphoria from source on the sandbox VM I created specifically for testing this problem.
This change has now been checked in: http://scm.openeuphoria.org/hg/euphoria/rev/4ba858266107
15. Re: SELinux problems
- Posted by xecronix Aug 26, 2015
- 1923 views
> This change has now been checked in: http://scm.openeuphoria.org/hg/euphoria/rev/4ba858266107
I feel like this issue is resolved at this point. Thanks for your efforts and quick response.