Bug 2004

Summary: SELinux AVC denial of realcrypt execution because of execmem or execstack boolean
Product: Fedora
Reporter: Jim Snyder <rpmfusion>
Component: realcrypt
Assignee: leigh scott <leigh123linux>
Status: RESOLVED EXPIRED    
Severity: normal    
Priority: P5    
Version: 14   
Hardware: All   
OS: GNU/Linux   

Description Jim Snyder 2011-10-29 03:23:35 CEST
Installed package: realcrypt.x86_64 0:7.1-1.fc14
uname -a: Linux labrea 2.6.35.14-95.fc14.x86_64 #1 SMP Tue Aug 16 21:01:58 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
___________________________________________________________________________

labrea=; sudo realcrypt -t --mount --filesystem=none /dev/sdb1 /usr/jhs/crypt
TrueCrypt::Thread::Start:47
Permission denied
labrea=; sudo grep realcrypt /var/log/audit/audit.log | audit2why | tail -14
type=AVC msg=audit(1319823507.395:88440): avc:  denied  { execmem } for  pid=29309 comm="realcrypt" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

	Was caused by:
	One of the following booleans was set incorrectly.
	Description:
	Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla

	Allow access by executing:
	# setsebool -P allow_execstack 1
	Description:
	Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla

	Allow access by executing:
	# setsebool -P allow_execmem 1
labrea=; ls -Zd /home/jhs/crypt
drwxr-xr-x. jhs jhs unconfined_u:object_r:user_home_t:s0 /home/jhs/crypt
labrea=; 
________________________________

labrea=; getsebool -a | grep allow_exec
allow_execheap --> off
allow_execmem --> off
allow_execmod --> on
allow_execstack --> off
labrea=; 

If I set *either* allow_execmem=1 or allow_execstack=1, the mount succeeds.
________________________________

labrea=; execstack -q /usr/sbin/realcrypt
X /usr/sbin/realcrypt
labrea=;

Comment 1 Emmanuel Seyman 2012-05-06 23:34:51 CEST
RPMFusion is no longer releasing updates for this version of Fedora. This bug
will be set to RESOLVED:EXPIRED next week to reflect this.

If the problem persists after upgrading to the latest version of Fedora, please
update the version field of this bug (and re-open it if it has been closed).

Comment 2 Emmanuel Seyman 2012-05-17 11:18:19 CEST
Setting to RESOLVED:EXPIRED since RPMFusion is no longer releasing updates for
this version of Fedora.