Firstly as Laurent noted you can run "setsebool -P allow_execmem 1" to 
permanently enable execmem. 

Another option is to run "setsebool allow_execmem 1" before running the 
program in question and then run "setsebool allow_execmem 0" afterwards so 
other programs are only vulnerably to execmem attacks for a short duration.

I see this when running reportbug on a system with the python3-acme package (a 
dependency of python3-certbot) installed.  When I run reportbug on a system 
without certbot installed it doesn't need execmem access.

As a test I ran "dpkg --force-depends --purge python3-openssl" and after that 
reportbug worked correctly without execmem access.

type=AVC msg=audit(1550919568.023:269): avc:  denied  { execmem } for  
pid=2769 comm="reportbug" scontext=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=process permissive=0

Above is one of the audit messages I see when python3-openssl is installed.

I run the following to interpret that (the :269 part in the above message is 
the audit number):

# ausearch -a 269 -i
----
type=USER_AUTH msg=audit(20/02/19 03:03:32.316:269) : pid=3556 uid=root 
auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=PAM:authentication acct=4 exe=/usr/sbin/sshd hostname=51.68.123.198 
addr=51.68.123.198 terminal=ssh res=failed' 
----
type=USER_LOGIN msg=audit(21/02/19 11:23:58.778:269) : pid=1399 uid=root 
auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='op=login acct=(invalid user) exe=/usr/sbin/sshd hostname=? 
addr=61.219.45.81 terminal=sshd res=failed' 
----
type=PROCTITLE msg=audit(23/02/19 10:59:28.023:269) : proctitle=/usr/bin/
python3 /usr/bin/reportbug reportbug 
type=SYSCALL msg=audit(23/02/19 10:59:28.023:269) : arch=x86_64 syscall=mmap 
success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|
PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=2766 pid=2769 
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root 
fsgid=root tty=pts0 ses=11 comm=reportbug exe=/usr/bin/python3.7 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(23/02/19 10:59:28.023:269) : avc:  denied  { execmem } for  
pid=2769 comm=reportbug scontext=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=process permissive=0

This shows that it's doing the mmap system call.

The python code in question appears to be the following:
        self.callback = _ffi.callback(
            "int (*)(int, X509_STORE_CTX *)", wrapper)

PROT_WRITE|PROT_EXEC seems likely to be required for function pointers.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply via email to