Firstly as Laurent noted you can run "setsebool -P allow_execmem 1" to
permanently enable execmem.
Another option is to run "setsebool allow_execmem 1" before running the
program in question and then run "setsebool allow_execmem 0" afterwards so
other programs are only vulnerably to execmem attacks for a short duration.
I see this when running reportbug on a system with the python3-acme package (a
dependency of python3-certbot) installed. When I run reportbug on a system
without certbot installed it doesn't need execmem access.
As a test I ran "dpkg --force-depends --purge python3-openssl" and after that
reportbug worked correctly without execmem access.
type=AVC msg=audit(1550919568.023:269): avc: denied { execmem } for
pid=2769 comm="reportbug" scontext=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process permissive=0
Above is one of the audit messages I see when python3-openssl is installed.
I run the following to interpret that (the :269 part in the above message is
the audit number):
# ausearch -a 269 -i
----
type=USER_AUTH msg=audit(20/02/19 03:03:32.316:269) : pid=3556 uid=root
auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:authentication acct=4 exe=/usr/sbin/sshd hostname=51.68.123.198
addr=51.68.123.198 terminal=ssh res=failed'
----
type=USER_LOGIN msg=audit(21/02/19 11:23:58.778:269) : pid=1399 uid=root
auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=login acct=(invalid user) exe=/usr/sbin/sshd hostname=?
addr=61.219.45.81 terminal=sshd res=failed'
----
type=PROCTITLE msg=audit(23/02/19 10:59:28.023:269) : proctitle=/usr/bin/
python3 /usr/bin/reportbug reportbug
type=SYSCALL msg=audit(23/02/19 10:59:28.023:269) : arch=x86_64 syscall=mmap
success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|
PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=2766 pid=2769
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts0 ses=11 comm=reportbug exe=/usr/bin/python3.7
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(23/02/19 10:59:28.023:269) : avc: denied { execmem } for
pid=2769 comm=reportbug scontext=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process permissive=0
This shows that it's doing the mmap system call.
The python code in question appears to be the following:
self.callback = _ffi.callback(
"int (*)(int, X509_STORE_CTX *)", wrapper)
PROT_WRITE|PROT_EXEC seems likely to be required for function pointers.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/