SELinuxProject / selinux

This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs and patches should be submitted to selinux@vger.kernel.org

document allow_execmem #381

Open jmau111 opened 1 year ago

jmau111 commented 1 year ago

Hi,

I'm testing rules on a Debian.

Why do we have to allow execmem manually in some cases where apps need it (seems to happen frequently)?

avc:  denied  { execmem } for  pid=nnnn comm="...

I guess if it's not enabled by default, then it's probably not particularly safe or there are some issues related. Is that a good practice to allow it generally like sudo setsebool -P allow_execmem 1?

If it's not a good practice, can you indicate the right one?

jmau111 commented 1 year ago

hi, anyone?

williamcroberts commented 1 year ago

It is documented:

execmem: "Make executable an anonymous mapping or private file mapping that is writable."

It's bad because it allows a write/execute code path. This is really only useful for things that JIT, IIRC. Sometimes it triggers because of bad file permissions, i.e. they open a file writeable but never actually write, and the fix is changing the code, not the policy.
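As an added example (not code from the SELinux project or from anyone in this thread), the following C program makes the two points above concrete. `needs_execmem` classifies an mmap request by the rule quoted from the policy documentation, so a developer can see which mapping shape in their own code is the one asking for execmem; `wx_region` shows the write-xor-execute layout that a JIT can use instead of a single RWX region. It assumes Linux with the memfd_create system call; the struct and function names are mine. Note that the executable view still needs file execute permission on the memfd's tmpfs inode under the policy, so this removes the process-wide execmem requirement rather than the need for a policy decision about where executable bytes come from.

```c
/* Added example: which mmap shapes trigger the execmem check, and the
 * write-xor-execute layout that avoids it. Assumes Linux (memfd_create). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The rule quoted from the policy documentation: execmem is needed to make
 * executable (a) any anonymous mapping or (b) a private file mapping that is
 * also writable. An executable shared file mapping is checked against the
 * file's own execute permission instead. Returns 1 if execmem is needed. */
int needs_execmem(int prot, int flags, int is_anonymous)
{
    if (!(prot & PROT_EXEC))
        return 0;
    if (is_anonymous)
        return 1;
    return ((flags & MAP_PRIVATE) && (prot & PROT_WRITE)) ? 1 : 0;
}

/* One backing file, two views: rw for the emitter, rx for whoever will run
 * the code. No single mapping is ever writable and executable at once, so
 * the kernel checks file execute on the memfd inode, not process execmem. */
struct wx_region {
    int fd;
    uint8_t *rw;
    uint8_t *rx;
    size_t len;
};

void wx_region_close(struct wx_region *r)
{
    if (r->rw) munmap(r->rw, r->len);
    if (r->rx) munmap(r->rx, r->len);
    if (r->fd >= 0) close(r->fd);
    r->rw = r->rx = NULL;
    r->fd = -1;
}

int wx_region_open(struct wx_region *r, size_t len)
{
    r->rw = r->rx = NULL;
    r->len = len;
#ifdef SYS_memfd_create
    r->fd = (int)syscall(SYS_memfd_create, "jit-scratch", 1U /* MFD_CLOEXEC */);
#else
    r->fd = -1;
    errno = ENOSYS;
#endif
    if (r->fd < 0)
        return -1;
    if (ftruncate(r->fd, (off_t)len) != 0)
        goto fail;
    r->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, r->fd, 0);
    if (r->rw == MAP_FAILED) { r->rw = NULL; goto fail; }
    r->rx = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, r->fd, 0);
    if (r->rx == MAP_FAILED) { r->rx = NULL; goto fail; }
    return 0;
fail:
    wx_region_close(r);
    return -1;
}

/* Copies emitted bytes in through the rw view and confirms they are visible
 * through the rx view. Returns 0 on success. Nothing here executes them. */
int wx_region_emit(struct wx_region *r, const uint8_t *code, size_t n)
{
    if (n > r->len) {
        errno = ENOSPC;
        return -1;
    }
    memcpy(r->rw, code, n);
    return memcmp(r->rx, code, n) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed placeholder bytes standing in for a JIT's output. */
    static const uint8_t emitted[] = { 0xc3 };
    struct wx_region r;

    printf("RWX anonymous mapping needs execmem: %d\n",
           needs_execmem(PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, 1));
    printf("RX private file mapping needs execmem: %d\n",
           needs_execmem(PROT_READ | PROT_EXEC, MAP_PRIVATE, 0));

    if (wx_region_open(&r, 4096) != 0) {
        perror("wx_region_open");
        return 1;
    }
    if (wx_region_emit(&r, emitted, sizeof emitted) != 0) {
        perror("wx_region_emit");
        wx_region_close(&r);
        return 1;
    }
    printf("%zu byte(s) written via rw view, visible via rx view\n", sizeof emitted);
    wx_region_close(&r);
    return 0;
}
```

For the "bad file permissions" case in the comment above, the fix is on the mapping side: drop PROT_WRITE from a private file mapping that is only ever read and executed, and `needs_execmem` reports 0 for it. A process that genuinely generates code still needs to be allowed to map its scratch region executable, but the double-view layout keeps that to a file execute decision on one labelled inode rather than a blanket execmem grant for the domain.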

jmau111 commented 1 year ago

@williamcroberts thank you for the hint. How would you authorize processes to access memory safely?