[DSE-Dev] Bug#963495: selinux-policy-default: reportbug Segmentation faulted when Selinux is in Enforcing mode

Maksim K. debian_bug at k-max.name
Mon Jun 22 13:41:57 BST 2020


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I am trying to use reportbug on a selinux-enabled system in enforcing mode.
It fails due to this AVC denial in the audit.log:
***
type=AVC msg=audit(1592825897.099:84464): avc:  denied  { execmem } for  pid=26214 comm="reportbug" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592825897.099:84464): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=23168 pid=26214 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1551 comm="reportbug" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592825897.103:84465): auid=0 uid=0 gid=0 ses=1551 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=26214 comm="reportbug" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592826031.680:84474): avc:  denied  { execmem } for  pid=26284 comm="reportbug" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592826031.680:84474): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=23168 pid=26284 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1551 comm="reportbug" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592826031.688:84475): auid=0 uid=0 gid=0 ses=1551 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=26284 comm="reportbug" exe="/usr/bin/python3.5" sig=11
***

Here is the output of the reportbug session:

root at vps:/tmp# reportbug
Segmentation fault
root at vps:/tmp# getenforce
Enforcing 
root at vps:/tmp# 

But if I switch SELinux to Permissive, I could send reportbug. I've done this one in the Permissive mode.
If I try to run audit2allow, it requests that I enable allow_execstack and allow_execmem:
***
root at vps:/etc/bind# grep reportbug /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1592825897.099:84464): avc:  denied  { execmem } for  pid=26214 comm="reportbug" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")

        Allow access by executing:
        # setsebool -P allow_execmem 1
        Description:
        Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")

        Allow access by executing:
        # setsebool -P allow_execstack 1

***
I think this way is not secure because many services depend on these booleans.

Current versions of the reportbug packages are:
Versions of packages reportbug depends on:
ii  apt                1.4.10
ii  python3            3.5.3-1
ii  python3-reportbug  7.1.7+deb9u3

Versions of packages reportbug suggests:
pn  claws-mail                               <none>
pn  debconf-utils                            <none>
pn  debsums                                  <none>
pn  dlocate                                  <none>
pn  emacs24-bin-common | emacs25-bin-common  <none>
ii  file                                     1:5.30-1+deb9u3
pn  gir1.2-gtk-3.0                           <none>
pn  gir1.2-vte-2.91                          <none>
ii  gnupg                                    2.1.18-8~deb9u4
ii  postfix [mail-transport-agent]           3.1.14-0+deb9u1
ii  python3-gi                               3.22.0-2
pn  python3-gi-cairo                         <none>
pn  python3-gtkspellcheck                    <none>
pn  python3-urwid                            <none>
pn  xdg-utils                                <none>

Versions of packages python3-reportbug depends on:
ii  apt                1.4.10
ii  file               1:5.30-1+deb9u3
ii  python3            3.5.3-1
ii  python3-apt        1.4.1
ii  python3-debian     0.1.30
ii  python3-debianbts  2.6.1
ii  python3-requests   2.12.4-1


So, I could say that reportbug does not work with SELinux Enforcing at all.
That's why I set grave Severity.

-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b3
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b3

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
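The report above shows the pattern that matters to a defender reading audit.log: an enforced AVC denial of execmem for a pid, followed a few milliseconds later by an ANOM_ABEND record for the same pid with sig=11. The following script is an added example (not part of the bug report or of any Debian package): it parses audit records, and pairs each enforced (permissive=0) execmem or execstack denial with a crash record for the same pid, so that policy-caused crashes can be told apart from audit-only entries produced in Permissive mode. The first five sample records are copied from the report; the sixth is constructed here, and the 5-second pairing window is an assumption.

```python
import re
from collections import defaultdict

# Sample audit.log records. The first five are copied from the bug report;
# the last one is constructed (permissive=1, i.e. audit-only) to show that
# it is not flagged as an enforced denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1592825897.099:84464): avc:  denied  { execmem } for  pid=26214 comm="reportbug" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1592825897.099:84464): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=23168 pid=26214 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1551 comm="reportbug" exe="/usr/bin/python3.5" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1592825897.103:84465): auid=0 uid=0 gid=0 ses=1551 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=26214 comm="reportbug" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592826031.680:84474): avc:  denied  { execmem } for  pid=26284 comm="reportbug" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=ANOM_ABEND msg=audit(1592826031.688:84475): auid=0 uid=0 gid=0 ses=1551 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=26284 comm="reportbug" exe="/usr/bin/python3.5" sig=11
type=AVC msg=audit(1592826200.000:84490): avc:  denied  { execmem } for  pid=26400 comm="example" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key=value tokens: quoted strings, parenthesised values such as (null), or bare words
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERM_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Split one audit record into type, timestamp, serial and its key=value fields."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec = {
        "type": fields.get("type"),
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "fields": fields,
    }
    if rec["type"] == "AVC":
        # the denied permissions are listed between braces: { execmem }
        perm = PERM_RE.search(line)
        rec["perms"] = set(perm.group(1).split()) if perm else set()
    return rec


def find_denial_crashes(log_text, window=5.0, perms=("execmem", "execstack")):
    """Pair each enforced (permissive=0) denial of one of `perms` with an
    ANOM_ABEND record for the same pid within `window` seconds (assumed)."""
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    abends = defaultdict(list)
    for r in records:
        if r["type"] == "ANOM_ABEND":
            abends[r["fields"].get("pid")].append(r)

    findings = []
    for r in records:
        if r["type"] != "AVC" or r["fields"].get("permissive") != "0":
            continue  # not an AVC record, or audit-only (Permissive) entry
        hit = r["perms"] & set(perms)
        if not hit:
            continue
        pid = r["fields"].get("pid")
        crash = next(
            (a for a in abends.get(pid, []) if 0 <= a["ts"] - r["ts"] <= window),
            None,
        )
        findings.append({
            "pid": int(pid),
            "comm": r["fields"].get("comm"),
            "permissions": sorted(hit),
            "scontext": r["fields"].get("scontext"),
            "crashed": crash is not None,
            "signal": int(crash["fields"]["sig"]) if crash else None,
            "exe": crash["fields"].get("exe") if crash else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_denial_crashes(SAMPLE_AUDIT_LOG):
        state = "crashed with signal %s" % f["signal"] if f["crashed"] else "no crash record"
        print("pid %d %s (%s): denied %s in %s, %s"
              % (f["pid"], f["comm"], f["exe"], ",".join(f["permissions"]),
                 f["scontext"], state))
```

Run against a real /var/log/audit/audit.log, each finding is a case where the policy, not the program, terminated the process; the script deliberately leaves the permissive=1 entry out, which is what you see once a host has been switched to Permissive as in the report.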


