Bug
Resolution: Unresolved
Normal
rhel-8.7.0
Moderate
rhel-sst-cs-net-perf-services
ssg_core_services
All
Description of problem:
When SELinux boolean "deny_execmem" is enabled (which is not the default), any execution of "grep -P" leads to getting an AVC, as shown in the example below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
- grep -P -o '^BOOT_IMAGE=(\S+)' /proc/cmdline
- ausearch -m avc -i -ts recent
...
type=PROCTITLE msg=audit(11/15/2022 10:26:05.953:257) : proctitle=grep --color=auto -P -o ^BOOT_IMAGE=(\S+) /proc/cmdline
type=SYSCALL msg=audit(11/15/2022 10:26:05.953:257) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=12956 pid=15740 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=grep exe=/usr/bin/grep subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/15/2022 10:26:05.953:257) : avc: denied { execmem } for pid=15740 comm=grep scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
The root cause for this is "grep" internally calling libpcre's code which tries to execute code in memory:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
(gdb) bt
#0 0x00007f1db63a4af7 in mmap64 () from /lib64/libc.so.6
#1 0x00007f1db6670370 in alloc_chunk (size=65536) at sljit/sljitExecAllocator.c:213
#2 sljit_malloc_exec (size=936) at sljit/sljitExecAllocator.c:213
#3 sljit_generate_code (compiler=compiler@entry=0x559c95857ef0) at sljit/sljitNativeX86_common.c:506
#4 0x00007f1db668ce9a in _pcre_jit_compile (re=re@entry=0x559c95857d30, extra=extra@entry=0x559c95857da0,
mode=mode@entry=0) at pcre_jit_compile.c:11522
#5 0x00007f1db6690742 in pcre_study (external_re=0x559c95857d30, options=options@entry=1,
errorptr=errorptr@entry=0x7ffdd9551168) at pcre_study.c:1630
#6 0x0000559c945fdb9d in Pcompile (pattern=0x559c958577a0 "^BOOT_IMAGE=(\\S+)", size=<optimized out>,
ignored=<optimized out>) at pcresearch.c:161
#7 0x0000559c945f6bc5 in main (argc=6, argv=0x7ffdd9551938) at grep.c:2884
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
IMHO when "deny_execmem" is enabled, mmap AVCs, which are expected, should be hidden.
It's then up to the caller to take appropriate action (here libpcre doesn't fail but uses another way, from my understanding).
Since troubleshooting may be more difficult due to hiding the AVC, having a boolean to unhide those may be a good option, something like "dontaudit_mmap" or similar.
It should be "on" by default.
Version-Release number of selected component (if applicable):
grep-3.1-6.el8.x86_64
selinux-policy-3.14.3-108.el8.noarch
pcre-8.42-6.el8.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Enable "deny_execmem" boolean
- semanage boolean -m --on deny_execmem
2. Execute "grep -P" command
- grep -P -o '^BOOT_IMAGE=(\S+)' /proc/cmdline
Actual results:
AVC but grep functional
Expected results:
No AVC
Additional info:
"grep -P" is used in kexec-tools-2.0.24-6.el8 but can be used in any other script.
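As an added example (not code from the report, grep, libpcre or selinux-policy), a Python parser that groups `ausearch -i` records by audit serial and flags execmem denials, separating the expected deny_execmem signature described above (an anonymous PROT_EXEC mmap that failed, as in the grep/libpcre JIT case) from any other execmem denial that deserves a closer look. The sample input is the SYSCALL and AVC record pair from the report, embedded as constructed text.

```python
import re

# Constructed sample: the SYSCALL + AVC records from the report (one event, serial 257).
SAMPLE = """\
type=SYSCALL msg=audit(11/15/2022 10:26:05.953:257) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=12956 pid=15740 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=grep exe=/usr/bin/grep subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/15/2022 10:26:05.953:257) : avc: denied { execmem } for pid=15740 comm=grep scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

HEADER_RE = re.compile(r'type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)')
# key=value pairs; values such as exit=EACCES(Permission denied) contain a space inside parentheses.
KV_RE = re.compile(r'(\w+)=(\S*?\([^)]*\)|\S+)')
DENIED_RE = re.compile(r'denied\s+\{([^}]*)\}')

def parse_record(line):
    """Parse one ausearch -i record into a dict (type, time, serial, fields, perms for AVC)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {'type': rtype, 'time': ts, 'serial': int(serial)}
    rec.update(KV_RE.findall(body))
    d = DENIED_RE.search(body)
    if d:
        rec['perms'] = d.group(1).split()
    return rec

def group_events(text):
    """Group records by audit serial so the AVC can be read next to its syscall."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events.setdefault(rec['serial'], []).append(rec)
    return events

def classify_event(records):
    """Describe an execmem denial; expected_deny_execmem is True for a failed anonymous PROT_EXEC mmap."""
    avc = next((r for r in records if r['type'] == 'AVC' and 'execmem' in r.get('perms', [])), None)
    if avc is None:
        return None
    sc = next((r for r in records if r['type'] == 'SYSCALL'), {})
    prot, flags = set(sc.get('a2', '').split('|')), set(sc.get('a3', '').split('|'))
    expected = (sc.get('syscall') == 'mmap' and sc.get('success') == 'no'
                and 'PROT_EXEC' in prot and 'MAP_ANONYMOUS' in flags)
    return {'serial': avc['serial'], 'pid': avc.get('pid'), 'comm': avc.get('comm'),
            'exe': sc.get('exe'), 'scontext': avc.get('scontext'),
            'enforced': avc.get('permissive') == '0', 'expected_deny_execmem': expected}

def execmem_denials(text):
    """Return one classification per event that carries an execmem AVC."""
    return [c for c in (classify_event(recs) for recs in group_events(text).values()) if c]
```

Events where `expected_deny_execmem` is False (an execmem denial without the anonymous PROT_EXEC mmap) are the ones a triage pass should not hide behind a dontaudit.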