|
Server : Apache System : Linux srv.rainic.com 4.18.0-553.47.1.el8_10.x86_64 #1 SMP Wed Apr 2 05:45:37 EDT 2025 x86_64 User : rainic ( 1014) PHP Version : 7.4.33 Disable Function : exec,passthru,shell_exec,system Directory : /usr/share/setroubleshoot/plugins/ |
Upload File : |
#
# Copyright (C) 2006-2010 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
import gettext
translation=gettext.translation('setroubleshoot-plugins', fallback=True)
_=translation.gettext
from setroubleshoot.util import *
from setroubleshoot.Plugin import Plugin
import subprocess
import sys
def is_execstack(path):
if path[0] != "/":
return False
try:
x = subprocess.check_output(["execstack", "-q", path], universal_newlines=True).split()
except:
return False
return ( x[0] == "X" )
def find_execstack(exe, pid):
execstacklist = []
try:
paths = subprocess.check_output(["ldd", exe], universal_newlines=True).split()
except:
return execstacklist
for path in paths:
if is_execstack(path) and path not in execstacklist:
execstacklist.append(path)
try:
fd = open("/proc/%s/maps" % pid , "r")
for rec in fd.readlines():
for path in rec.split():
if is_execstack(path) and path not in execstacklist:
execstacklist.append(path)
except IOError:
pass
return execstacklist
class plugin(Plugin):
summary =_('''
SELinux is preventing $SOURCE_PATH from making the program stack executable.
''')
problem_description = _('''
The $SOURCE application attempted to make its stack
executable. This is a potential security problem. This should
never ever be necessary. Stack memory is not executable on most
OSes these days and this will not change. Executable stack memory
is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. If $SOURCE does not
work and you need it to work, you can configure SELinux
temporarily to allow this access until the application is fixed. Please
file a bug report.
''')
fix_description = _('''
Sometimes a library is accidentally marked with the execstack flag,
if you find a library with this flag you can clear it with the
execstack -c LIBRARY_PATH. Then retry your application. If the
app continues to not work, you can turn the flag back on with
execstack -s LIBRARY_PATH.
''')
fix_cmd = ""
if_text = _("If you do not think $SOURCE_PATH should need to map stack memory that is both writable and executable.")
then_text = _("you need to report a bug. \nThis is a potentially dangerous access.")
do_text = _("Contact your security administrator and report this issue.")
def get_if_text(self, avc, args):
try:
path = args[0]
if not path:
return self.if_text
return _("If you believe that \n%s\nshould not require execstack") % path
except:
return self.if_text
def get_then_text(self, avc, args):
try:
path = args[0]
if not path:
return self.then_text
return _("you should clear the execstack flag and see if $SOURCE_PATH works correctly.\nReport this as a bug on %s.\nYou can clear the exestack flag by executing:") % path
except:
return self.then_text
def get_do_text(self, avc, args):
try:
path = args[0]
if not path:
return self.do_text
return _("execstack -c %s") % path
except:
return self.do_text
def __init__(self):
Plugin.__init__(self,__name__)
def analyze(self, avc):
if (avc.matches_source_types(['unconfined_t', 'staff_t', 'user_t', 'guest_t', 'xguest_t']) and
avc.has_any_access_in(['execstack'])):
reports = []
for i in find_execstack(avc.spath, avc.pid):
reports.append(self.report((i,avc)))
if len(reports) > 0:
return reports
return self.report((None,None))
else:
return None