Server : Apache System : Linux server2.corals.io 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Mon Nov 15 09:17:08 EST 2021 x86_64 User : corals ( 1002) PHP Version : 7.4.33 Disable Function : exec,passthru,shell_exec,system Directory : /proc/self/root/usr/share/setroubleshoot/plugins/ |
#
# Copyright (C) 2006-2011 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
import selinux
from stat import *
import gettext
translation=gettext.translation('setroubleshoot-plugins', fallback=True)
_=translation.gettext
from setroubleshoot.util import *
from setroubleshoot.Plugin import Plugin
class plugin(Plugin):
summary =_('''
SELinux is preventing $SOURCE_PATH from loading $TARGET_PATH which requires text relocation.
''')
problem_description = _('''
The $SOURCE application attempted to load $TARGET_PATH which
requires text relocation. This is a potential security problem.
Most libraries do not need this permission. Libraries are
sometimes coded incorrectly and request this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">SELinux Memory Protection Tests</a>
web page explains how to remove this requirement. You can configure
SELinux temporarily to allow $TARGET_PATH to use relocation as a
workaround, until the library is fixed. Please file a bug report.
''')
unsafe_problem_description = _('''
The $SOURCE application attempted to load $TARGET_PATH which
requires text relocation. This is a potential security problem.
Most libraries should not need this permission. The
<a href="http://people.redhat.com/drepper/selinux-mem.html">
SELinux Memory Protection Tests</a>
web page explains this check. This tool examined the library and it looks
like it was built correctly. So setroubleshoot can not determine if this
application is compromised or not. This could be a serious issue. Your
system may very well be compromised.
Contact your security administrator and report this issue.
''')
unsafe_fix_description = "Contact your security administrator and report this issue."
fix_description = _('''
If you trust $TARGET_PATH to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'$TARGET_PATH'"
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'"
''')
unsafe_if_text = "If this issue occurred during normal system operation."
unsafe_then_text = """This alert could be a serious issue and your system could be compromised. Setroubleshoot examined '$FIX_TARGET_PATH' to make sure it was built correctly, but can not determine if this application has been compromised."""
unsafe_do_text = "Contact your security administrator and report this issue"
if_text = "If you trust $TARGET_PATH to run correctly and want to allow $SOURCE to load it"
then_text = "You need to change the label on '$FIX_TARGET_PATH' to textrel_shlib_t."
do_text = """# chcon -t textrel_shlib_t '$FIX_TARGET_PATH'
If you want this to survive a relabel, execute
# semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH';restorecon -v '$FIX_TARGET_PATH'
"""
fix_cmd = """/usr/sbin/semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH';/usr/sbin/restorecon -v '$FIX_TARGET_PATH'"""
def init_args(self, args):
if len(args) > 0:
self.fixable = False
self.report_bug = True
def get_problem_description(self, avc, args):
if len(args) > 0:
return self.unsafe_problem_description
return self.problem_description
def get_if_text(self, avc, args):
if len(args) > 0:
return self.unsafe_if_text
return self.if_text
def get_then_text(self, avc, args):
if len(args) > 0:
return self.unsafe_then_text
return self.then_text
def get_do_text(self, avc, args):
if len(args) > 0:
return self.unsafe_do_text
return self.do_text
def __init__(self):
Plugin.__init__(self,__name__)
self.fixable = True
self.button_text = _("Change label on the library.")
self.set_priority(10)
def analyze(self, avc):
import subprocess
if avc.has_any_access_in(['execmod']):
# MATCH
# from https://docs.python.org/2.7/library/subprocess.html#replacing-shell-pipeline
try:
p1 = subprocess.Popen(['eu-readelf', '-d', avc.tpath], stdout=subprocess.PIPE)
p2 = subprocess.Popen(["fgrep", "-q", "TEXTREL"], stdin=p1.stdout, stdout=subprocess.PIPE)
except:
return None
p1.stdout.close() # Allow p1 to receive a SIGPIPE if p2 exits.
p1.wait()
p2.wait()
if p2.returncode == 1:
return self.report(["unsafe"])
mcon = selinux.matchpathcon(avc.tpath.strip('"'), S_IFREG)[1]
if mcon.split(":")[2] == "lib_t":
return self.report()
return None