Bug hunting on SELinux
I’ve been trying to track down an annoying bug with SELinux these days.
The situation is as follows: when I’m running enforcing mode, bind’s “host” command, “named” itself and “dig” won’t work. They fail with an odd error message:
mem.c:653: INSIST(ctx->stats[size].gets > 0U) failed.
or with the latest bind backported to stable:
host: isc_taskmgr_create: no available threads
The SELinux audit error reported is: denied { execmem } for pid=28566 comm="host" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
As far as I know, “execmem” means the process can do runtime code generation (i.e. make its own memory executable) - that is a privilege you don’t want to give out lightly. But everybody should be able to use the “host” command… so the situation sucks.
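To make denials like the one above easier to read in bulk, here is an added example (not code from the post) that parses AVC denial lines, pulls out the permission set, subject and target contexts and object class, and flags the process permissions that mean "make memory writable and executable" (execmem, and its siblings execstack and execheap). The sample log is constructed: the first record is the denial quoted above with an assumed "avc:" prefix, the second is an invented file denial for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Line 1 is the denial quoted in the post (the "avc:"
# prefix is assumed); line 2 is made up to show a non-process denial.
SAMPLE_AUDIT = '''\
avc:  denied  { execmem } for  pid=28566 comm="host" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
avc:  denied  { read } for  pid=31000 comm="named" name="named.conf" dev=hda1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
'''

# Shape of a denial: denied { perm perm ... } for key=value key="quoted" ...
AVC_RE = re.compile(r'denied\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions whose denial means the program (or a library it loads)
# tried to get memory that is both writable and executable, i.e. runtime code
# generation. Policies grant these only to specific domains on purpose.
EXEC_MEMORY_PERMS = frozenset({'execmem', 'execstack', 'execheap'})


@dataclass
class Denial:
    perms: Tuple[str, ...]
    pid: Optional[int]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    fields: Dict[str, str]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    pid = int(fields['pid']) if fields.get('pid', '').isdigit() else None
    return Denial(
        perms=tuple(m.group('perms').split()),
        pid=pid,
        comm=fields.get('comm', ''),
        scontext=fields.get('scontext', ''),
        tcontext=fields.get('tcontext', ''),
        tclass=fields.get('tclass', ''),
        fields=fields,
    )


def scan(text: str) -> List[Denial]:
    """Parse every denial line in a block of audit text."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def is_exec_memory_denial(d: Denial) -> bool:
    """True when a process was refused one of the executable-memory permissions."""
    return d.tclass == 'process' and bool(EXEC_MEMORY_PERMS & set(d.perms))


def summarize(denials: List[Denial]) -> Dict[Tuple[str, str, str], int]:
    """Count denials by (comm, tclass, perms) so repeated retries collapse into one row."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for d in denials:
        key = (d.comm, d.tclass, ' '.join(d.perms))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    for d in scan(SAMPLE_AUDIT):
        tag = 'EXEC-MEMORY' if is_exec_memory_denial(d) else 'other'
        print(f'{tag:12} pid={d.pid} comm={d.comm} {d.tclass} '
              f'{{ {" ".join(d.perms)} }} {d.scontext} -> {d.tcontext}')
```

Feeding real audit output through scan() and summarize() separates the one execmem row for "host" from ordinary file-label noise, which is the distinction that matters here: a file denial is usually fixed by relabelling, while an execmem denial is a question of whether that domain should be allowed runtime code generation at all.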
Right now I guess that this is caused by pthreads, not bind itself.
Does anyone have some hints for me? Does this mean I have to build a customized libc to run stable with SELinux (or make huge modifications to the policy, to add a domain for “host” and exec permissions to every other domain that needs to be able to run “host”…)?