SELinux helped to find a security bug in a build system!

Hi All,

Two weeks ago, a very interesting bug was filed against the selinux-policy component and assigned to me. Immediately after the first look at it, something was clearly weird. Let’s look at the raw SELinux denials:

----
time->Thu Apr 11 12:07:17 2019
type=AVC msg=audit(1555009637.626:234): avc:  denied  { execute } for  pid=1395 comm="gnome-initial-s" path="/usr/lib/locale/C.utf8/LC_CTYPE" dev="dm-0" ino=1679 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:locale_t:s0 tclass=file permissive=1
----
time->Thu Apr 11 12:07:20 2019
type=AVC msg=audit(1555009640.645:235): avc:  denied  { execute } for  pid=1395 comm="gnome-initial-s" path="/usr/share/fonts/cantarell/Cantarell-Regular.otf" dev="dm-0" ino=527821 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_t:s0 tclass=file permissive=1

These are just a few of them. What’s going on? Well, the gnome-initial-setup process, labeled xdm_t (which looks right), tried to execute files labeled locale_t (/usr/lib/locale/C.utf8/LC_CTYPE) or fonts_t (/usr/share/fonts/cantarell/Cantarell-Regular.otf). That doesn’t make sense, right? Why should gnome-initial-setup execute non-executable localization and font files?

So it looks like a bug in the code, not in the SELinux policy. SELinux did its job and pointed out that something was wrong here. I re-assigned the bug to the gnome-initial-setup developers to find the issue on their side. After a few days of investigation, the issue was clear.

The problem was in Meson, the "high productivity build system", since version 0.5.0. Builds done with Meson after Meson 0.5.0 landed in the buildroot (on 2019-03-25) had the execstack flag set on their main executable, while everything built before Meson 0.5.0 landed does not have it set. That explains the denials: with the x86 kernels of the time, an executable that requests an executable stack is run with the READ_IMPLIES_EXEC personality, so every read-only file mapping (locale data, fonts) is also mapped executable, and SELinux checks the execute permission on each file mapped that way.

All main executables built by that build system had the execstack flag turned on! Turning this flag on is a bad idea because of possible buffer overflow attacks. Buffer overflow exploits often put some code in a program’s data area or stack and then jump to it. When the writable addresses of the stack are non-executable, such an attack is prevented. For more information see the article. This security feature was turned off and SELinux told us about it. The Meson developers fixed the bug; the SELinux policy was not modified.
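A defender's check for the flag described above, as an added example that is not from the original post or from Meson: parse the ELF program headers and report whether PT_GNU_STACK asks for an executable stack (PF_X). The ELF layout is standard; the sample image produced by build_sample() is constructed here for illustration, and the parser covers little-endian ELF64 only.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags


def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header of a little-endian ELF64 image, or None if absent."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(elf: bytes) -> bool:
    """True when the binary requests an executable stack; a missing PT_GNU_STACK also means executable on x86."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)


def build_sample(stack_flags: int, with_stack_header: bool = True) -> bytes:
    """Constructed minimal ELF64 image (x86-64, one PT_LOAD plus optional PT_GNU_STACK); not a runnable program."""
    phnum = 2 if with_stack_header else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, ELF version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 0x5, 0, 0, 0, 0, 0, 0x1000)  # PT_LOAD, r-x
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + (stack if with_stack_header else b"")


if __name__ == "__main__":
    # Usage: python3 check_execstack.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            verdict = "EXECSTACK" if stack_is_executable(f.read()) else "ok"
        print(f"{verdict}\t{path}")
```

On a real binary, `readelf -lW <binary>` shows the same information on its GNU_STACK line (RW versus RWE).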

This is a nice example of how SELinux can find bugs in code, not only mitigate damage after a successful attack, which is its main purpose.

Good job SELinux!