Package: rsync
Version: 3.2.0-1
Severity: important
Hi,
rsync in version 3.2.0-1 started to require the SELinux permission execmem.
If denied rsync fails with "Segmentation fault".
This is probably due to the stack marked as executable, and hopefully
fixed with 3.2.1 ("Avoid the stack getting set to executable when
including the asm code.").
Example SELinux denial:
type=PROCTITLE msg=audit(06/23/20 10:57:42.939:3074) : proctitle=(null)
type=PATH msg=audit(06/23/20 10:57:42.939:3074) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=131080 dev=08:01 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=PATH msg=audit(06/23/20 10:57:42.939:3074) : item=0
name=/usr/bin/rsync inode=394343 dev=08:01 mode=file,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/23/20 10:57:42.939:3074) : cwd=/tmp/backupv595nZLr
type=BPRM_FCAPS msg=audit(06/23/20 10:57:42.939:3074) : fver=0 fp=none
fi=none fe=0
old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_tty_config,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,block_suspend,audit_read
old_pi=none
old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_tty_config,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,block_suspend,audit_read
old_pa=none
pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_tty_config,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,block_suspend,audit_read
pi=none
pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_tty_config,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,block_suspend,audit_read
pa=none frootid=0
type=SYSCALL msg=audit(06/23/20 10:57:42.939:3074) : arch=x86_64
syscall=execve per=unknown-personality(0x400000) success=no
exit=EACCES(Permission denied) a0=0x55c281996c78 a1=0x55c281996c08
a2=0x55c281996c30 a3=0x7f8cbdeb6850 items=2 ppid=1879915 pid=1879935
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=rsync
exe=/usr/bin/rsync subj=system_u:system_r:backuptimer_t:s0 key=(null)
type=AVC msg=audit(06/23/20 10:57:42.939:3074) : avc: denied {
execmem } for pid=1879935 comm=rsync
scontext=system_u:system_r:backuptimer_t:s0
tcontext=system_u:system_r:backuptimer_t:s0 tclass=process
permissive=0
