Bug#887348: steam:i386: execmod access is requested, security issue

[Russell Coker]

Package: steam
Version: 1.0.0.54-3
Severity: normal
Tags: upstream

type=AVC msg=audit(1516012042.500:1381380): avc:  denied  { execmod } for  
pid=4488 comm="steam" path="/home/rjc/.steam/ubuntu12_32/libavutil.so.55" 
dev="sda2" ino=64950 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Above is an audit message from running steam with a fairly default SE Linux
configuration in enforcing mode.  The command "setsebool allow_execmod 1"
permits this to work, but this should be fixed.  Allowing execmod access
weakens the security of the system in general, and when the shared object
requests it the security of the application is weakened.

https://etbe.coker.com.au/2008/09/11/execmod-and-se-linux-i386-must-die/

Above is a blog post I wrote about this in 2008.  The root cause of this is
assembler optimisations for i386.  If the steam package was released in an
AMD64 variant then the default compile of libavutil would solve this problem
(back in 2008 I spent a lot of time recompiling libabutil and related libraries
to fix this on i386 while AMD64 just worked as desired).

https://etbe.coker.com.au/2007/02/10/execmod/

Here's another blog post I wrote about this.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages steam:i386 depends on:
ii  debconf [debconf-2.0]             1.5.65
ii  libc6                             2.26-2
ii  libgl1-mesa-dri                   17.2.5-1
ii  libgl1-mesa-glx                   17.2.5-1
ii  libgpg-error0                     1.27-5
ii  libstdc++6                        7.2.0-19
ii  libtxc-dxtn-s2tc0 [libtxc-dxtn0]  0~git20131104-1.1
ii  libudev1                          236-2
ii  libx11-6                          2:1.6.4-3
ii  libxinerama1                      2:1.1.3-1+b3
ii  xz-utils                          5.2.2-1.3

Versions of packages steam:i386 recommends:
ii  fonts-liberation               1:1.07.4-5
ii  konsole [x-terminal-emulator]  4:17.08.3-1
ii  libxss1                        1:1.2.2-1+b2
ii  xterm [x-terminal-emulator]    331-1
ii  zenity                         3.26.0-2

Versions of packages steam:i386 suggests:
pn  steam-devices  <none>

-- no debconf information