Bug 1105033
| Summary: | libfreebl3.so runs prelink during the initialization phase | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> | |
| Component: | nss-softokn | Assignee: | Elio Maldonado Batiz <emaldona> | |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.6 | CC: | eparis, mfranc, rrelyea | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1153602 (view as bug list) | Environment: | ||
| Last Closed: | 2014-06-11 18:09:54 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
# ldd `which id`
linux-vdso64.so.1 => (0x00000fff87a00000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00000080ca8a0000)
libc.so.6 => /lib64/libc.so.6 (0x00000080ca360000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000080ca590000)
/lib64/ld64.so.1 (0x0000000033e50000)
# strace -f -o output.txt -E LD_PRELOAD=/lib64/libfreebl3.so `which id`
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# grep -e prelink -e fchown output.txt
19336 stat("/usr/sbin/prelink", {st_mode=S_IFREG|0755, st_size=1402904, ...}) = 0
19337 execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/lib64/libfreebl3.so"], [/* 38 vars */] <unfinished ...>
19337 fchown(1, 0, 0 <unfinished ...>
19337 <... fchown resumed> ) = -1 EACCES (Permission denied)
#
See also BZ#1103674. Yes, freebl this is by design. It's a fips requirement. *** This bug has been marked as a duplicate of bug 1103674 *** |
Description of problem: * libfreebl3.so runs prelink during the initialization phase -> each program which needs this library automatically runs prelink * libfreebl3.so calls fchown() on the pipe, where the prelink process sends its output Version-Release number of selected component (if applicable): nss-softokn-freebl-3.14.3-13.el6 How reproducible: always Steps to Reproduce: # get a RHEL-6.6 machine where prelink package is installed # setenforce 1 # service crond restart # ausearch -m avc -m user_avc -m selinux_err -i Actual results: ---- type=PATH msg=audit(06/05/2014 06:02:35.735:31600) : item=0 name=(null) inode=128576 dev=00:08 mode=fifo,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 nametype=NORMAL type=SYSCALL msg=audit(06/05/2014 06:02:35.735:31600) : arch=ppc64 syscall=fchown success=no exit=-13(Permission denied) a0=1 a1=0 a2=0 a3=2 items=1 ppid=19225 pid=19226 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=179 comm=prelink exe=/usr/sbin/prelink subj=unconfined_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(06/05/2014 06:02:35.735:31600) : avc: denied { setattr } for pid=19226 comm=prelink name= dev=pipefs ino=128576 scontext=unconfined_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file ---- Expected results: * prelink does not call fchown() on the pipe, where prelink process sends its output