Bug 132458

Summary: avc: denied {execute} for pid=1
Product: [Fedora] Fedora Reporter: Leonard den Ottolander <leonard-rh-bugzilla>
Component: selinux-policy-strict Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 3
Hardware: All   
OS: Linux   
Fixed In Version: 1.17.26-3 Doc Type: Bug Fix
Last Closed: 2004-10-05 15:58:41 EDT
Bug Blocks: 130887, 133652    

Description Leonard den Ottolander 2004-09-13 13:15:38 EDT
FC3t1 updated a few days ago. Booting doesn't get me very far:

avc: denied {execute} for pid=1 path=/lib/tls/i486/libc-2.3.3.so
dev=hda6 ino=137734 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:lib_t tclass=file

And what follows is obviously a kernel panic.

This is a K6-450.
Comment 1 Leonard den Ottolander 2004-09-13 14:09:27 EDT
fixfiles relabel did *not* fix this issue.
Comment 2 Daniel Walsh 2004-09-15 11:34:11 EDT
Try selinux-policy-strict-1.17.16-3

Or just patch
--- nsapolicy/file_contexts/types.fc	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.16/file_contexts/types.fc	2004-09-15
11:25:43.459813532 -0400
@@ -298,6 +298,7 @@
 /lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 
 #
 # /sbin
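
Review bot: the added `/lib(64)?/tls/i486/` entry names exactly one directory under /lib/tls, as the i686/cmov entry above it does, so a library in any other tls subdirectory still falls outside every shlib_t pattern shown in this hunk (the `/lib(64)?/[^/]*/lib[^/]*\.so` entry only reaches one directory level below /lib). Suggest matching the architecture directory with a pattern, for example `/lib(64)?/tls/[^/]*/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t`, so the fix does not have to be repeated per CPU variant. Files already on disk keep their old label until they are relabelled, so the restorecon step has to accompany the patch.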

And restorecon on the shared library
Comment 3 Leonard den Ottolander 2004-09-19 12:14:17 EDT
I'd love to try selinux-policy-strict-1.17.16-3, but RawHide is still
at 1.17.16-2. Why is that?
Comment 4 Daniel Walsh 2004-09-20 06:25:41 EDT
Rawhide is frozen until FC3Test2 is released.  Policy is available via
my people page for now.

Dan
Comment 5 Leonard den Ottolander 2004-09-20 06:31:18 EDT
Let's hope not too many people start testing the strict policy on
FC3t2 on i586s then ;-) . Or is this issue mentioned in the release notes?
Comment 6 Ben Levenson 2004-10-05 15:58:41 EDT
I don't have an i586 up and running to verify this, but I see the
following in /etc/selinux/strict/src/policy/file_contexts/types.fc 
which should fix the problem:

/lib(64)?/tls/i.86/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t

version:selinux-policy-*-1.17.26-3
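
Added example, not part of the bug report or the policy sources: a small Python model of file_contexts matching that shows why the library in the description kept lib_t, and what the i486 patch and the later i.86 entry change. The lib_t catch-all entry, the i586 path, and the last-match-wins precedence are assumptions of this sketch.

```python
import re

# First entry is a constructed stand-in for the rule that produced lib_t in the
# denial; the other three are the context lines of the types.fc hunk.
BASE = r"""
/lib(64)?(/.*)?                                 system_u:object_r:lib_t
/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*      --  system_u:object_r:shlib_t
/lib(64)?/security/[^/]*\.so(\.[^/]*)*      --  system_u:object_r:shlib_t
/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --  system_u:object_r:shlib_t
"""
# Entry added by the patch in comment 2, and the entry quoted in comment 6.
PATCHED = BASE + r"/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t"
FINAL = BASE + r"/lib(64)?/tls/i.86/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t"


def parse(text):
    """Turn file_contexts lines into (compiled regex, file type or None, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ftype = fields[1] if len(fields) == 3 else None  # e.g. "--" = regular file
        specs.append((re.compile(fields[0]), ftype, fields[-1]))
    return specs


def label(text, path, ftype="--"):
    """Context of the last entry matching the whole path (assumed precedence)."""
    result = None
    for regex, want, context in parse(text):
        # Patterns are treated as anchored, so the full path must match.
        if want in (None, ftype) and regex.fullmatch(path):
            result = context
    return result


I486 = "/lib/tls/i486/libc-2.3.3.so"  # path from the AVC denial
I586 = "/lib/tls/i586/libc-2.3.3.so"  # constructed path for an i586 install

if __name__ == "__main__":
    for name, fc in (("base", BASE), ("patched", PATCHED), ("final", FINAL)):
        for path in (I486, I586):
            print(f"{name:8} {path}  ->  {label(fc, path)}")
```

On a live system, `matchpathcon` reports the label the installed policy would assign and `ls -Z` shows the label actually on the file.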