Bug 139860
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ntpd, httpd: /usr/lib/libgssapi_krb5.so.2.2 | | |
| Product | [Fedora] Fedora | Reporter | Ivan Gyurdiev <ivg231> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED RAWHIDE | CC | barryn |
| Severity | medium | Priority | medium |
| Version | rawhide | Doc Type | Bug Fix |
| Hardware | i386 | OS | Linux |
| Last Closed | 2004-11-23 18:12:24 UTC | | |

Description
Ivan Gyurdiev
2004-11-18 15:07:50 UTC
These have the wrong context on them. `restorecon /usr/lib/libgssapi_krb5.so.2.2` should fix the problem.

The real question is why is this happening? Did you just do a yum update on this machine and the context get screwed up? Any chance prelink caused this problem? I.e., check /var/log/prelink.log for any mention of this file.

Thanks for your help.

Dan

Yes, restorecon /usr/lib/* and /lib/* fixed the problem. Affected libraries were all over the place, and they seemed to come from krb5-libs, compat-db and things I upgraded today via yum. Also, in the middle of the upgrade I started getting lots of selinux policy warnings. They went away after I rebooted. The upgrade included libselinux and libselinux-devel. I also might have upgraded selinux-policy-targeted today, not sure in what order I did all of this. Yum is broken so I upgraded packages manually.

As far as prelink is concerned you'll have to be more specific - there's lots of things in that file, including the libgssapi.

Basically on prelink, I want to know if it is reporting any errors on matchpathcon, selinux, or file context, that might be causing the problem. So you believe the problem might be yum/RPM?

Dan

There are no permission related or selinux errors in the prelink file at all. The problem is most likely related to RPM somehow. Disregard yum above - I didn't use yum anywhere because it's currently broken - don't know why I wrote that.

More problems - upgraded libselinux and selinux-policy-targeted again, and now I get this:

```
[root@cobra ~]# ldconfig
ldconfig: Input file /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3 not found.
ldconfig: Input file /usr/lib/qt-3.3/lib/libqui.so.1.0.0 not found.
ldconfig: Input file /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 not found.
ldconfig: Input file /usr/lib/tls/libnvidia-tls.so.1.0.6629 not found.
[root@cobra ~]#
```

because the context of those libs is root:object_r:lib_t

Restorecon fixes the problem.

See, this is what I'm talking about - what causes those warnings:

```
[root@cobra tmp]# rpm -Uvh sel*
Preparing... ########################################### [100%]
1:selinux-policy-targeted########################################### [100%]
[root@cobra tmp]# rm -f sel*
[root@cobra tmp]# rpm -Uvh apmd*
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:xconsole_device_t on line number 161
Preparing... ########################################### [100%]
1:apmd ########################################### [100%]
```

This looks like the file_contexts file got replaced without a policy load.

Dan

The only way I can see this happening is the SELINUXTYPE in the config file does not match the type in the policy rpm, so the file_contexts gets updated in the post install of the source RPM but the policy does not get loaded, since this only happens when the SELINUXTYPE and the type of the rpm match.

Dan

That is not the case. SELINUXTYPE is targeted, and so is the policy I am installing.

```
cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
```

However as far as I can see selinuxenabled is located in sbin, not in bin.

Yup that's the problem, nice catch. Fixed in selinux-policy-*-1.19.4-3
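
The thread ends with the finding that selinuxenabled was being looked for in bin while it lives in sbin, which left file_contexts updated without a policy load. As an added example (not from this bug report or the selinux-policy package), the shell function below lists absolute command paths in a scriptlet that do not resolve to an executable; the function names, the sample scriptlet and the `/usr/bin/selinuxenabled` path in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: find commands a package scriptlet calls by absolute path
# that do not exist as executables under a given root directory.

# missing_cmds ROOT   (scriptlet text on stdin)
# Prints every unique /bin, /sbin, /usr/bin or /usr/sbin path used in the
# scriptlet that is not an executable regular file under ROOT.
missing_cmds() {
    mc_root=${1%/}
    grep -v '^[[:space:]]*#' |              # drop comment lines
    tr -s ' \t\n;&|()"'"'" '\n' |           # one shell word per line
    grep -E '^(/usr)?/s?bin/[^/]+$' |       # keep only command paths
    sort -u |
    while IFS= read -r p; do
        [ -x "$mc_root$p" ] && [ ! -d "$mc_root$p" ] || printf '%s\n' "$p"
    done
}

# Demo on a throwaway root where the tools live in /usr/sbin only.
demo() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/usr/sbin"
    for c in selinuxenabled load_policy; do
        : > "$demo_root/usr/sbin/$c"
        chmod +x "$demo_root/usr/sbin/$c"
    done
    # Constructed post-install scriptlet, not the package's own text.
    missing_cmds "$demo_root" <<'EOF'
# reload policy after file_contexts has been replaced
if /usr/bin/selinuxenabled; then
    /usr/sbin/load_policy
fi
EOF
    rm -rf "$demo_root"
}

demo
```

On an RPM-based system the real scriptlets can be checked with `rpm -q --scripts selinux-policy-targeted | missing_cmds /`.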