Bug 140100

Summary: avc: denied for ntpd, nfs related stuff!
Product: Fedora    Reporter: Steve Murphy <murf>
Component: selinux-policy-targeted    Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
Severity: medium    Priority: medium
Version: 3    CC: djuran, trevor
Hardware: i386    OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-04-12 21:55:42 UTC

Description Steve Murphy 2004-11-19 19:34:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
I get avc: denied messages during the boot. ntpd will not run,
and the nfs stuff (nfsd, portmapper, etc) will not run. When I try
to "start" these servers via the "Services" GUI, the dialogs that pop
up point to "libm.so.6" (for ntpd) and the NFS start indicates a lack
of permission for "libnsl.so.1".  These files in /lib are soft links to
libm-2.3.3.so, and libnsl-2.3.3.so, respectively.

This is strange. I just loaded (as a new install, erasing previous)
FC3 on a machine, and it has no such problems. But this system was
upgraded from RH9, and ALL the available up2date stuff has been applied.

What can be done to get around this? The messages that are generated
do not quickly lead one to conclude that SELinux is perhaps a part of
the problem...



Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.19

How reproducible:
Always

Steps to Reproduce:
1. Reboot, watch messages

Expected Results:  No error messages, ntpd and nfs clients should work OK.

Additional info: Oh, and the messages about ntpd and nfs don't show up
in the logs. just on the console at boot time.

Comment 1 Daniel Walsh 2004-11-19 20:13:10 UTC
Did you relabel the system after you added SELinux?

Upgrade to the latest policy for FC3

selinux-policy-targeted-1.17.30-2.31

Comment 2 Steve Murphy 2004-11-19 20:58:49 UTC
Hmm... OK. Didn't know where this great RPM was, but googled, found a
link to your dir in another bug, went there, picked up 2.33 (no 31
there), and installed it here. Rebooted. Same messages. The avc:
denied has {search}, and the error messages complain about no
permission to load the .so's mentioned previously... 

any other ideas?


Comment 3 Steve Murphy 2004-11-19 21:00:26 UTC
Oh, sorry, forgot to address the first question... No, the system was
not relabeled. Just took my RH9 laptop, applied the FC3 install CDs,
and then did the complete up2date thing, and here I am.


Comment 4 Daniel Walsh 2004-11-21 03:06:32 UTC
Touch /.autorelabel
reboot


Comment 5 Steve Murphy 2004-11-21 22:27:05 UTC
That took a few minutes, but the deed is done. It has done some good,
it looks like the up2date stuff works again, nfsd is running, and I
can mount nfs partitions... 

I see this message on the console as I boot (along with several others):

name=libnss_nisplus-2.3.3.so dev=hda3 ino=8164472
Scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t
tclass=file


does this help? Still no ntpd, I'll see what else isn't working...


Comment 6 Daniel Walsh 2004-11-22 20:30:51 UTC
Could you see if you can get the full message using dmesg?

Dan

Comment 7 Steve Murphy 2004-11-22 21:05:27 UTC
I learn something new every day.

Here is what dmesg generates:

IDE controller at PCI slot 0000:00:04.0
ACPI: PCI interrupt 0000:00:04.0[A]: no GSI
ALI15X3: chipset revision 195
ALI15X3: not 100% native mode: will probe irqs later
    ide0: BM-DMA at 0xeff0-0xeff7, BIOS settings: hda:DMA, hdb:pio
    ide1: BM-DMA at 0xeff8-0xefff, BIOS settings: hdc:DMA, hdd:pio
Probing IDE interface ide0...
hda: IC25N030ATCS04-0, ATA DISK drive
Using cfq io scheduler
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Probing IDE interface ide1...
hdc: TOSHIBA DVD-ROM SD-R2102, ATAPI CD/DVD-ROM drive
ide1 at 0x170-0x177,0x376 on irq 15
Probing IDE interface ide2...
ide2: Wait for ready failed before probe !
Probing IDE interface ide3...
ide3: Wait for ready failed before probe !
Probing IDE interface ide4...
ide4: Wait for ready failed before probe !
Probing IDE interface ide5...
ide5: Wait for ready failed before probe !
hda: max request size: 128KiB
hda: 58605120 sectors (30005 MB) w/1768KiB Cache, CHS=58140/16/63,
UDMA(33)
hda: cache flushes not supported
 hda: hda1 hda2 hda3 hda4 < hda5 >
hdc: ATAPI 24X DVD-ROM CD-R/RW drive, 2048kB Cache, UDMA(33)
Uniform CD-ROM driver Revision: 3.20
ide-floppy driver 0.99.newide
usbcore: registered new driver hiddev
usbcore: registered new driver usbhid
drivers/usb/input/hid-core.c: v2.0:USB HID core driver
mice: PS/2 mouse device common for all mice
input: AT Translated Set 2 keyboard on isa0060/serio0
input: PS/2 Generic Mouse on isa0060/serio1
md: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27
NET: Registered protocol family 2
IP: routing cache hash table of 2048 buckets, 64Kbytes
TCP: Hash tables configured (established 262144 bind 37449)
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
ACPI: (supports S0 S3 S4 S4bios S5)
ACPI wakeup devices: 
USB1 ASND VIY0 VIY1  LAN  LID 
Freeing unused kernel memory: 148k freed
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
security:  3 users, 4 roles, 305 types, 19 bools
security:  53 classes, 6679 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev hda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for
labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured
for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses
genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
inserting floppy driver for 2.6.9-1.678_FC3
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
e100: Intel(R) PRO/100 Network Driver, 3.0.27-k2-NAPI
e100: Copyright(c) 1999-2004 Intel Corporation
ACPI: PCI interrupt 0000:00:0a.0[A] -> GSI 11 (level, low) -> IRQ 11
divert: allocating divert_blk for eth0
e100: eth0: e100_probe: addr 0xf7efe000, irq 11, MAC addr
00:00:39:FC:FC:3B
PCI: Enabling device 0000:00:06.0 (0000 -> 0003)
ACPI: PCI interrupt 0000:00:06.0[A] -> GSI 11 (level, low) -> IRQ 11
ohci_hcd: 2004 Feb 02 USB 1.1 'Open' Host Controller (OHCI) Driver (PCI)
ACPI: PCI interrupt 0000:00:02.0[A] -> GSI 11 (level, low) -> IRQ 11
ohci_hcd 0000:00:02.0: OHCI Host Controller
ohci_hcd 0000:00:02.0: irq 11, pci mem 41832000
SELinux: initialized (dev usbdevfs, type usbdevfs), uses genfs_contexts
ohci_hcd 0000:00:02.0: new USB bus registered, assigned bus number 1
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 3 ports detected
Linux Kernel Card Services
  options:  [pci] [cardbus] [pm]
PCI: Enabling device 0000:00:11.0 (0000 -> 0002)
ACPI: PCI interrupt 0000:00:11.0[A] -> GSI 11 (level, low) -> IRQ 11
Yenta: CardBus bridge found at 0000:00:11.0 [1179:0001]
Yenta: ISA IRQ mask 0x04b8, PCI irq 11
Socket status: 30000007
PCI: Enabling device 0000:00:11.1 (0000 -> 0002)
ACPI: PCI interrupt 0000:00:11.1[B] -> GSI 11 (level, low) -> IRQ 11
Yenta: CardBus bridge found at 0000:00:11.1 [1179:0001]
Yenta: ISA IRQ mask 0x04b8, PCI irq 11
Socket status: 30000007
usb 1-1: new low speed USB device using address 2
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
input: USB HID v1.00 Mouse [0461:4d03] on usb-0000:00:02.0-1
usb 1-2: new full speed USB device using address 3
drivers/usb/class/usblp.c: usblp0: USB Bidirectional printer dev 3 if
0 alt 0 proto 2 vid 0x04B8 pid 0x0005
usbcore: registered new driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
ACPI: AC Adapter [ADP1] (on-line)
ACPI: Battery Slot [BAT1] (battery present)
ACPI: Power Button (FF) [PWRF]
ACPI: Lid Switch [LID]
toshiba_acpi: Toshiba Laptop ACPI Extras version 0.18
toshiba_acpi:     HCI method: \_SB_.VALD.GHCI
EXT3 FS on hda3, internal journal
device-mapper: 4.1.0-ioctl (2003-12-10) initialised: dm.com
hdc: packet command error: status=0x51 { DriveReady SeekComplete Error }
hdc: packet command error: error=0x50
ide: failed opcode was 100
cdrom: open failed.
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1101070464.342:0): avc:  granted  { setenforce } for  pid=206 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
audit(1101071004.373:0): avc:  granted  { setenforce } for  pid=206 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Adding 489940k swap on /dev/hda5.  Priority:-1 extents:1
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses
genfs_contexts
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
cs: IO port probe 0x0c00-0x0cff: clean.
cs: IO port probe 0x0100-0x04ff: excluding 0x200-0x207 0x220-0x22f
0x330-0x337 0x378-0x37f 0x388-0x38f 0x408-0x40f 0x480-0x48f 0x4d0-0x4d7
cs: IO port probe 0x0a00-0x0aff: clean.
ip_tables: (C) 2000-2002 Netfilter core team
ip_tables: (C) 2000-2002 Netfilter core team
e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex
audit(1101071015.988:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.990:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.990:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.280:0): avc:  denied  { read } for  pid=1856 exe=/sbin/portmap name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.281:0): avc:  denied  { read } for  pid=1856 exe=/sbin/portmap name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.281:0): avc:  denied  { read } for  pid=1856 exe=/sbin/portmap name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071016.330:0): avc:  denied  { read } for  pid=1856 exe=/sbin/portmap name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:var_spool_t tclass=file
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses
genfs_contexts
i2c /dev entries driver
NET: Registered protocol family 23
IrCOMM protocol (Dag Brattli)
CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2
NET: Registered protocol family 10
Disabled Privacy Extensions on device 0236ca40(lo)
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1101071028.011:0): avc:  denied  { read } for  pid=2456 exe=/usr/sbin/ntpdate name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.012:0): avc:  denied  { read } for  pid=2456 exe=/usr/sbin/ntpdate name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.012:0): avc:  denied  { read } for  pid=2456 exe=/usr/sbin/ntpdate name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.012:0): avc:  denied  { read } for  pid=2456 exe=/usr/sbin/ntpdate name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.255:0): avc:  denied  { read } for  pid=2460 exe=/usr/sbin/ntpd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc:  denied  { read } for  pid=2460 exe=/usr/sbin/ntpd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc:  denied  { read } for  pid=2460 exe=/usr/sbin/ntpd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc:  denied  { read } for  pid=2460 exe=/usr/sbin/ntpd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
eth0: no IPv6 routers present
Installing knfsd (copyright (C) 1996 okir.de).
SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
lp0: using parport0 (polling).
lp0: console ready
warning: process `update' used the obsolete bdflush system call
Fix your initscripts?
warning: process `update' used the obsolete bdflush system call
Fix your initscripts?
SELinux: initialized (dev 0:14, type nfs), uses genfs_contexts
audit(1101074843.574:0): avc:  denied  { getattr } for  pid=3829 exe=/sbin/ldconfig path=/lib/libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.575:0): avc:  denied  { getattr } for  pid=3829 exe=/sbin/ldconfig path=/lib/libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.575:0): avc:  denied  { getattr } for  pid=3829 exe=/sbin/ldconfig path=/lib/libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.575:0): avc:  denied  { getattr } for  pid=3829 exe=/sbin/ldconfig path=/lib/libnss_hesiod-2.3.3.so dev=hda3 ino=816467 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.576:0): avc:  denied  { getattr } for  pid=3829 exe=/sbin/ldconfig path=/lib/libnss_nis-2.3.3.so dev=hda3 ino=816469 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.576:0): avc:  denied  { getattr } for  pid=3829 exe=/sbin/ldconfig path=/lib/libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.581:0): avc:  denied  { read } for  pid=3829 exe=/sbin/ldconfig name=libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc:  denied  { read } for  pid=3829 exe=/sbin/ldconfig name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc:  denied  { read } for  pid=3829 exe=/sbin/ldconfig name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc:  denied  { read } for  pid=3829 exe=/sbin/ldconfig name=libnss_hesiod-2.3.3.so dev=hda3 ino=816467 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.582:0): avc:  denied  { read } for  pid=3829 exe=/sbin/ldconfig name=libnss_nis-2.3.3.so dev=hda3 ino=816469 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.583:0): avc:  denied  { read } for  pid=3829 exe=/sbin/ldconfig name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.900:0): avc:  denied  { read } for  pid=3831 exe=/sbin/ldconfig name=libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.900:0): avc:  denied  { read } for  pid=3831 exe=/sbin/ldconfig name=libnss_dns-2.3.3.so dev=hda3 ino=816461 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.900:0): avc:  denied  { read } for  pid=3831 exe=/sbin/ldconfig name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.901:0): avc:  denied  { read } for  pid=3831 exe=/sbin/ldconfig name=libnss_hesiod-2.3.3.so dev=hda3 ino=816467 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.901:0): avc:  denied  { read } for  pid=3831 exe=/sbin/ldconfig name=libnss_nis-2.3.3.so dev=hda3 ino=816469 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074857.901:0): avc:  denied  { read } for  pid=3831 exe=/sbin/ldconfig name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
input: AT Translated Set 2 keyboard on isa0060/serio0
input: AT Translated Set 2 keyboard on isa0060/serio0
input: AT Translated Set 2 keyboard on isa0060/serio0
SELinux: initialized (dev 0:15, type nfs), uses genfs_contexts


There it is.


Comment 8 Daniel Walsh 2004-11-22 21:21:12 UTC
Where does libnss_files-2.3.3.so exist on your machine?

if it exists in /lib then the following should fix the labeling 

restorecon -R -v /lib /usr/lib 

Should fix the context on the libraries.  Why they are labeled
/var/spool is beyond me.
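
The dmesg dump above is easier to act on once the denials are grouped by process, permission and label instead of read one record at a time. What follows is an added example, not code from this bug thread or from Fedora's tooling: a POSIX shell/awk triage of AVC records in the format Comment 7 shows, run here on a constructed sample copied in form from Comments 7 and 16 (the timestamp on the libpri line is invented; the thread gives none). It then flags any object that is named like a shared library but carries a non-library type, which is the var_spool_t mislabel this bug is about. The list of types it accepts as "library" (shlib_t, textrel_shlib_t) is an assumption based on what restorecon assigns in Comment 18 under the FC3 policy.

```shell
#!/bin/sh
# Added example (not from the bug thread): triage of SELinux AVC records of
# the kind pasted from dmesg in Comment 7. Groups denials by who, what and
# which label, then flags shared-library-looking objects whose type is not a
# library type. LIB_TYPES is an assumption taken from Comment 18 (restorecon
# assigned shlib_t on that FC3 policy); override it for another policy.

# Constructed sample: six records copied in form from Comments 7 and 16.
# The timestamp on the libpri line is invented; the thread does not give one.
SAMPLE_AVC='audit(1101071015.988:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071015.989:0): avc:  denied  { read } for  pid=1826 exe=/sbin/syslogd name=libnss_files-2.3.3.so dev=hda3 ino=816464 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101071028.256:0): avc:  denied  { read } for  pid=2460 exe=/usr/sbin/ntpd name=libnss_nisplus-2.3.3.so dev=hda3 ino=816472 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101074843.574:0): avc:  denied  { getattr } for  pid=3829 exe=/sbin/ldconfig path=/lib/libnss_compat-2.3.3.so dev=hda3 ino=816245 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:var_spool_t tclass=file
audit(1101070464.342:0): avc:  granted  { setenforce } for  pid=206 exe=/bin/bash scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
audit(1103800000.000:0): avc:  denied  { read } for  pid=2959 exe=/sbin/ldconfig name=libpri.so.1.0 dev=dm-0 ino=2674205 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file'

# One line per distinct (verdict, permission, exe, source type, target type,
# object), prefixed with how often it was seen. The kernel commonly logs the
# same denial twice (lookup, then read), so the key matters more than the count.
avc_summary() {
  awk '
    /avc: +(denied|granted)/ {
      verdict = ($0 ~ /avc: +denied/) ? "denied" : "granted"
      b = index($0, "{"); e = index($0, "}")
      perm = substr($0, b + 1, e - b - 1); gsub(/^ +| +$/, "", perm)
      exe = ""; obj = ""; s = ""; t = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "exe") exe = v
        else if (k == "name" || k == "path") obj = v
        else if (k == "scontext") s = v
        else if (k == "tcontext") t = v
      }
      # keep only the type of user:role:type (FC3 had no MLS range field)
      sub(/.*:/, "", s); sub(/.*:/, "", t)
      count[verdict " " perm " " exe " " s " " t " " obj]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k2
}

# Types a shared object is expected to carry (assumption, see header comment).
LIB_TYPES="${LIB_TYPES:-shlib_t textrel_shlib_t}"

# Denied accesses to an object named lib*.so* whose type is not in LIB_TYPES.
# Output: "<object> <actual type>", one per line.
avc_suspect_lib_labels() {
  avc_summary | awk -v ok="$LIB_TYPES" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
    $2 == "denied" && $7 ~ /lib[^ ]*\.so/ && !($6 in good) { print $7, $6 }
  '
}

# On a live box: dmesg | avc_suspect_lib_labels
printf '%s\n' "$SAMPLE_AVC" | avc_suspect_lib_labels
```

Run as-is it prints the four mislabeled objects from the sample (three libnss files carrying var_spool_t and libpri.so.1.0 carrying lib_t). On a live system, feed dmesg in, then run restorecon on the reported paths as suggested in the comment above and re-check; a denial that survives relabeling is a policy gap rather than a labeling bug and needs a different fix. The parser expects one record per line, as the kernel prints them; pasted logs that were wrapped need re-joining first.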



Comment 9 Steve Murphy 2004-11-22 22:02:03 UTC
strange! I did a locate on that file...


[root@lurch /]# locate libnss_files-2.3.3.so
/var/spool/postfix/lib/libnss_files-2.3.3.so
/lib/libnss_files-2.3.3.so
[root@lurch /]# 

And, sure enough, there is a /var/spool/postfix, dated 8 Nov, in my
/var/spool/ dir. I don't THINK I did any playing with postfix in my
spool dir within the last month, if ever... I really can't explain why
it's there! But I checked, and no package seems to be associated with
those dirs/files, so I removed this stuff from /var/spool, and
will now do a boot. I should have waited to enter this, until after
the reboot, but I wanted to show the results above, copied and pasted
from the shell. More in a bit.


Comment 10 Colin Walters 2004-11-22 22:18:36 UTC
That's probably postfix trying to set up a chroot for itself.  We need
to make sure the postfix scripts preserve the security contexts of
files when setting up the chroot; if it's using "cp", it should be
passing the -c option.

(Ideally though we dump the whole Postfix chrooting thing and switch
to confining it with SELinux, which is much stronger protection and
doesn't require copying files around)

Comment 11 Steve Murphy 2004-11-22 22:34:23 UTC
OK, just a reboot after removing the /var/spool/postfix dir, didn't do
anything. A quick run of ldconfig -v showed all sorts of "permission
denied" messages. I ran the restorecon command, which generated a lot
of warnings about soft links, and then rebooted. That did it. The avc
messages at boot time are gone. ntpd is running. Very good. ldconfig -v
now runs pretty clean.

One of my self-installed utilities, gringotts, which I just compiled
and installed, segfaults, but when I run it under the debugger, it
runs fine... I'll sort that out later...

Did one of the package updates do something funny with
/var/spool/postfix? Is this/Could this be the cause of all the
/var/spool nonsense?

murf


Comment 12 Trevor Cordes 2004-11-28 14:21:05 UTC
I had a similar problem.  I upgraded from FC1->FC2->FC3 and when in
FC3 I turned on SElinux and policy-targeted.  Booted and almost no
services would run, esp the important ones like named.

I'll try touch /.autorelabel

Here's the big question: why doesn't anaconda (or any of the rpm's) do
this relabel thing automagically?  Anyone upgrading and trying to turn
on SElinux will hit this problem and the solution is very obscure.


Comment 13 Steve Murphy 2004-11-28 14:36:19 UTC
While we are on the subject, let me note that I could have solved this
problem on my own (maybe) IF I HAD DOCUMENTATION.

I've gone to the NSA site and looked at the documentation they have on
SELinux, and... well... I haven't read it all yet, but what I have
read is wonderfully general and non-implementation specific. 

The most critical thing (IMNASHO) that FC could provide right now, is
some good documentation on SELinux, and common probs and how to solve
them. Heh, hehe, this stuff is most likely SO new that there is no
such thing (yet) as a "common problem"...


Comment 14 Steve Murphy 2004-11-28 14:50:13 UTC
One more thing! Above, you mention "cp" and using the "-c" option.
Yet, the man pages don't mention a "-c" option for cp, nor does
cp --help show any such option. I assume that incorporating SELinux
will involve massive changes, like enhancements to dozens of utilities,
documentation, etc?

Comment 15 Daniel Walsh 2004-11-29 14:08:47 UTC
Colin should have said -p for preserving the security contexts of the
files.

Dan

Comment 16 Steve Murphy 2004-12-23 21:18:11 UTC
OK, here is a new, but seemingly highly related problem: I can no
longer install some of the low-level libs for asterisk, nor run it
any longer! I get:

avc: denied { read } for pid=2959 exe=/sbin/ldconfig name=libpri.so.1.0 dev=dm-0 ino=2674205 scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file

I've done the /.autorelabel and the restorecon thing, but these do not
help the situation. What do I do?

Comment 17 Daniel Walsh 2004-12-23 23:12:37 UTC
After you do a make install that installs libraries you need to run
restorecon on the directories to fix the file context on the libs.

restorecon -R -v /usr/local/lib

Comment 18 Steve Murphy 2004-12-24 03:42:02 UTC
Already did that. Been reading the FAQ and did a ls -alZ on the
libpri.so file, and I get:

[root@phone lib]# ls -alZ libpri*
-rw-r--r--  root     root     root:object_r:lib_t              libpri.a
lrwxrwxrwx  root     root     root:object_r:lib_t              libpri.so
-rwxr-xr-x  root     root     root:object_r:lib_t              libpri.so.1.0

Doing the same thing on another file in the distribution that was
installed, I see:

[root@phone lib]# ls -alZ libzap*
-rw-r--r--  root     root     system_u:object_r:lib_t          libzap.a
lrwxrwxrwx  root     root     system_u:object_r:lib_t          libzap.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        libzap.so.1

I did the restorecon -R -v on the /usr/lib dir, which did no good,
but when I did it on the libpri.so.1.0 file, it changed it to shlib_t
and all is now well...

What happened to mislabel the file?

Many thanks!



Comment 19 Daniel Walsh 2004-12-24 05:45:36 UTC
Did the file get replaced by a make install?

If so then it will get the default context of the directory that it
was installed into (lib_t).

Dan

Comment 20 Steve Murphy 2004-12-24 15:33:46 UTC
I'm sure it was, as this seems the standard procedure for updating
libraries...? How should it be done? Delete the so in the lib dir,
and then install it?
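
Comment 19 explains the mechanism (a file that make install writes into the lib directory takes that directory's default type, lib_t) and Comment 20 asks how an install should be done instead. The following is an added example, not code from the thread or from any project's Makefile: a POSIX shell post-install step that checks a library directory's labels the way Comment 18 did by hand with ls -alZ, and a relabel function that does what Comment 17 recommends. It reads listing lines in the five-column layout shown in Comment 18 (perms, user, group, context, name); newer coreutils print more columns with ls -lZ, so the field positions are an assumption tied to that FC3 output. The expected-type table (regular .so files are shlib_t, static archives and symlinks lib_t) is likewise taken from the libzap listing in Comment 18 and is specific to that policy; later policies collapsed shlib_t into lib_t.

```shell
#!/bin/sh
# Added example (not from the bug thread): post-"make install" label check
# and relabel for a library directory. A file written by "make install"
# inherits the directory default (lib_t, Comment 19); restorecon re-applies
# the file-context spec, which on the FC3 policy in this thread gives regular
# shared objects shlib_t while symlinks and .a archives keep lib_t (Comment 18).
# The expected types and the five-column "ls -Z" layout are assumptions.

# Expected type for a regular file, keyed by name. Empty means "not a library
# file we have an expectation for".
expected_lib_type() {
  case "$1" in
    *.so|*.so.*) echo shlib_t ;;
    *.a|*.la)    echo lib_t ;;
    *)           echo "" ;;
  esac
}

# Reads "<perms> <user> <group> <user:role:type> <name>" lines on stdin and
# prints "<name> <actual> <expected>" for each regular file whose type is
# wrong. Symlinks and directories are skipped on purpose: the spec gives them
# the directory default, so lib_t on the "libpri.so" symlink is correct.
check_lib_labels() {
  while read -r perms _user _group ctx name; do
    case "$perms" in -*) ;; *) continue ;; esac
    want=$(expected_lib_type "$name")
    [ -n "$want" ] || continue
    have=${ctx##*:}              # user:role:type -> type (no MLS range on FC3)
    [ "$have" = "$want" ] || echo "$name $have $want"
  done
}

# Relabel after install, as Comment 17 advises. Returns 2 and changes nothing
# where restorecon is not installed, so the same install script still works
# on a box without SELinux tooling.
relabel_libs() {
  if command -v restorecon >/dev/null 2>&1; then
    restorecon -R -v "$1"
  else
    echo "restorecon not found; not relabelling $1" >&2
    return 2
  fi
}

# Constructed sample: the two listings from Comment 18, joined into one.
SAMPLE_LS='-rw-r--r--  root     root     root:object_r:lib_t              libpri.a
lrwxrwxrwx  root     root     root:object_r:lib_t              libpri.so
-rwxr-xr-x  root     root     root:object_r:lib_t              libpri.so.1.0
-rw-r--r--  root     root     system_u:object_r:lib_t          libzap.a
lrwxrwxrwx  root     root     system_u:object_r:lib_t          libzap.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        libzap.so.1'

# After "make install" on a live box:
#   ls -alZ /usr/local/lib | check_lib_labels   # expect no output
#   relabel_libs /usr/local/lib                 # if anything was reported
printf '%s\n' "$SAMPLE_LS" | check_lib_labels
```

On the sample this reports exactly the file from Comment 18 that restorecon later fixed, libpri.so.1.0 with lib_t instead of shlib_t, and stays quiet about the symlink and the archive. Wiring check_lib_labels after the install target, and failing the build when it prints anything, turns the silent label drift into a visible install error instead of a runtime avc denial.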


Comment 21 Steve Murphy 2004-12-29 23:50:35 UTC
OK, well, I modified the makefile to restorecon the libs immediately
after the install.

ANOTHER ISSUE: I have built and installed gringotts, a little utility
I use. It installs owned by root, setuid. If I un-setuid it, it runs,
but with the setuid bit on, it won't run. So, I suspect it's a SELinux
prob... 

When I run it without setuid, it's got all its memory protection stuff
turned off.  

So, what is the magic cookie for this? restorecon -v has no effect.



Comment 22 Daniel Walsh 2004-12-30 03:14:29 UTC
SELinux should have no effect on the APP.  You can temporarily turn
off SELinux enforcement with setenforce 0.  But with targeted policy
the app should be running in unconfined_t which would allow the app to
do what it wants.  I have a feeling you have a DAC problem.

Dan