Bug 149819

Summary: Newer kernels cause init services to crash with shared library permission problems
Product: Fedora
Reporter: Gabriel Schulhof <gabrielschulhof>
Component: kernel
Assignee: Dave Jones <davej>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
CC: barryn, dwmw2, jmorris, pfrields, sdsmall, sundaram
Target Milestone: ---
Target Release: ---
Hardware: powerpc
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-09-04 23:22:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 133471
Attachments: Change SELinux execute-related permission checking (flags: none)

Description Gabriel Schulhof 2005-02-27 22:15:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.5) Gecko/20050109 Fedora/1.7.5-3

Description of problem:
Since just after build 766 of the FC devel PPC kernel, selinux has
been broken to the point where many of the init services fail to start:

arping: error while loading shared libraries: cannot restore segment
prot after reloc: Permission denied

Starting system logger: syslogd: error while loading shared libraries:
libc.so.6: failed to map segment from shared object: Permission denied

audit(1109380338.264:0): avc:  denied  { execmem } for  pid=2340
comm=portmap scontext=user_u:system_r:portmap_t
tcontext=user_u:system_r:portmap_t tclass=process
portmap: error while loading shared libraries: libnsl.so.1: failed to
map segment from shared object: Permission denied

audit(1109380338.463:0): avc:  denied  { execmem } for  pid=2357
comm=rpc.statd scontext=user_u:system_r:rpcd_t
tcontext=user_u:system_r:rpcd_t tclass=process
rpc.statd: error while loading shared libraries: libwrap.so.0: failed
to map segment from shared object: Permission denied

audit(1109380339.031:0): avc:  denied  { execmem } for  pid=2392
comm=rpc.idmapd scontext=user_u:system_r:r
rpc.idmapd: error while loading shared libraries: libldap-2.2.so.7:
failed to map segment from shared object: Permission denied

audit(1109380340.832:0): avc:  denied  { execmod } for  pid=2510
comm=smartd path=/usr/sbin/smartd dev=hda5 ino=663228
scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t
tclass=file
/usr/sbin/smartd: error while loading shared libraries: cannot restore
segment prot after reloc: Permission denied

Starting xinetd: audit(1109380341.053:0): avc:  denied  { execmod }
for  pid=2519 comm=xinetd path=/usr/sbin/xinetd dev=hda5 ino=663469
scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t
tclass=file
xinetd: error while loading shared libraries: cannot restore segment
prot after reloc: Permission denied

audit(1109380341.266:0): avc:  denied  { execmem } for  pid=2531
comm=ntpdate scontext=user_u:system_r:ntpd_t
tcontext=user_u:system_r:ntpd_t tclass=process
audit(1109380341.330:0): avc:  denied  { execmem } for  pid=2533
comm=ntpd scontext=user_u:system_r:ntpd_t
tcontext=user_u:system_r:ntpd_t tclass=process
ntpd: error while loading shared libraries: libm.so.6: failed to map
segment from shared object: Permission denied

audit(1109380343.738:0): avc:  denied  { execmod } for  pid=2604
comm=crond path=/usr/sbin/crond dev=hda5 ino=662889
scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t
tclass=file
crond: error while loading shared libraries: cannot restore segment
prot after reloc: Permission denied

audit(1109380346.308:0): avc:  denied  { execmod } for  pid=2654
comm=atd path=/usr/sbin/atd dev=hda5 ino=662510
scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t
tclass=file
/usr/sbin/atd: error while loading shared libraries: cannot restore
segment prot after reloc: Permission denied

This problem has persisted across the following kernels:
kernel-2.6.10-1.1148_FC4
kernel-2.6.10-1.1149_FC4
kernel-2.6.10-1.1153_FC4
kernel-2.6.10-1.1154_FC4
kernel-2.6.10-1.1155_FC4


Version-Release number of selected component (if applicable):
kernel-2.6.10-1.1148_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install fc-devel on your ppc
2. Update to the latest packages (incl. kernel) with you
3. Watch services crash with above error messages

Actual Results:  init scripts failed to launch their daemons, because
of shared library "Permission denied" problems

Expected Results:  All init scripts start and produce pretty green [  OK  ]s.

Additional info:

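To triage denials of this kind from a boot log, here is an added Python example (not code from the bug report, the attached patch, or any Fedora tool) that parses AVC lines in the format quoted above, counts execmem/execmod denials per program, and pairs each denial with the ld.so error that follows it for the same program. The sample log is constructed from the report's own lines with each wrapped message rejoined onto one line.

```python
import re
from collections import Counter

# Constructed sample in the shape of the kernel output quoted in the bug report
# (each wrapped AVC/loader message is rejoined onto a single line).
SAMPLE_LOG = """\
audit(1109380338.264:0): avc:  denied  { execmem } for  pid=2340 comm=portmap scontext=user_u:system_r:portmap_t tcontext=user_u:system_r:portmap_t tclass=process
portmap: error while loading shared libraries: libnsl.so.1: failed to map segment from shared object: Permission denied
Starting xinetd: audit(1109380341.053:0): avc:  denied  { execmod } for  pid=2519 comm=xinetd path=/usr/sbin/xinetd dev=hda5 ino=663469 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file
xinetd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
audit(1109380346.308:0): avc:  denied  { execmod } for  pid=2654 comm=atd path=/usr/sbin/atd dev=hda5 ino=662510 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file
/usr/sbin/atd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
"""

AVC_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+(?P<result>denied|granted)\s+"
                    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
LOADER_RE = re.compile(r"(?P<prog>\S+): error while loading shared libraries: (?P<msg>.*)$")
EXEC_PERMS = {"execmem", "execmod"}   # the two permissions seen in this report

def parse_avc(line):
    """Parse one AVC line into a dict (perms as a list, key=value pairs as keys); None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))   # pid, comm, path, scontext, tcontext, tclass ...
    return rec

def summarize_exec_denials(log_text):
    """Count denied exec-related permissions per (comm, perm, tclass)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                if perm in EXEC_PERMS:
                    counts[(rec.get("comm"), perm, rec.get("tclass"))] += 1
    return counts

def correlate(log_text):
    """Pair each exec-related denial with the ld.so error for the same program on the following line."""
    pairs, pending = [], None
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            pending = rec if rec["result"] == "denied" and EXEC_PERMS & set(rec["perms"]) else None
            continue
        m = LOADER_RE.search(line)
        if m and pending and m.group("prog").rsplit("/", 1)[-1] == pending.get("comm"):
            pairs.append((pending["comm"], pending["perms"][0], m.group("msg")))
        pending = None
    return pairs
```

In the sample, execmem denials (tclass=process) line up with "failed to map segment from shared object" and execmod denials (tclass=file) with "cannot restore segment prot after reloc", which is the split that separates a process-level policy decision from a per-binary one.
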
Comment 1 Stephen Smalley 2005-03-07 20:05:22 UTC
Created attachment 111755 [details]
Change SELinux execute-related permission checking

This attachment contains a patch to change the SELinux execute-related checking
both to address the specific bug in this report (for ppc32) as well as to
address more widely reported issues with the same checks for legacy binaries
and binaries requiring PT_GNU_STACK RWE on x86.  This patch was submitted
against 2.6.11-mm1 to Andrew Morton today, but I was told to also submit in
bugzilla to help ensure that it gets into Fedora Core devel soon.  The patch
does have one overlap with another patch also submitted upstream today for
enhanced MLS support, so you will likely need to hand merge the Kconfig change
(or if necessary, I can try to grab the Fedora Core devel SRPM and re-base the
diff, but that is obviously more painful for me ;).

Comment 2 Stephen Smalley 2005-03-07 20:14:09 UTC
BTW, I'd recommend changing component to kernel and changing architecture to
all, as the kernel patch I just attached to the prior comment is obviously a
kernel fix and addresses more than just the ppc-specific issue.  And this
presumably means that the bug should be assigned to davej instead of dwalsh...

Comment 3 Gabriel Schulhof 2005-03-08 04:45:29 UTC
Well, as of kernel-2.6.11-1.1176_FC4, the problem is still present,
although it doesn't complain about bringing up interface lo anymore.

Comment 4 Stephen Smalley 2005-03-08 12:21:53 UTC
The patch hasn't been included in the FC devel kernel yet AFAIK.
I need someone else to change component to kernel and assigned to
to davej so that he will queue it up for future FC devel kernels; I
can't do it myself.

Comment 5 Stephen Smalley 2005-03-08 14:33:06 UTC
BTW, the patch is now included in 2.6.11-mm2.
So if davej rebases to that, he'll get it automatically.

Comment 6 Dave Jones 2005-03-08 22:25:55 UTC
The -mm kernels are too volatile to consider rebasing to. I've picked
this patch up (and tweaked it slightly, it rejected in Kconfig as you
mentioned above), it'll be in tomorrow's rawhide, and should make it
into FC4 test1.