Bug 1583084
| Field | Value |
|---|---|
| Summary | SELinux is preventing ldconfig from map access on the file /usr/lib64/libfreeblpriv3.so |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.6 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Keywords | Regression |
| Fixed In Version | selinux-policy-3.13.1-205.el7 |
| Reporter | Lukas Slebodnik <lslebodn> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Milos Malik <mmalik> |
| CC | apeetham, ernunes, jikortus, jpazdziora, lslebodn, lvrabec, mgrepl, mmalik, pbunyan, plautrba, ssekidde, yoyang, zsun |
| Last Closed | 2018-10-30 10:04:11 UTC |
| Type | Bug |
| Bug Blocks | 1568427 |
Are you able to reproduce it after:

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/usr/lib64/libfreeblpriv3.so default label should be lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/lib64/libfreeblpriv3.so

Thanks,
Lukas.

sh# ls -lZ /usr/lib64/libfreeblpriv3.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 /usr/lib64/libfreeblpriv3.so

sh# matchpathcon /usr/lib64/libfreeblpriv3.so
/usr/lib64/libfreeblpriv3.so system_u:object_r:lib_t:s0

I am not sure whether it will help. But I might check this AVC later in enforcing mode after fixing other mmap related AVCs.

Seen a lot of these denials related to different libraries:
----
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:187) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs
type=MMAP msg=audit(06/07/2018 16:58:42.101:187) : fd=4 flags=MAP_SHARED
type=SYSCALL msg=audit(06/07/2018 16:58:42.101:187) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x56f18 a2=PROT_READ a3=MAP_SHARED items=0 ppid=2635 pid=9496 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(06/07/2018 16:58:42.101:187) : avc: denied { map } for pid=9496 comm=ldconfig path=/usr/lib64/libdevmapper.so.1.02 dev="dm-0" ino=9592421 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:188) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs
type=MMAP msg=audit(06/07/2018 16:58:42.101:188) : fd=4 flags=MAP_SHARED
type=SYSCALL msg=audit(06/07/2018 16:58:42.101:188) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0xa12f8 a2=PROT_READ a3=MAP_SHARED items=0 ppid=2635 pid=9496 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(06/07/2018 16:58:42.101:188) : avc: denied { map } for pid=9496 comm=ldconfig path=/usr/lib64/libsepol.so.1 dev="dm-0" ino=9592422 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0
----
I can see them as well with selinux-policy-3.13.1-204.el7.noarch
It seems to be related to dracut.
Jun 16 04:41:06 host.example.com dracut[3083]: *** Installing kernel module dependencies and firmware done ***
Jun 16 04:41:06 host.example.com dracut[3083]: *** Resolving executable dependencies ***
Jun 16 04:41:07 host.example.com beah-srv[3516]: 2018-06-16 04:41:07,067 beah buildProtocol: INFO TaskListener: New client connected from remote address UNIXAddress('')
Jun 16 04:41:07 host.example.com dracut[3083]: *** Resolving executable dependencies done***
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libfreeblpriv3.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libfreebl3.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event.so.1.02.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2mirror.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2raid.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2snapshot.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2thin.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libnss_files-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libnss_files.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libnss_files.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libtinfo.so.5.9.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libtinfo.so.5.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdl-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdl.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdl.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libc-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libc.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libc.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/ld-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/ld-linux-x86-64.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/librt-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/librt.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/librt.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap.so.2.22.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcc_s-4.8.5-20150702.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcc_s.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpthread-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpthread.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpthread.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libattr.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libattr.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libmount.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libmount.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libblkid.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libblkid.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libuuid.so.1.3.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libuuid.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libselinux.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpcre.so.1.2.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpcre.so.1.
Jun 16 04:41:07 host.example.com dbus[1015]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jun 16 04:41:07 host.example.com dracut[3083]: *** Hardlinking files ***
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libkmod.so.2.2.10.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libkmod.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libacl.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libacl.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzma.so.5.2.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzma.so.5.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libz.so.1.2.7.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libz.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblz4.so.1.7.5.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblz4.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcrypt.so.11.8.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcrypt.so.11.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libqrencode.so.3.4.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libqrencode.so.3.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgpg-error.so.0.10.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgpg-error.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libudev.so.1.6.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libudev.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libm-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libm.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libm.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdw-0.172.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdw.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libelf-0.172.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libelf.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libbz2.so.1.0.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libbz2.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libprocps.so.4.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libprocps.so.4.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsystemd.so.0.6.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsystemd.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libresolv-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libresolv.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libresolv.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper.so.1.02.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsepol.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaio.so.1.0.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaio.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libreadline.so.6.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libreadline.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpci.so.3.5.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpci.so.3.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsnappy.so.1.1.4.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsnappy.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzo2.so.2.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzo2.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libstdc++.so.6.0.19.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libstdc++.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpam.so.0.83.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpam.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaudit.so.1.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaudit.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap-ng.so.0.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap-ng.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2.so.2.02.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblvm2cmd.so.2.02.
Jun 16 04:41:07 host.example.com dracut[3083]: *** Hardlinking files done ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Stripping files ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Stripping files done ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Generating early-microcode cpio image contents ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** No early-microcode cpio image needed ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Store current command line parameters ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Creating image file ***
Jun 16 04:41:08 host.example.com dbus[1015]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jun 16 04:41:08 host.example.com setroubleshoot[9781]: SELinux is preventing /usr/sbin/ldconfig from map access on the file /usr/lib64/libfreeblpriv3.so.
//snip
Jun 16 04:41:14 host.example.com dracut[3083]: drwxr-xr-x 13 root root 0 Jun 16 04:41 .
Jun 16 04:41:14 host.example.com dracut[3083]: crw-r--r-- 1 root root 5, 1 Jun 16 04:41 dev/console
Jun 16 04:41:14 host.example.com dracut[3083]: crw-r--r-- 1 root root 1, 11 Jun 16 04:41 dev/kmsg
Jun 16 04:41:14 host.example.com dracut[3083]: crw-r--r-- 1 root root 1, 3 Jun 16 04:41 dev/null
This is a regression against RHEL 7.5.

*** Bug 1594832 has been marked as a duplicate of this bug. ***

*** Bug 1595785 has been marked as a duplicate of this bug. ***

*** Bug 1597608 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
SELinux is preventing ldconfig from map access on the file /usr/lib64/libfreeblpriv3.so.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/usr/lib64/libfreeblpriv3.so default label should be lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/lib64/libfreeblpriv3.so

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that ldconfig should be allowed map access on the libfreeblpriv3.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ldconfig' --raw | audit2allow -M my-ldconfig
# semodule -i my-ldconfig.pp

Additional Information:
Source Context                system_u:system_r:ldconfig_t:s0
Target Context                system_u:object_r:kdumpctl_tmp_t:s0
Target Objects                /usr/lib64/libfreeblpriv3.so [ file ]
Source                        ldconfig
Source Path                   ldconfig
Port                          <Unknown>
Host                          bkr-hv01-guest24.example.com
Source RPM Packages
Target RPM Packages           nss-softokn-freebl-3.36.0-5.el7_5.x86_64
Policy RPM                    selinux-policy-3.13.1-197.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     bkr-hv01-guest24.example.com
Platform                      Linux bkr-hv01-guest24.example.com 3.10.0-893.el7.x86_64 #1 SMP Thu May 24 21:37:14 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-26 09:12:44 EDT
Last Seen                     2018-05-26 09:12:44 EDT
Local ID                      359d8431-4654-48eb-a1f9-0d97c4d23ed2

Raw Audit Messages
type=AVC msg=audit(1527340364.451:62): avc: denied { map } for pid=9288 comm="ldconfig" path="/usr/lib64/libfreeblpriv3.so" dev="dm-0" ino=493560 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=1

Hash: ldconfig,ldconfig_t,kdumpctl_tmp_t,file,map
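For triaging a burst of denials like the ones quoted in this bug, the following added example (not part of the bug report or of selinux-policy) groups AVC records by the same comm, source type, target type, class, permission tuple as the `Hash:` line in the report, and attaches the `-r` root from the PROCTITLE record of the same event. The function name `summarize` and the embedded sample (records copied from this page) are choices made for this example; it expects interpreted `ausearch -i` output or raw AVC lines.

```python
import re
from collections import defaultdict

# Records copied from this bug (two interpreted events from `ausearch -i`,
# one raw AVC); the SYSCALL and MMAP lines are left out for brevity.
SAMPLE = '''\
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:187) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs
type=AVC msg=audit(06/07/2018 16:58:42.101:187) : avc: denied { map } for pid=9496 comm=ldconfig path=/usr/lib64/libdevmapper.so.1.02 dev="dm-0" ino=9592421 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:188) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs
type=AVC msg=audit(06/07/2018 16:58:42.101:188) : avc: denied { map } for pid=9496 comm=ldconfig path=/usr/lib64/libsepol.so.1 dev="dm-0" ino=9592422 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1527340364.451:62): avc: denied { map } for pid=9288 comm="ldconfig" path="/usr/lib64/libfreeblpriv3.so" dev="dm-0" ino=493560 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=1
'''

EVENT = re.compile(r'msg=audit\(([^)]+)\)')        # timestamp:serial, shared by one event
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # permission list inside { }
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, quoted or bare
ALT_ROOT = re.compile(r'(?:^|\s)-r\s+(\S+)')        # ldconfig -r <root>


def summarize(audit_text):
    """Group AVC denials by comm,source type,target type,class,permission."""
    proctitles, denials = {}, []
    for line in audit_text.splitlines():
        event = EVENT.search(line)
        if not event:
            continue
        if line.startswith('type=PROCTITLE') and 'proctitle=' in line:
            # Interpreted form only; raw logs hex-encode this field.
            proctitles[event.group(1)] = line.split('proctitle=', 1)[1]
        elif line.startswith('type=AVC'):
            denied = DENIED.search(line)
            if denied:
                fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
                denials.append((event.group(1), denied.group(1).split(), fields))

    groups = defaultdict(lambda: {'paths': [], 'alt_roots': set(), 'enforced': 0})
    for event_id, perms, f in denials:
        stype = f['scontext'].split(':')[2]
        ttype = f['tcontext'].split(':')[2]
        root = ALT_ROOT.search(proctitles.get(event_id, ''))
        for perm in perms:
            g = groups[','.join((f['comm'], stype, ttype, f['tclass'], perm))]
            g['paths'].append(f.get('path', '?'))
            g['enforced'] += f.get('permissive') == '0'  # count denials that were enforced
            if root:
                g['alt_roots'].add(root.group(1))
    return dict(groups)


if __name__ == '__main__':
    for key, g in summarize(SAMPLE).items():
        print(key, g['enforced'], 'enforced of', len(g['paths']), sorted(g['alt_roots']))
```

When `alt_roots` is non-empty, ldconfig was run with `-r`, which makes it use that directory as its root, so `path=` names a file under that root and `ls -lZ` or `matchpathcon` on the same path on the host inspects a different file than the one that was denied.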