Bug 160331

Summary: update to selinux-policy-targeted breaks 3rd party apps (like wine + Lotus Notes, IBM db2, etc)
Product: [Fedora] Fedora
Reporter: James Hunt <jamesodhunt>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 3
CC: dwm, jose.p.oliveira.oss, mail
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 1.25.2-4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-21 19:16:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description James Hunt 2005-06-14 14:55:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The update to selinux-policy-targeted-1.17.30-3.2 that I received on June 10, 2005 has broken Wine / Lotus Notes. Here are the log messages I get when I attempt to start Notes:

audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

This worked with selinux-policy-targeted-1.17.30-2.96.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2 

How reproducible:
Always

Steps to Reproduce:
1. start notes under wine
2. watch the splash screen appear and then disappear
3. observe the error in the ring buffer by typing 'dmesg'.
  

Actual Results:  Application (Lotus Notes) did not start, and this message appeared in the ring buffer:

audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

Expected Results:  I expected no error, and for Notes to start, as it did when I was running with
selinux-policy-targeted-1.17.30-2.96.


Additional info:

I have very similar errors ("avc: denied { execmod }") for IBM's DB2 and eclipse (haven't had a chance to check running all the other 3rd party apps I've got installed). Here is a DB2 example:

audit(1118735088.338:0): avc:  denied  { execmod } for  pid=5997 comm=db2dasstm path=/usr/IBM/db2/V8.1/das/function/db2mdfile dev=dm-5 ino=720934 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

I'm not a SELinux guru, but it appears that the major change introduced by selinux-policy-targeted-1.17.30-3.2 was all the boolean stuff:

sdiff /etc/selinux/targeted/booleans /tmp/old/selinux/etc/selinux/targeted/
allow_execmem=1                                               <
allow_execmod=1                                               <
allow_execstack=1                                             <
allow_kerberos=1                                              <
allow_ypbind=1                                                <
dhcpd_disable_trans=0                                         <
httpd_builtin_scripting=0                                     <
httpd_can_network_connect=0                                   <
httpd_disable_trans=0                                         <
httpd_enable_cgi=1                                              httpd_enable_cgi=1
httpd_enable_homedirs=1                                         httpd_enable_homedirs=1
httpd_ssi_exec=1                                                httpd_ssi_exec=1
httpd_tty_comm=0                                              <
httpd_unified=1                                               <
mysqld_disable_trans=0                                        <
named_disable_trans=0                                         <
named_write_master_zones=0                                      named_write_master_zones=0
nscd_disable_trans=0                                          | httpd_unified=1
ntpd_disable_trans=0                                          | httpd_tty_comm=0
portmap_disable_trans=0                                       <
postgresql_disable_trans=0                                    <
snmpd_disable_trans=0                                         <
squid_disable_trans=0                                         <
syslogd_disable_trans=0                                       <
use_nfs_home_dirs=0                                           <
use_samba_home_dirs=0                                         <
use_syslogng=0                                                <
winbind_disable_trans=0                                       <
ypbind_disable_trans=0                                        <

I tried to change allow_execmod to "0", but got my fingers singed as I couldn't even run '/bin/clear' after that!! The "fix" for me was to run system-config-securitylevel, select the "SELinux" tab, and then uncheck "Enforcing Current" box, which I believe (a complete guess, due to lack of documentation) puts the system in "permissive" mode.

Please consider reverting these changes as they appear to be breaking lots of non-Fedora packaged applications. Maybe some actual documentation would be kind of useful too: try googling on these sets of keywords:

  selinux allow_execmod
  linux allow_execmod
  fc3 allow_execmod

I rest my case...
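
The denials quoted above all have the same shape, so here is an added example (not part of this bug report or of the selinux-policy package) of a small shell triage script that pulls the execmod denials out of dmesg or /var/log/messages, reports each denied file once with its target type and the domain that hit it, and prints the usual remediation. The sample input is constructed from the lines quoted in this report plus one made-up unrelated denial. The type name textrel_shlib_t and the file_contexts.local path are assumptions about the policy in use: older targeted policies spelled the type texrel_shlib_t, and newer systems use semanage fcontext instead of file_contexts.local.

```shell
# Added example, not from the bug report: triage "execmod" AVC denials.
# Reads kernel/audit log lines on stdin (dmesg, /var/log/messages or
# /var/log/audit/audit.log) and prints one line per denied file:
#   <path> <target type> <comm> <source context>
# Every other log line is ignored.
avc_execmod_report() {
    awk '
    /avc: +denied +[{] *execmod *[}]/ {
        path = ""; ttype = ""; comm = ""; scon = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "path")     path = kv[2]
            if (kv[1] == "comm")     comm = kv[2]
            if (kv[1] == "scontext") scon = kv[2]
            # the type is the third field of user:role:type[:level]
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        # report each file once, even if it was denied repeatedly
        if (path != "" && !seen[path]++)
            printf "%s %s %s %s\n", path, ttype, comm, scon
    }'
}

# Suggest the usual fix for one report line. textrel_shlib_t is an ASSUMPTION
# about the policy in use: older targeted policies spelled it texrel_shlib_t,
# so confirm the spelling before relabeling, e.g.
#   grep -o 'tex[t]*rel_shlib_t' /etc/selinux/targeted/contexts/files/file_contexts | head -1
execmod_fix_hint() {
    path=$1
    ttype=$2
    case $ttype in
        textrel_shlib_t|texrel_shlib_t)
            echo "$path is already $ttype: check 'getsebool allow_execmod' and the policy version" ;;
        usr_t|lib_t|shlib_t|bin_t)
            echo "chcon -t textrel_shlib_t $path" ;;
        *)
            echo "unexpected type $ttype on $path: inspect with 'ls -Z $path'" ;;
    esac
}

# Usage:  dmesg | execmod_triage      or      execmod_triage < /var/log/messages
# A chcon label is lost on the next full relabel; to make it stick, add a
# matching line to /etc/selinux/targeted/contexts/files/file_contexts.local
# (assumed location for policies of this era) and run restorecon on the file.
execmod_triage() {
    avc_execmod_report | while read -r path ttype comm scon; do
        echo "# $comm ($scon) needs execmod on $path [$ttype]"
        execmod_fix_hint "$path" "$ttype"
    done
}

# Constructed sample input: the denials quoted in this report, each on one
# line, plus a repeat of the Notes denial and one made-up unrelated denial
# (the /etc/shadow read) that the report must leave out.
sample_avc_lines() {
    cat <<'EOF'
audit(1118735600.902:0): avc:  denied  { execmod } for  pid=7102 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672289 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118735088.338:0): avc:  denied  { execmod } for  pid=5997 comm=db2dasstm path=/usr/IBM/db2/V8.1/das/function/db2mdfile dev=dm-5 ino=720934 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Jun 14 16:12:20 localhost kernel: audit(1118761940.276:0): avc:  denied  { execmod } for pid=5447 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=hda9 ino=827502 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
kernel: audit(1120039055.765:0): avc:  denied  { execmod } for  pid=19648 comm=install.sfx.196 path=/lib64/tls/libc-2.3.5.so dev=dm-0 ino=24281097 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
audit(1119011237.629:0): avc:  denied  { execmod } for  pid=26379 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672253 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1119011240.000:0): avc:  denied  { read } for  pid=26380 comm=wine path=/etc/shadow dev=dm-0 ino=1 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shadow_t tclass=file
EOF
}
```

As the thread shows, allow_execmod being active is not enough on its own: the denials here name usr_t and lib_t targets, so the target type the report prints is the thing to look at next. Relabeling the one file that needs execmod is preferable to the permissive-mode workaround, which switches off enforcement for every domain on the machine.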

Comment 1 Jose Pedro Oliveira 2005-06-14 16:12:46 UTC
Related ticket

* selinux-policy-targeted 1.17.30-3.2 breaks Adobe AcroRead 7.0.0-2
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160106


Comment 2 Jose Pedro Oliveira 2005-06-14 16:14:17 UTC
Also breaks the cisco vpnclient package:

Jun 14 16:12:20 localhost kernel: audit(1118761940.276:0): avc:  denied  { execmod } for pid=5447 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=hda9 ino=827502 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file


Comment 3 Daniel Walsh 2005-06-15 18:54:13 UTC
fixed in selinux-policy-targeted 1.17.30-3.9

Comment 4 James Hunt 2005-06-17 09:35:23 UTC
Daniel,

Unfortunately, it is not fixed in 1.17.30-3.9; I get exactly the same errors,
and have had to revert to permissive mode again.

Regards,

James.


Comment 5 Daniel Walsh 2005-06-17 10:41:06 UTC
James, Do you have allow_execmod set?

setsebool -P allow_execmod=1

Dan

Comment 6 James Hunt 2005-06-17 12:29:39 UTC
Hi Dan,

I believe so...

cat /selinux/booleans/allow_execmod
1 1

Here's the output of "sestatus -v":

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connect inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zones inactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_trans inactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
use_syslogng            inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          user_u:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t


Here's one of the many errors I get in dmesg when I attempt to start Notes under
Wine:

audit(1119011237.629:0): avc:  denied  { execmod } for  pid=26379 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672253 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

Comment 7 Doug Maxey 2005-06-28 20:43:24 UTC
(In reply to comment #3)
> fixed in selinux-policy-targeted 1.17.30-3.9

Works For Me (tm) with crossover office 4.2. 

Comment 8 Joachim Selke 2005-06-29 10:00:13 UTC
I now have a problem with the current Java SDK from Sun. With
selinux-policy-targeted-1.17.30-3.9 everything was working fine. But then I
updated to 1.17.30-3.13 and get errors when executing java or javac.

Even the Java installer doesn't work. When executing
jdk-1_5_0_04-linux-amd64.bin (the installer's binary) I get the following error:

./install.sfx.19637: error while loading shared libraries: /lib64/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied


/var/log/messages says:

kernel: audit(1120039055.765:0): avc:  denied  { execmod } for  pid=19648 comm=install.sfx.196 path=/lib64/tls/libc-2.3.5.so dev=dm-0 ino=24281097 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file


The output of "sestatus -v" is:

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connect inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zones inactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_trans inactive
read_default_t          active
snmpd_disable_trans     inactive
squid_connect_any       inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          root:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Comment 9 Joachim Selke 2005-06-29 16:45:40 UTC
Addition to comment #8:

If I set "setenforce 0" everything is working as expected, but I think this is a
workaround and not a solution.
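
The loader error in comment 8 ("cannot apply additional memory protection after relocation") is what ld.so prints when the mprotect that re-protects a segment it has just relocated fails, and the execmod denial is the SELinux side of that same failure. Before relabeling a library it is worth knowing whether it really carries text relocations. The following is an added example, not from this report or from the selinux-policy package, that checks a file for DT_TEXTREL (or the TEXTREL bit in DT_FLAGS) with readelf. It assumes binutils is installed; the Wine-loaded Notes DLLs in the original report are PE files, which readelf rejects, so they come out as "unknown" rather than being misclassified.

```shell
# Added example, not from the bug report: does this shared object need execmod?
# A DSO with text relocations (DT_TEXTREL, or TEXTREL in DT_FLAGS) is patched
# by ld.so after it is mapped; the mprotect back to PROT_EXEC that follows is
# the operation SELinux checks as execmod. Requires readelf (binutils).
# Exit status: 0 = has TEXTREL, 1 = ELF without TEXTREL, 2 = not ELF/unreadable.
has_textrel() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    if ! dyn=$(readelf -d "$f" 2>/dev/null); then
        # readelf refuses non-ELF input (e.g. a PE DLL loaded by Wine)
        echo "not ELF (or readelf missing): $f" >&2
        return 2
    fi
    printf '%s\n' "$dyn" | grep -Eq '\(TEXTREL\)|\(FLAGS\).*TEXTREL'
}

# One-word verdict for a path taken from an execmod denial:
#   textrel  relabel it (textrel_shlib_t, name assumed) or rebuild it with -fPIC
#   clean    no TEXTREL: the execmod comes from the program's own mmap/mprotect
#            use, not from the loader, so relabeling would only widen policy
#   unknown  not an ELF file or not readable; decide by other means
execmod_verdict() {
    if has_textrel "$1"; then
        echo textrel
    else
        case $? in
            1) echo clean ;;
            *) echo unknown ;;
        esac
    fi
}

# Usage: for p in $(dmesg | sed -n 's/.*execmod.*path=\([^ ]*\).*/\1/p' | sort -u); do
#            echo "$p: $(execmod_verdict "$p")"; done
```

A library that reports textrel can be relabeled (or, with source in hand, rebuilt with -fPIC so it stops needing execmod at all); one that reports clean is being denied for a reason relabeling will not address, so look at what the program itself does with the mapping before touching the label.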

Comment 10 James Hunt 2005-07-21 09:48:32 UTC
Sorry - forgot to update bug. I'm now running with
selinux-policy-targeted-1.25.2-4, and it is also fixed for me; I'm now running
back in enforcing mode.