Bug 161844

Summary: crond, smbd, sshd errors
Product: [Fedora] Fedora Reporter: Nerijus Baliūnas <nerijus>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-07-04 23:21:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nerijus Baliūnas 2005-06-27 18:22:22 UTC 
After update to selinux-policy-targeted 1.17.30-3.13 I see following errors in
syslog:

audit(1119895261.549:0): avc:  denied  { execmod } for  pid=19033 comm=crond
path=/lib/libnsl-2.3.5.so dev=md0 ino=999535
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119895261.552:0): avc:  denied  { execmod } for  pid=19033 comm=crond
path=/lib/libcrypt-2.3.5.so dev=md0 ino=999678
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119886648.341:0): avc:  denied  { execmod } for  pid=18933 comm=smbd
path=/lib/libnss_files-2.3.5.so dev=md0 ino=998312
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119889030.658:0): avc:  denied  { execmod } for  pid=18980 comm=sshd
path=/lib/libdl-2.3.5.so dev=md0 ino=999672
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

I cannot even ssh into the box! It's good that I didn't disconnect from current
ssh session. For now I disabled selinux.
Comment 1 Nerijus Baliūnas 2005-06-27 21:18:23 UTC 
It seems it also breaks squid:

audit(1119878211.583:0): avc:  denied  { 
append } for  pid=3071 exe=/usr/sbin/squid path=/var/log/squid/squid.out 
dev=sda2 ino=1465950 scontext=user_u:system_r:squid_t
tcontext=root:object_r:var_log_t tclass=file
Comment 2 Daniel Walsh 2005-06-29 15:34:34 UTC 
You have a labeling problem.  Did you run with selinux disabled?  

restorecon  -R -v /var/log  

Should fix its labeling.

touch /.autorelabel 
reboot
Will relabel the entire system.

selinux-policy-targeted 1.17.30-3.15 should fix the lib_t error.
Dan
Comment 3 Nerijus Baliūnas 2005-06-29 15:56:50 UTC 
I cannot reboot, so I ran fixfiles restore, but it didn't help (why?). Are you
sure relabeling /var/log will help with avc:  denied  { execmod } for  pid=18980
comm=sshd
path=/lib/libdl-2.3.5.so dev=md0 ino=999672 ? Or will 1.17.30-3.15 help even
without relabeling?

BTW, it happened on about 5 different servers, so of course I disabled selinux,
as otherwise customers would have killed me. And I'm very afraid to enable it now.

Is it possible to relabel the entire system without rebooting?
Comment 4 Daniel Walsh 2005-06-29 16:07:32 UTC 
Please go to ftp://people.redhat.com/dwalsh/SELinux/FC3
and grab the latest policy

1.17.30-3.15 and see if this fixes the problem.  This should be available via
update tomorrow.

Dan
Comment 5 Daniel Walsh 2005-07-03 15:20:48 UTC 
Fixed in selinux-policy-targeted-1.17.30-3.16