Bug 199005

Summary: avc: denied { unlink } for comm="prelink" name="prelink.cache"
Product: [Fedora] Fedora
Reporter: Sitsofe Wheeler <sitsofe>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
CC: dwalsh, elsmorian, rollercow
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 20:02:55 UTC

Description Sitsofe Wheeler 2006-07-15 15:34:07 UTC
Description of problem:
dmesg is full of warnings like:
audit(1152935399.786:15): avc:  denied  { unlink } for  pid=9017 comm="prelink"
name="prelink.cache" dev=hda3 ino=71440 scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.2.47-3.fc5

How reproducible:
Every time

Steps to Reproduce:
1. Install FC5.
2. Apply all updates.
3. Wait for nightly prelink rebuild.
  
Actual results:
selinux warnings in dmesg.

Expected results:
No warnings.

Additional info:
$ ls -Z /etc/prelink.c*
-rw-r--r--  root root user_u:object_r:etc_t            /etc/prelink.cache
-rw-r--r--  root root system_u:object_r:etc_t          /etc/prelink.conf

I sort of suspect that the selinux policy for prelink has been updated but a
relabel was never forced on those files. This is seen on all of the 9 FC5
machines we have here. 

prelink seems to have been causing selinux warnings for some time. If there is
some sort of selinux-policy testsuite I'd recommend that prelink be added to it
as it seems to have had a fair few problems.
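
Added example, not part of the original report or of the selinux-policy project: a small Python parser for AVC denial lines like the one above, which groups repeated denials so a mislabeled target (here a file of type etc_t being unlinked by prelink_t) shows up as one entry. The function names are hypothetical, and every sample line other than the first record is constructed.

```python
import re
from collections import Counter

# Record 1 is the denial from the report (joined to one line); the rest is constructed.
SAMPLE = (
    'audit(1152935399.786:15): avc:  denied  { unlink } for  pid=9017 '
    'comm="prelink" name="prelink.cache" dev=hda3 ino=71440 '
    'scontext=user_u:system_r:prelink_t:s0 '
    'tcontext=user_u:object_r:etc_t:s0 tclass=file\n'
    'audit(1153021800.112:22): avc:  denied  { unlink } for  pid=9541 '
    'comm="prelink" name="prelink.cache" dev=hda3 ino=71440 '
    'scontext=user_u:system_r:prelink_t:s0 '
    'tcontext=user_u:object_r:etc_t:s0 tclass=file\n'
    'EXT3-fs: mounted filesystem with ordered data mode.\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain ':'."""
    user, role, type_, *level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_,
            'level': level[0] if level else None}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    rec['scontext'] = parse_context(rec['scontext'])
    rec['tcontext'] = parse_context(rec['tcontext'])
    return rec

def summarize(log):
    """Count denials per (comm, source type, perm, class, name, target type)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log.splitlines())):
        for perm in rec['perms']:
            counts[(rec.get('comm'), rec['scontext']['type'], perm,
                    rec['tclass'], rec.get('name'), rec['tcontext']['type'])] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

parse_context also accepts the three-field contexts printed by ls -Z above, returning a level of None.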

Comment 1 Daniel Walsh 2006-07-17 13:22:36 UTC
restorecon /etc/prelink.cache should fix the problem.
prelink has been updated in FC6 to play better with SELinux.  Not sure if this
is being backported.

Comment 2 Sitsofe Wheeler 2006-07-20 06:20:26 UTC
And indeed it does. I wound up doing a full filesystem relabel because I was
worried that prelink wouldn't be the only package with this issue (and that took
ages). I guess there needs to be a warning if manual relabelling like this needs
to be done or prelink starts having to accrue massive baggage in the form of
forced relabels of files whose context changes across the life of a distro... 

Comment 3 Daniel Walsh 2007-03-28 20:02:55 UTC
Closing bugs