Bug 209951

Summary: Prelink verify shows no output
Product: [Fedora] Fedora Reporter: John Horne <john.horne>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: medium    
Version: 5CC: goodyca48, jakub, james.antill
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-03-28 20:01:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 182226    

Description John Horne 2006-10-08 19:25:22 UTC 
Description of problem:
If I run the command 'prelink -y --md5 /bin/cat' I get no output at all.

Version-Release number of selected component (if applicable):
prelink-0.3.6-3
selinux-policy-2.3.7-2.fc5
selinux-policy-targeted-2.3.7-2.fc5

How reproducible:
At this moment every time. However, the problem seems to
be inconsistent. 

Steps to Reproduce:
1. Run the above prelink command.
2.
3.
  
Actual results:
Nothing - no output.

Expected results:
MD5 hash of the /bin/cat file.

Additional info:
I have tested this with other files (e.g. /bin/ps) and get no output with those
either. The problem exists on more than one system.

My systems hasve SELinux enabled, but if I disable it (setenforce 0), then the
prelink command works.

One of the other reported prelink bugs had a comment saying that FC6 prelink has
been improved in working with SELinux. I have downloaded the FC6 SRPM and
rebuilt it on an FC5 system (the build didn't complete, a test failed, but it
did create the prelink binary). I ran the prelink binary in the BUILD directory
and the command worked fine. Re-running the FC5 command failed.

As such, would it be possible to backport the FC6 prelink command to FC5 please?



Thanks,

John.
Comment 1 Jakub Jelinek 2006-10-09 09:36:45 UTC 
If you compiled it yourself, most likely you haven't set the SELinux context
of the binary to system_u:object_r:prelink_exec_t.  There were no changes
whatsoever between FC5 and FC6 related to SELinux in the prelink sources,
except that the location of prelink.log file changed.
But that log file is only written in the cron.daily/prelink job and nothing
else, so it is completely unrelated to prelink --verify.
Trying this on current rawhide I see the SELinux policy is broken:
/usr/sbin/prelink -y --sha /bin/echo
/usr/sbin/prelink: Could not create temporary file /dev/shm/#prelink#.1U9vGB:
Permission denied
dmesg | tail -n 1
audit(1160386441.213:13): avc:  denied  { add_name } for  pid=27665
comm="prelink" name="#prelink#.1U9vGB" scontext=user_u:system_r:prelink_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

So, at least prelink_exec_t needs to be allowed to create/write/read files in
/dev/shm/.
Comment 2 Jakub Jelinek 2006-10-09 09:41:31 UTC 
Strangely rpm -V coreutils works, guess rpm changes the SELinux context
of the prelink binary it executes or something like that.
But, e.g.
/usr/sbin/prelink -y {,--md5,--sha} /some/elf/object
or
/usr/sbin/prelink -u /some/elf/object
or
/usr/sbin/prelink -u -o /tmp/foo /some/elf/object
should work even from the command line.
Comment 3 John Horne 2006-10-09 12:47:24 UTC 
FYI:
I tried your 'dmesg|tail -1' command and get:

  audit(1160397748.927:781): avc:  denied  { read write } for  pid=4626 
  comm="prelink" name="2" dev=devpts ino=4 scontext=user_u:system_r:prelink_t:s0 
  tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file

I get the 'name="2"' I guess because I am using /dev/pts/2.

Likewise 'rpm -V `rpm -qf /bin/cat`' works.


John.
Comment 4 James Antill 2006-10-09 19:18:28 UTC 
 As a workaround you can do:

% runcon -t unconfined_t -- prelink -y --md5 /bin/cat            ~
60b898dae597cc87a4f4080cda7ea351  /bin/cat
Comment 5 John Horne 2006-10-10 20:12:32 UTC 
Sorry for the delay. Yes, your workaround seems to work fine :-)

Thanks,

John.
Comment 6 Daniel Walsh 2006-10-16 14:37:40 UTC 
Fixed in selinux-policy-2.3.7-4.fc5
Comment 7 Daniel Walsh 2007-03-28 20:01:59 UTC 
Closing bugs