Bug 216461
Summary: | prelink/amandad denials | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5 | CC: | dwalsh |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-02-14 15:16:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Orion Poplawski
2006-11-20 17:03:54 UTC
This is pretty bizzare. Looks like a labeling problem? restorecon -v doesn't report any changes, so everything is labeled the way it currently is supposed to be. # ls -Z /usr/lib/amanda/ -rwxr-xr-x amanda disk system_u:object_r:amanda_inetd_exec_t amandad -rwsr-x--- root disk system_u:object_r:amanda_exec_t calcsize -rwsr-x--- root disk system_u:object_r:amanda_exec_t killpgrp -rwxr-xr-x amanda disk system_u:object_r:amanda_exec_t noop -rwxr-xr-x amanda disk system_u:object_r:amanda_exec_t patch-system -rwsr-x--- root disk system_u:object_r:amanda_exec_t rundump -rwsr-x--- root disk system_u:object_r:amanda_exec_t runtar -rwxr-xr-x amanda disk system_u:object_r:amanda_exec_t selfcheck -rwxr-xr-x amanda disk system_u:object_r:amanda_exec_t sendbackup -rwxr-xr-x amanda disk system_u:object_r:amanda_exec_t sendsize -rwxr-xr-x amanda disk system_u:object_r:amanda_exec_t versionsuffix # ldd /usr/lib/amanda/* /usr/lib/amanda/amandad: linux-gate.so.1 => (0x00684000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x4befa000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x4bea5000) libm.so.6 => /lib/libm.so.6 (0x4775a000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x4902e000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x478ba000) libnsl.so.1 => /lib/libnsl.so.1 (0x48c2c000) libresolv.so.2 => /lib/libresolv.so.2 (0x4900c000) libc.so.6 => /lib/libc.so.6 (0x47625000) /lib/ld-linux.so.2 (0x47608000) /usr/lib/amanda/calcsize: linux-gate.so.1 => (0x00baa000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00e82000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00110000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00113000) libm.so.6 => /lib/libm.so.6 (0x00536000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00166000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x0029a000) libnsl.so.1 => /lib/libnsl.so.1 (0x00c18000) libresolv.so.2 => /lib/libresolv.so.2 (0x00a83000) libc.so.6 => /lib/libc.so.6 (0x0029e000) /lib/ld-linux.so.2 (0x00613000) /usr/lib/amanda/killpgrp: linux-gate.so.1 => (0x008fb000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00204000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00ae6000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00db2000) libm.so.6 => /lib/libm.so.6 (0x00758000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00110000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x00baa000) libnsl.so.1 => /lib/libnsl.so.1 (0x00a98000) libresolv.so.2 => /lib/libresolv.so.2 (0x00849000) libc.so.6 => /lib/libc.so.6 (0x0020d000) /lib/ld-linux.so.2 (0x0051d000) /usr/lib/amanda/noop: linux-gate.so.1 => (0x00110000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x005cf000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x0029f000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00111000) libm.so.6 => /lib/libm.so.6 (0x005e4000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00c50000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x00327000) libnsl.so.1 => /lib/libnsl.so.1 (0x00cb7000) libresolv.so.2 => /lib/libresolv.so.2 (0x00d16000) libc.so.6 => /lib/libc.so.6 (0x0032b000) /lib/ld-linux.so.2 (0x00f5f000) /usr/lib/amanda/patch-system: not a dynamic executable /usr/lib/amanda/rundump: linux-gate.so.1 => (0x00110000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00d66000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00844000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x003a3000) libm.so.6 => /lib/libm.so.6 (0x007c4000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00361000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x0091f000) libnsl.so.1 => /lib/libnsl.so.1 (0x009ab000) libresolv.so.2 => /lib/libresolv.so.2 (0x00717000) libc.so.6 => /lib/libc.so.6 (0x00545000) /lib/ld-linux.so.2 (0x00df7000) /usr/lib/amanda/runtar: linux-gate.so.1 => (0x00766000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00f5e000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00964000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x007c1000) libm.so.6 => /lib/libm.so.6 (0x00110000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00b7a000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x00bfc000) libnsl.so.1 => /lib/libnsl.so.1 (0x002d4000) libresolv.so.2 => /lib/libresolv.so.2 (0x001de000) libc.so.6 => /lib/libc.so.6 (0x003bd000) /lib/ld-linux.so.2 (0x003a2000) /usr/lib/amanda/selfcheck: linux-gate.so.1 => (0x001fe000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x0037e000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x0025e000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00110000) libm.so.6 => /lib/libm.so.6 (0x008be000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00afe000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x00ee0000) libnsl.so.1 => /lib/libnsl.so.1 (0x0020c000) libresolv.so.2 => /lib/libresolv.so.2 (0x00e13000) libc.so.6 => /lib/libc.so.6 (0x00387000) /lib/ld-linux.so.2 (0x006de000) /usr/lib/amanda/sendbackup: linux-gate.so.1 => (0x00376000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00110000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x003bc000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00eac000) libm.so.6 => /lib/libm.so.6 (0x00862000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00a06000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x003df000) libnsl.so.1 => /lib/libnsl.so.1 (0x00655000) libresolv.so.2 => /lib/libresolv.so.2 (0x005ec000) libc.so.6 => /lib/libc.so.6 (0x00119000) /lib/ld-linux.so.2 (0x00704000) /usr/lib/amanda/sendsize: linux-gate.so.1 => (0x0072f000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x0077f000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00313000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00609000) libm.so.6 => /lib/libm.so.6 (0x001f6000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x006d6000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x0037a000) libnsl.so.1 => /lib/libnsl.so.1 (0x00ab8000) libresolv.so.2 => /lib/libresolv.so.2 (0x00983000) libc.so.6 => /lib/libc.so.6 (0x0037e000) /lib/ld-linux.so.2 (0x00833000) /usr/lib/amanda/versionsuffix: linux-gate.so.1 => (0x00110000) libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x0068f000) libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x003e3000) libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00a49000) libm.so.6 => /lib/libm.so.6 (0x0043c000) libreadline.so.5 => /usr/lib/libreadline.so.5 (0x009a0000) libtermcap.so.2 => /lib/libtermcap.so.2 (0x00111000) libnsl.so.1 => /lib/libnsl.so.1 (0x00c59000) libresolv.so.2 => /lib/libresolv.so.2 (0x00b03000) libc.so.6 => /lib/libc.so.6 (0x001e1000) /lib/ld-linux.so.2 (0x00402000) It's a new thing in amanda-2.5.1 that /usr/lib/amanda/amandad is linked against /usr/lib/libamandad-2.5.1.so. Perhaps amandad should be installed elsewhere, being an executable? Although, I don't get prelink errors with any of the other items in /usr/lib/amanda. Ok, I can fix the /usr/lib/amanda/amandad problem but what about the tmpfs_t? I guess I assumed that if the first succeeded it wouldn't try the other two, but maybe they are unrelated. All of these bugs should be fixed in FC6, You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use audit2allow -M mypolicy -i /var/log/audit/audit.log and build local customized policy |