Bug 216461

Summary: prelink/amandad denials
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NEXTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 5
CC: dwalsh
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-02-14 15:16:28 UTC

Description Orion Poplawski 2006-11-20 17:03:54 UTC
Description of problem:

This very well may be related to a local custom amanda package, but I'm baffled:

Nov 19 04:03:42 marie kernel: audit(1163934222.154:319): avc:  denied  { add_name } for  pid=19401 comm="prelink" name="amandad.#prelink#.DNwy8j" scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:amanda_usr_lib_t:s0 tclass=dir
Nov 19 04:03:42 marie kernel: audit(1163934222.154:320): avc:  denied  { add_name } for  pid=19401 comm="prelink" name="#prelink#.gSyC8t" scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Nov 19 04:03:42 marie kernel: audit(1163934222.154:321): avc:  denied  { add_name } for  pid=19401 comm="prelink" name="#prelink#.9kzvlE" scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

-rwxr-xr-x  amanda disk system_u:object_r:amanda_inetd_exec_t /usr/lib/amanda/amandad

Version-Release number of selected component (if applicable):
selinux-policy-2.3.7-2.fc5

How reproducible:
Infrequent, weekly prelink run?

Comment 1 Daniel Walsh 2006-11-20 22:04:58 UTC
This is pretty bizarre.  Looks like a labeling problem?

Comment 2 Orion Poplawski 2006-11-21 16:53:16 UTC
restorecon -v doesn't report any changes, so everything is labeled the way it
currently is supposed to be.

# ls -Z /usr/lib/amanda/
-rwxr-xr-x  amanda disk system_u:object_r:amanda_inetd_exec_t amandad
-rwsr-x---  root   disk system_u:object_r:amanda_exec_t  calcsize
-rwsr-x---  root   disk system_u:object_r:amanda_exec_t  killpgrp
-rwxr-xr-x  amanda disk system_u:object_r:amanda_exec_t  noop
-rwxr-xr-x  amanda disk system_u:object_r:amanda_exec_t  patch-system
-rwsr-x---  root   disk system_u:object_r:amanda_exec_t  rundump
-rwsr-x---  root   disk system_u:object_r:amanda_exec_t  runtar
-rwxr-xr-x  amanda disk system_u:object_r:amanda_exec_t  selfcheck
-rwxr-xr-x  amanda disk system_u:object_r:amanda_exec_t  sendbackup
-rwxr-xr-x  amanda disk system_u:object_r:amanda_exec_t  sendsize
-rwxr-xr-x  amanda disk system_u:object_r:amanda_exec_t  versionsuffix
# ldd /usr/lib/amanda/*
/usr/lib/amanda/amandad:
        linux-gate.so.1 =>  (0x00684000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x4befa000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x4bea5000)
        libm.so.6 => /lib/libm.so.6 (0x4775a000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x4902e000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x478ba000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x48c2c000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4900c000)
        libc.so.6 => /lib/libc.so.6 (0x47625000)
        /lib/ld-linux.so.2 (0x47608000)
/usr/lib/amanda/calcsize:
        linux-gate.so.1 =>  (0x00baa000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00e82000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00110000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00113000)
        libm.so.6 => /lib/libm.so.6 (0x00536000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00166000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x0029a000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00c18000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00a83000)
        libc.so.6 => /lib/libc.so.6 (0x0029e000)
        /lib/ld-linux.so.2 (0x00613000)
/usr/lib/amanda/killpgrp:
        linux-gate.so.1 =>  (0x008fb000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00204000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00ae6000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00db2000)
        libm.so.6 => /lib/libm.so.6 (0x00758000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00110000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x00baa000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00a98000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00849000)
        libc.so.6 => /lib/libc.so.6 (0x0020d000)
        /lib/ld-linux.so.2 (0x0051d000)
/usr/lib/amanda/noop:
        linux-gate.so.1 =>  (0x00110000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x005cf000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x0029f000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00111000)
        libm.so.6 => /lib/libm.so.6 (0x005e4000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00c50000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x00327000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00cb7000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00d16000)
        libc.so.6 => /lib/libc.so.6 (0x0032b000)
        /lib/ld-linux.so.2 (0x00f5f000)
/usr/lib/amanda/patch-system:
        not a dynamic executable
/usr/lib/amanda/rundump:
        linux-gate.so.1 =>  (0x00110000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00d66000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00844000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x003a3000)
        libm.so.6 => /lib/libm.so.6 (0x007c4000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00361000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x0091f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x009ab000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00717000)
        libc.so.6 => /lib/libc.so.6 (0x00545000)
        /lib/ld-linux.so.2 (0x00df7000)
/usr/lib/amanda/runtar:
        linux-gate.so.1 =>  (0x00766000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00f5e000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00964000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x007c1000)
        libm.so.6 => /lib/libm.so.6 (0x00110000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00b7a000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x00bfc000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x002d4000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x001de000)
        libc.so.6 => /lib/libc.so.6 (0x003bd000)
        /lib/ld-linux.so.2 (0x003a2000)
/usr/lib/amanda/selfcheck:
        linux-gate.so.1 =>  (0x001fe000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x0037e000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x0025e000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00110000)
        libm.so.6 => /lib/libm.so.6 (0x008be000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00afe000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x00ee0000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x0020c000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00e13000)
        libc.so.6 => /lib/libc.so.6 (0x00387000)
        /lib/ld-linux.so.2 (0x006de000)
/usr/lib/amanda/sendbackup:
        linux-gate.so.1 =>  (0x00376000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x00110000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x003bc000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00eac000)
        libm.so.6 => /lib/libm.so.6 (0x00862000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x00a06000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x003df000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00655000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x005ec000)
        libc.so.6 => /lib/libc.so.6 (0x00119000)
        /lib/ld-linux.so.2 (0x00704000)
/usr/lib/amanda/sendsize:
        linux-gate.so.1 =>  (0x0072f000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x0077f000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x00313000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00609000)
        libm.so.6 => /lib/libm.so.6 (0x001f6000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x006d6000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x0037a000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00ab8000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00983000)
        libc.so.6 => /lib/libc.so.6 (0x0037e000)
        /lib/ld-linux.so.2 (0x00833000)
/usr/lib/amanda/versionsuffix:
        linux-gate.so.1 =>  (0x00110000)
        libamclient-2.5.1.so => /usr/lib/libamclient-2.5.1.so (0x0068f000)
        libamandad-2.5.1.so => /usr/lib/libamandad-2.5.1.so (0x003e3000)
        libamanda-2.5.1.so => /usr/lib/libamanda-2.5.1.so (0x00a49000)
        libm.so.6 => /lib/libm.so.6 (0x0043c000)
        libreadline.so.5 => /usr/lib/libreadline.so.5 (0x009a0000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x00111000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00c59000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00b03000)
        libc.so.6 => /lib/libc.so.6 (0x001e1000)
        /lib/ld-linux.so.2 (0x00402000)


It's a new thing in amanda-2.5.1 that /usr/lib/amanda/amandad is linked against
/usr/lib/libamandad-2.5.1.so.  Perhaps amandad should be installed elsewhere,
being an executable?  Although, I don't get prelink errors with any of the other
items in /usr/lib/amanda.

Comment 3 Daniel Walsh 2006-11-21 19:52:01 UTC
Ok, I can fix the /usr/lib/amanda/amandad problem but what about the tmpfs_t?



Comment 4 Orion Poplawski 2006-11-21 19:55:51 UTC
I guess I assumed that if the first succeeded it wouldn't try the other two, but
maybe they are unrelated.

Comment 5 Daniel Walsh 2007-02-14 15:16:28 UTC
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build local customized policy.