Bug 243658
Summary: | Many ldconfig AVC denials on update | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ingemar Nilsson <init> | ||||
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> | ||||
Severity: | low | Docs Contact: | |||||
Priority: | low | ||||||
Version: | 7 | CC: | dwalsh | ||||
Target Milestone: | --- | Keywords: | Reopened | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Current | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2008-01-30 19:19:17 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Ingemar Nilsson
2007-06-11 10:18:26 UTC
This looks like some app placed a shared library under a bin directory? Since I did not get a response on this, I think it is either a labeling problem or some other bad application. Closing as not a bug for now. How should I know what the answer to your question is? I see these AVC errors at almost every "yum update" (last time today), but I've gotten so used to them that I hardly notice them any more. Since the error message does not contain any file reference except the program (ldconfig), how could I know where to start looking? I understand that ldconfig did *something* that the SELinux policy didn't allow, but what? Ok so please attach you audit.log to this bugzilla. ausearch -m avc | less Then look for ldconfig might give you more information. Created attachment 161727 [details]
My audit.log
Well, here is my audit.log. I briefly tried to read it, but it isn't very
intelligible to me.
Ok, I will add policy to allow this, but I still have no idea what ldconfig is looking for in bin_t directories. Fixed in selinux-policy-2.6.4-39 Okay, I get it. I ran an strace on ldconfig, and it turns out that it gets three "Permission denied", all associated with libraries in my IBM Tivoli Storage Manager client that I use for backups to our tape robot. The client has its libraries (and everything else, binaries, config files, you name it) in /opt/tivoli/tsm/client/ba/bin which is a bin_t directory. The reason ldconfig tries to access them is that the rpm that I used to install them placed symbolic links to three libraries in /usr/lib. Sorry for bothering you. I certainly understand that you cannot support proprietary software. One could wish though that SELinux could give information about what files or directories it could not permit access to. That could have simplifies this process a lot (if I had known immediately that the messages were related to my Tivoli client, I would not have filed this report at all). Could such a feature be possible? This is actually a bug in the kernel/audit system that is preventing the gathering of this information. It is fixed or being fixed in the upstream kernels. BTW, We do strive to fix problems in Proprietary code as well. Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen. |