Bug 249165

Summary: "rpm -V mesa-libGL" triggers SEtroubleshoot error
Product: [Fedora] Fedora
Reporter: Andre Robatino <robatino>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
CC: alwanza
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 2.6.4-30.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-03 04:45:08 UTC

Description Andre Robatino 2007-07-21 20:08:56 UTC
Description of problem:
[andre@localhost ~]$ rpm -V mesa-libGL
prelink: /tmp/#prelink#.W3gNHu Could not trace symbol resolving
S.?.....   /usr/lib/libGL.so.1.2
[andre@localhost ~]$

If this command is run repeatedly, each time a different filename appears.  In
addition, SEtroubleshoot shows the following error:

Summary
SELinux is preventing /lib/ld-2.6.so from loading /tmp/#prelink#.W3gNHu which requires text relocation.

Detailed Description
The /lib/ld-2.6.so application attempted to load /tmp/#prelink#.W3gNHu which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /tmp/#prelink#.W3gNHu to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Allowing Access
If you trust /tmp/#prelink#.W3gNHu to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /tmp/#prelink#.W3gNHu"
The following command will allow this access:
chcon -t textrel_shlib_t /tmp/#prelink#.W3gNHu

Additional Information
Source Context:  user_u:system_r:prelink_t
Target Context:  user_u:object_r:prelink_tmp_t
Target Objects:  /tmp/#prelink#.W3gNHu [ file ]
Affected RPM Packages:  glibc-2.6-4 [application]
Policy RPM:  selinux-policy-2.6.4-26.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.allow_execmod
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.22.1-27.fc7 #1 SMP Tue Jul 17 17:13:26 EDT 2007 i686 i686
Alert Count:  0
First Seen:  Sat 21 Jul 2007 04:01:52 PM EDT
Last Seen:  Sat 21 Jul 2007 04:01:52 PM EDT
Local ID:  635b91dd-d3af-43c6-9c4b-7d4d6ca65755
Line Numbers:

Raw Audit Messages:
avc: denied { execmod } for comm="ld-linux.so.2" dev=dm-0 egid=500 euid=500 exe="/lib/ld-2.6.so" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 name="#prelink#.W3gNHu" path="/tmp/#prelink#.W3gNHu" pid=6050 scontext=user_u:system_r:prelink_t:s0 sgid=500 subj=user_u:system_r:prelink_t:s0 suid=500 tclass=file tcontext=user_u:object_r:prelink_tmp_t:s0 tty=pts0 uid=500

Version-Release number of selected component (if applicable):
mesa-libGL-6.5.2-13.fc7

How reproducible:
always

Additional info:
  My father experiences the same thing on a F7 machine with substantially
different hardware, so it's fairly safe to assume everybody has the issue.  This
issue apparently prevents yum-presto from being able to use deltarpm to update
this package, though the update works normally using the full RPM.

Comment 1 Andre Robatino 2007-07-21 20:20:15 UTC
  Someone at fedoraforum notified me that he doesn't have the problem with
SELinux disabled, so the rpm verify error is triggered by the SELinux issue and
not the other way around.

http://forums.fedoraforum.org/showthread.php?p=833100

Comment 2 Andre Robatino 2007-07-21 23:11:10 UTC
  It was also reported that it's not triggered in permissive mode.  I and my
father both use the default enforcing mode.

Comment 3 Adam Jackson 2007-07-23 19:06:26 UTC
This isn't Mesa's fault, except inasmuch as it requires text relocations.  It's
either prelink or rpm.  But I suspect it's just not a bug that can be fixed,
because files that need textrels should be marked as such in selinux policy.

Shifting the blame to rpm for now.

Comment 4 Jeff Johnson 2007-07-23 20:44:02 UTC
Bzzzt! Nice guess, you lose. Wanna play again?

Try selinux and/or prelink. Note the hints in the above, at no point does the error spew say "rpm".

rpm has zippo control over how packages (in this case Mesa) are produced (with or without text relocations), or with policy controls that prevent execution when text relocations are present, or with prelinking of elf executables.

Comment 5 Andre Robatino 2007-07-24 04:53:07 UTC
  Switching the component to selinux-policy.

Comment 6 Daniel Walsh 2007-07-24 13:00:55 UTC
I am changing the prelink policy to allow execmod on prelink_tmp_t and lib_t files.

Fixed in selinux-policy-2.6.4-30
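
An added example, not part of the original comment or of the Fedora policy source: it parses the raw audit message from the description and derives the type-enforcement rule that the denial corresponds to, which lines up with the execmod-on-prelink_tmp_t change described in comment 6. The function names and the memory-protection permission set are this example's own choices.

```python
import re

# Constructed sample: the raw audit message from the description, joined onto one line.
AVC = ('avc: denied { execmod } for comm="ld-linux.so.2" dev=dm-0 egid=500 euid=500 '
       'exe="/lib/ld-2.6.so" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 '
       'name="#prelink#.W3gNHu" path="/tmp/#prelink#.W3gNHu" pid=6050 '
       'scontext=user_u:system_r:prelink_t:s0 sgid=500 subj=user_u:system_r:prelink_t:s0 '
       'suid=500 tclass=file tcontext=user_u:object_r:prelink_tmp_t:s0 tty=pts0 uid=500')

# SELinux memory-protection permissions; a denial on one of these deserves
# review before any rule is added (hypothetical triage list for this example).
MEMPROT = {"execmod", "execmem", "execstack", "execheap"}

def parse_avc(line):
    """Return a dict describing one 'avc: denied' record, or None if it is not one."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    # key=value pairs; values are either quoted strings or bare tokens.
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "perms": m.group(1).split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
    }

def to_allow_rule(rec):
    """Render the record as a type-enforcement allow rule."""
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f'allow {rec["source_type"]} {rec["target_type"]}:{rec["tclass"]} {perms};'

def needs_review(rec):
    """List the denied permissions that weaken memory protection."""
    return sorted(MEMPROT & set(rec["perms"]))

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(to_allow_rule(rec))
    print("memory-protection perms:", needs_review(rec))
```

The derived rule is scoped to the prelink_t domain and its own temporary-file type, which is narrower than relabeling an arbitrary file in /tmp as textrel_shlib_t.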

Comment 7 Andre Robatino 2007-07-24 13:09:46 UTC
  The way I originally noticed this problem was after noticing that Presto
didn't use the deltarpm for mesa-libGL to update it, and then failing to be able
to use applydeltarpm (from the deltarpm package) to update mesa-libGL using the
old installed package and the deltarpm from the Presto server

http://lesloueizeh.com/f7/i386/updates/DRPMS/mesa-libGL-6.5.2-10.fc7_6.5.2-13.fc7.i386.drpm

and having an SEtroubleshoot error pop up during the failed attempt (it works,
though, using the old RPM together with the deltarpm).  Just to be sure, will
this also fix that problem?

Comment 8 Andre Robatino 2007-07-24 13:29:35 UTC
  Actually, I can just wait until the updated selinux-policy package is
released, and if that fixes the immediate problem, then I'll just downgrade
mesa-libGL* and see if Presto can update it with deltarpms.  If not, I'll file
another bug.  So never mind. 

Comment 9 Andre Robatino 2007-08-03 04:45:08 UTC
  Verified as fixed in updates-released selinux-policy-*2.6.4-30.fc7.  Also
verified that the Presto update problem is fixed by downgrading mesa-libGL* and
successfully using Presto to update both packages.  Closing.

Comment 10 Meryll Larkin 2009-11-21 01:01:37 UTC
RH VERSION=5.4
KERNEL RELEASE=2.6.18-164.6.1.el5
LAST UPDATE=-rw-r--r-- 1 root root 23186 Nov 20 04:03 /var/log/rpmpkgs
LAST REBOOT= system boot 2009-11-19 14:22
MEMORY TOTAL=MemTotal: 2074476 kB
PROCESSORS=1
PROC SPEED=cpu MHz : 2004.653

11/20/09  CentOS 5.4 has this bug.

 rpm -V mesa-libGL
prelink: /usr/lib/libGL.so.1.2.#prelink#.1HibCL Could not trace symbol resolving
S.?.....    /usr/lib/libGL.so.1.2

I am using selinux in enforcing mode.  I am confused about how a bug gets closed and still exists 2 years later.  There are probably details I don't understand, but just in case I thought I'd let you know.

Comment 11 Andre Robatino 2009-11-21 01:21:52 UTC
I'm not seeing the bug in Fedora 12.  Other than just now, haven't checked since this bug was closed.

[root@compaq-pc ~]# rpm -V mesa-libGL
[root@compaq-pc ~]#

Comment 12 Daniel Walsh 2009-11-23 13:29:38 UTC
Meryll, please open a RHEL5 bugzilla if you see this problem.  Also make sure you have the RHEL5.4 selinux-policy installed.  The problem most likely is that libGL.so.1.2 is mislabeled.  It should be labeled textrel_shlib_t.