Bug 288771
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux "denied access" error attempting to execute SDK samples. | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Denise Eckstein <denise.eckstein> |
| Component | selinux-policy | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED ERRATA | QA Contact | Ben Levenson <benl> |
| Severity | medium | Priority | medium |
| Version | 5.1 | CC | ebenes, mmalik, vcrhonek |
| Target Milestone | rc | Target Release | --- |
| Hardware | All | OS | Linux |
| Fixed In Version | RHBA-2008-0465 | Doc Type | Bug Fix |
| Last Closed | 2008-05-21 16:05:37 UTC | | |
Description
Denise Eckstein
2007-09-13 05:50:25 UTC
Change component from tog-pegasus to selinux-policy.

I am not sure why these are labeled this way. It does not make sense, but there is a line in policy:

```
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
```

I am going to remove this from rawhide to see if it causes problems. If not, I will make this change in the next RHEL5 Update release.

Fixed in selinux-policy-2.4.6-107

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

I believe your labeling got screwed up somehow, putting back in on_qa

This is strange. For the first few attempts to reproduce the bug, it produced AVC denials. But later they "somehow disappeared" and running the test does not produce them anymore (restarting the tog-pegasus service makes no change). The restorecon had no effect on this. There might be some explanation from the tog-pegasus point of view, cc-ing Vitezslav Crhonek. From the collected AVC messages it looks like cimserver is trying to do execute on libSDKInstanceProvider.so, right?

```
# rpm -q selinux-policy
selinux-policy-2.4.6-122.el5
# /etc/init.d/tog-pegasus start
Starting up CIM server:                                    [  OK  ]
# make setupSDK
...
+++++ Repository created.
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make[1]: Entering directory `/usr/share/Pegasus/samples/Providers/Load'
+++++ Registering providers for SDKExamples/DefaultCXX namespace ...
Warning: the instance already exists.  In this implementation, that means it cannot be changed.
Warning: the instance already exists.  In this implementation, that means it cannot be changed.
Parsing error: parse error: Error adding an instance: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "A provider is already registered for the specified capability."
make[1]: *** [registerproviders] Error 250
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make: *** [setupSDK] Error 2
# ausearch -m AVC -sv no -ts recent
<no matches>
# make testSDK
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib64/Pegasus/providers/libSDKInstanceProvider.so:SampleInstanceProvider):Cannot load library, error: /usr/lib64/Pegasus/providers/libSDKInstanceProvider.so: failed to map segment from shared object: Permission denied"
make[3]: *** [testSDK] Error 1
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[2]: *** [testSDK] Error 2
make[2]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[1]: *** [testSDK] Error 2
make[1]: Leaving directory `/usr/share/Pegasus/samples/Clients'
make: *** [testSDK] Error 2
# ausearch -m AVC -sv no -ts recent
----
time->Thu Feb 28 15:48:31 2008
type=SYSCALL msg=audit(1204210111.755:273): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=2067c0 a2=5 a3=802 items=0 ppid=1 pid=11367 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="cimserver" exe="/usr/sbin/cimserver" subj=root:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1204210111.755:273): avc:  denied  { execute } for  pid=11367 comm="cimserver" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=dm-0 ino=2654599 scontext=root:system_r:pegasus_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t              /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
# restorecon -R -v /usr/share/Pegasus/
```

And here comes the strange thing. After a few attempts/some time the AVC denials are not produced anymore?! And the test seems to run fine.

```
# make testSDK
... runs smoothly and with no avc denials ...
```

After you do the restorecon what does the ll -Z show?

```
ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
```

As noted in the previous comment, after running make it shows:

```
# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t              /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
```

Fixed in selinux-policy-2.4.6-124

Dan, what should be the correct context on the .so files in the /usr/share/Pegasus/samples/lib/ directory? There are two file contexts, defined in the targeted version of the file_contexts file, that could match these files (in this order):

```
/usr/(.*/)?lib(/.*)?            system_u:object_r:lib_t:s0
...
/usr/(.*/)?lib/.+\.so   --      system_u:object_r:shlib_t:s0
```

The files are being labeled with type lib_t. And when I try to manually change the context to shlib_t it shows a message about the change, but nothing happens. Are there any restrictions I'm missing here? I thought the file should get the last context found in the file_contexts file.

Here is what happens when I try to change the context manually:

```
# chcon -Rcv -t shlib_t lib/
context of lib/ changed to system_u:object_r:shlib_t
context of lib//libSDKFilesAndDirectories.so changed to root:object_r:shlib_t
context of lib//libSDKAssociationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKIndicationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKcmpiCWS_Util.so changed to root:object_r:shlib_t
context of lib//libSDKDisplayConsumer.so changed to root:object_r:shlib_t
context of lib//libSDKMethodProvider.so changed to root:object_r:shlib_t
context of lib//libSDKInstanceProvider.so changed to root:object_r:shlib_t
context of lib//target changed to system_u:object_r:shlib_t
# ll -Zd lib/
drwxr-xr-x  root pegasus system_u:object_r:lib_t          lib/
[root@rasputin samples]# ll -Z lib/
-rwxr-xr-x  root root root:object_r:lib_t              libSDKAssociationProvider.so
-rwxr-xr-x  root root root:object_r:lib_t              libSDKcmpiCWS_Util.so
-rwxr-xr-x  root root root:object_r:lib_t              libSDKDisplayConsumer.so
-rwxr-xr-x  root root root:object_r:lib_t              libSDKFilesAndDirectories.so
-rwxr-xr-x  root root root:object_r:lib_t              libSDKIndicationProvider.so
-rwxr-xr-x  root root root:object_r:lib_t              libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:lib_t              libSDKMethodProvider.so
-rw-r--r--  root pegasus system_u:object_r:lib_t          target
# rpm -q selinux-policy
selinux-policy-2.4.6-125.el5
```

And almost forgot to mention that running the SDK samples does not give AVC denials any more.

shlib_t == lib_t in targeted policy. They are aliases for each other.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
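To make the labeling behaviour discussed in this thread concrete, here is an added Python model (not part of the bug report or of the selinux-policy package) of the two file_contexts rules the comments rely on: the last matching entry wins, and an aliased type such as shlib_t is reported by the kernel as its canonical type lib_t. The entries are the three regexes quoted in the thread; placing the removed usr_t entry after the two lib entries is an assumption, and the execute check is a simplification of the policy as observed in the AVC record above.

```python
import re

# Constructed for this example from the three regexes quoted in the bug
# thread, in assumed file order. The usr_t entry is the line that the fix
# (selinux-policy-2.4.6-107) removed; putting it last is an assumption.
BROKEN_FILE_CONTEXTS = [
    (r"/usr/(.*/)?lib(/.*)?", "lib_t"),
    (r"/usr/(.*/)?lib/.+\.so", "shlib_t"),
    (r"/usr/share(/.*)?/lib(64)?(/.*)?", "usr_t"),
]
# The fixed policy simply drops that entry.
FIXED_FILE_CONTEXTS = [e for e in BROKEN_FILE_CONTEXTS if e[1] != "usr_t"]

# In the targeted policy shlib_t is an alias of lib_t, so the kernel always
# reports lib_t; that is why "chcon -t shlib_t" appears to change nothing.
TYPE_ALIASES = {"shlib_t": "lib_t"}


def match_type(path, entries):
    """Type of the last entry whose regex matches the whole path (the
    file_contexts rule the thread relies on), or None if nothing matches."""
    winner = None
    for regex, setype in entries:
        if re.fullmatch(regex, path):
            winner = setype
    return winner


def canonical_type(setype):
    """Collapse a type alias to the name the kernel shows in ls -Z."""
    return TYPE_ALIASES.get(setype, setype)


def label_for(path, entries):
    """What restorecon would apply and what ls -Z would then display."""
    setype = match_type(path, entries)
    return None if setype is None else canonical_type(setype)


def pegasus_may_execute(setype):
    """Simplification of what the AVC record shows: cimserver (pegasus_t)
    was denied execute on a usr_t file but loads lib_t shared objects."""
    return canonical_type(setype) == "lib_t"


if __name__ == "__main__":
    so = "/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so"
    for name, entries in (("broken", BROKEN_FILE_CONTEXTS), ("fixed", FIXED_FILE_CONTEXTS)):
        t = label_for(so, entries)
        print(f"{name}: {so} -> {t}, execute allowed: {pegasus_may_execute(t)}")
```

Running it shows the sample library labeled usr_t (and execute denied) under the broken policy and lib_t under the fixed one, even though the winning entry there is the shlib_t line.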