Bug 288771

Summary: SELinux "denied access" error attempting to execute SDK samples.
Product: Red Hat Enterprise Linux 5
Reporter: Denise Eckstein <denise.eckstein>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 5.1
CC: ebenes, mmalik, vcrhonek
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:05:37 UTC

Description Denise Eckstein 2007-09-13 05:50:25 UTC
Description of problem:
SELinux "denied access" error attempting to execute SDK samples.

Sep 13 01:06:16 biscayne setroubleshoot:      SELinux is 
preventing /usr/sbin/cimserver (pegasus_t) "execute" access 
to /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so (usr_t).For 
complete SELinux messages. run sealert -l b10b6f7c-cc13-41e7-a3a4-08e4a9e8fffe

Version-Release number of selected component (if applicable):
tog-pegasus-devel-2.6.1-2.el5

How reproducible:
Consistently

Steps to Reproduce:
1. cd /usr/share/Pegasus/samples
2. make
3. make setupSDK
4. make testSDK

Actual results:

make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib/Pegasus/providers/libSDKInstanceProvider.so:SampleInstanceProvider):Cannot load library, error: /usr/lib/Pegasus/providers/libSDKInstanceProvider.so: failed to map segment from shared object: Permission denied"
make[3]: *** [testSDK] Error 1
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[2]: *** [testSDK] Error 2
make[2]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[1]: *** [testSDK] Error 2
make[1]: Leaving directory `/usr/share/Pegasus/samples/Clients'
make: *** [testSDK] Error 2


Expected results:

[root@biscayne samples]# make testSDK
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Total Number of Instances: 3
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/InvokeMethod'
Output : Hello
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/InvokeMethod'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/SendTestIndications'
Successfully sent test indications
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/SendTestIndications'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/Associations'
+++++ Test Sample Association Provider
+++++ Test Sample Association Provider

+++++ Test associators

+++++ Test associatorNames

+++++ Test references

+++++ Test referenceNames

+++++ Test association class operations

+++++ passed all tests

Additional info:

The following Providers are built as examples in the SDK.

#cd /usr/share/Pegasus/samples
#make 

#cd /usr/share/Pegasus/samples/lib
[root@biscayne lib]# ll -Z *
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKAssociationProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKcmpiCWS_Util.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKDisplayConsumer.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKFilesAndDirectories.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKIndicationProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKInstanceProvider.so
-rwxr-xr-x  root root    root:object_r:usr_t              libSDKMethodProvider.so
-rw-r--r--  root pegasus system_u:object_r:usr_t          target

A workaround is to manually change the permissions on the library files.

#chcon -u system_u -r object_r -t lib_t lib*

Comment 1 Vitezslav Crhonek 2007-09-25 10:56:07 UTC
Change component from tog-pegasus to selinux-policy.

Comment 2 Daniel Walsh 2007-09-25 13:02:40 UTC
I am not sure why these are labeled this way.  It does not make sense, but there
is a line in policy

/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)

I am going to remove this from rawhide to see if it causes problems.  If not I
will make this change in the next RHEL5 Update release.

Comment 3 Daniel Walsh 2007-10-09 20:48:54 UTC
Fixed in selinux-policy-2.4.6-107

Comment 4 RHEL Program Management 2007-10-16 03:39:58 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Jay Turner 2007-11-30 07:32:09 UTC
QE ack for RHEL5.2.  Reproducer in comment 0.

Comment 9 Daniel Walsh 2008-02-22 14:26:14 UTC
I believe your labeling got screwed up somehow; putting back in on_qa

Comment 10 Eduard Benes 2008-02-28 15:31:28 UTC
This is strange. For the first few attempts to reproduce the bug, it produced 
AVC denials. But later they "somehow disappeared" and running the test does not 
produce them anymore (restarting the tog-pegasus service makes no change). The 
restorecon had no effect on this. There might be some explanation from the tog-
pegasus point of view, cc-ing Vitezslav Crhonek. From the collected AVC 
messages it looks like cimserver is trying to do execute on 
libSDKInstanceProvider.so, right? 

# rpm -q selinux-policy
selinux-policy-2.4.6-122.el5
# /etc/init.d/tog-pegasus start
Starting up CIM server:                                    [  OK  ]
# make setupSDK
...
+++++ Repository created.
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make[1]: Entering directory `/usr/share/Pegasus/samples/Providers/Load'
+++++ Registering providers for SDKExamples/DefaultCXX namespace  ...
Warning: the instance already exists.
In this implementation, that means it cannot be changed.
Warning: the instance already exists.
In this implementation, that means it cannot be changed.
Parsing error: parse error: Error adding an instance: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "A provider is already registered for the specified capability."
make[1]: *** [registerproviders] Error 250
make[1]: Leaving directory `/usr/share/Pegasus/samples/Providers/Load'
make: *** [setupSDK] Error 2

# ausearch -m AVC -sv no -ts recent
<no matches>

# make testSDK
make[1]: Entering directory `/usr/share/Pegasus/samples/Clients'
make[2]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[3]: Entering directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib64/Pegasus/providers/libSDKInstanceProvider.so:SampleInstanceProvider):Cannot load library, error: /usr/lib64/Pegasus/providers/libSDKInstanceProvider.so: failed to map segment from shared object: Permission denied"
make[3]: *** [testSDK] Error 1
make[3]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++/EnumInstances'
make[2]: *** [testSDK] Error 2
make[2]: Leaving directory `/usr/share/Pegasus/samples/Clients/DefaultC++'
make[1]: *** [testSDK] Error 2
make[1]: Leaving directory `/usr/share/Pegasus/samples/Clients'
make: *** [testSDK] Error 2

# ausearch -m AVC -sv no -ts recent
----
time->Thu Feb 28 15:48:31 2008
type=SYSCALL msg=audit(1204210111.755:273): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=2067c0 a2=5 a3=802 items=0 ppid=1 pid=11367 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="cimserver" exe="/usr/sbin/cimserver" subj=root:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1204210111.755:273): avc:  denied  { execute } for  pid=11367 comm="cimserver" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=dm-0 ino=2654599 scontext=root:system_r:pegasus_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file

# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t              /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so

# restorecon -R -v /usr/share/Pegasus/

And here comes the strange thing. After a few attempts/some time the AVC denials are 
not produced anymore?! And the test seems to run fine.

# make testSDK
... runs smoothly and with no avc denials ...
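The audit records pasted above already answer the question at the end of the comment. As an added example, not part of the bug report or of tog-pegasus, the Python below parses the SYSCALL and AVC records from comment 10 and decodes the syscall arguments: `syscall=9` under `arch=c000003e` is `mmap` on x86_64, and `a2=5` is `PROT_READ|PROT_EXEC`. Mapping a file with PROT_EXEC is what SELinux checks as the file `execute` permission, which is why a library that cimserver loads as a provider shows up as an "execute" denial and the loader reports "failed to map segment from shared object: Permission denied". The sample records are copied from the comment and re-joined onto single lines; the small arch/syscall/flag tables and the `explain()` helper are constructed for this example and cover only what these two records need.

```python
import re

# Constructed sample: the SYSCALL and AVC records from comment 10, re-joined
# onto one line each (ausearch wraps them on the terminal).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1204210111.755:273): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=2067c0 a2=5 a3=802 items=0 ppid=1 pid=11367 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=25 comm="cimserver" exe="/usr/sbin/cimserver" subj=root:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1204210111.755:273): avc:  denied  { execute } for  pid=11367 comm="cimserver" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=dm-0 ino=2654599 scontext=root:system_r:pegasus_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
"""

# Only the constants these records need: AUDIT_ARCH_X86_64, the x86_64 mmap
# syscall number, and the Linux mmap prot/flags bits.
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALLS_X86_64 = {9: "mmap"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
            0x800: "MAP_DENYWRITE"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line: str) -> dict:
    """Turn one audit record into a dict of its key=value fields, adding the
    event serial and, for AVC records, the decision and permission list."""
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(2)
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["permissions"] = avc.group(2).split()
    return rec


def bits_to_names(value: int, table: dict) -> list:
    """Expand a bitmask into the flag names set in it."""
    return [name for bit, name in table.items() if value & bit]


def correlate(audit_text: str) -> list:
    """Group records by audit serial so each AVC sits beside its SYSCALL."""
    events = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return list(events.values())


def explain(event: dict) -> dict:
    """Summarise a denial: which domain was refused which permission on which
    object, and what the syscall arguments say it was actually trying to do."""
    avc = event["AVC"]
    info = {
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "permissions": avc["permissions"],
        "path": avc.get("path"),
        "comm": avc.get("comm"),
    }
    sc = event.get("SYSCALL")
    if sc:
        arch = ARCH_NAMES.get(sc["arch"], sc["arch"])
        number = int(sc["syscall"])
        name = SYSCALLS_X86_64.get(number) if arch == "x86_64" else None
        info["syscall"] = name or f"{arch}/{number}"
        info["errno"] = -int(sc["exit"])  # exit=-13 is EACCES
        if name == "mmap":  # mmap(addr, length, prot, flags, fd, offset)
            info["prot"] = bits_to_names(int(sc["a2"], 16), PROT_BITS)
            info["flags"] = bits_to_names(int(sc["a3"], 16), MAP_BITS)
    return info


if __name__ == "__main__":
    for event in correlate(SAMPLE_AUDIT):
        print(explain(event))
```

Run stand-alone it reports pegasus_t denied `execute` on a usr_t file, mapped `PROT_READ|PROT_EXEC` with `MAP_PRIVATE|MAP_DENYWRITE`, which is exactly the signature of a dlopen()ed shared object; the target type usr_t, not lib_t, is the labeling problem the rest of the bug is about.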

Comment 11 Daniel Walsh 2008-02-28 17:52:08 UTC
After you do the restorecon what does the ll -Z show?

ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so


Comment 12 Eduard Benes 2008-02-28 20:34:42 UTC
As noted in the previous comment, after running make it shows:

# ll -Z /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so
-rwxr-xr-x  root root root:object_r:usr_t              /usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so

Comment 13 Daniel Walsh 2008-03-04 21:53:02 UTC
Fixed in selinux-policy-2.4.6-124

Comment 15 Eduard Benes 2008-03-17 15:51:15 UTC
Dan, what should be the correct context on the .so files in the 
/usr/share/Pegasus/samples/lib/ directory?
There are two file contexts, defined in the targeted version of the file_contexts 
file, that could match these files (in this order):

/usr/(.*/)?lib(/.*)?    system_u:object_r:lib_t:s0
...
/usr/(.*/)?lib/.+\.so   --      system_u:object_r:shlib_t:s0

The files are being labeled with type lib_t. And when I try to manually change 
the context to shlib_t it shows a message about the change, but nothing 
happens. Are there any restrictions I'm missing here? I thought the file should 
get the last context found in the file_contexts file. 

Here is what happens when I try to change the context manually: 

# chcon -Rcv -t shlib_t lib/
context of lib/ changed to system_u:object_r:shlib_t
context of lib//libSDKFilesAndDirectories.so changed to root:object_r:shlib_t
context of lib//libSDKAssociationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKIndicationProvider.so changed to root:object_r:shlib_t
context of lib//libSDKcmpiCWS_Util.so changed to root:object_r:shlib_t
context of lib//libSDKDisplayConsumer.so changed to root:object_r:shlib_t
context of lib//libSDKMethodProvider.so changed to root:object_r:shlib_t
context of lib//libSDKInstanceProvider.so changed to root:object_r:shlib_t
context of lib//target changed to system_u:object_r:shlib_t

# ll -Zd lib/
drwxr-xr-x  root pegasus system_u:object_r:lib_t          lib/
[root@rasputin samples]# ll -Z lib/
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKAssociationProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKcmpiCWS_Util.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKDisplayConsumer.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKFilesAndDirectories.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKIndicationProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKInstanceProvider.so
-rwxr-xr-x  root root    root:object_r:lib_t              libSDKMethodProvider.so
-rw-r--r--  root pegasus system_u:object_r:lib_t          target

# rpm -q selinux-policy
selinux-policy-2.4.6-125.el5

And almost forgot to mention that running the SDK samples does not give AVC 
denials any more.

Comment 16 Daniel Walsh 2008-03-17 19:25:11 UTC
shlib_t == lib_t in targeted policy.

They are aliases for each other.
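Comments 2, 15 and 16 together account for every label seen in this bug. As an added example that is not part of the bug report or of libselinux, the Python below models file_contexts matching just far enough to reproduce them: entries are tried from the bottom of the file upward and the first hit (the last-listed entry) wins, an entry carrying a `--` modifier applies only to regular files, and a type that is an alias (shlib_t for lib_t in targeted policy) is displayed under its canonical name. The three entries are the ones quoted in comments 2 and 15, with comment 2's `gen_context(...)` written in the form it takes in the compiled file_contexts file. Their relative order inside the two constructed fragments is an assumption chosen so the toy reproduces the before-fix (usr_t) and after-fix (lib_t) labels; the real libselinux matcher adds stem-based lookup and other refinements this toy omits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# file_contexts file-type modifiers; "--" restricts an entry to regular files.
FILE_TYPE_MODIFIERS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
                       "-b": "blk", "-s": "sock", "-p": "fifo"}

# Comment 16: shlib_t is an alias of lib_t in targeted policy, so ls -Z shows lib_t.
TYPE_ALIASES = {"shlib_t": "lib_t"}


@dataclass
class Spec:
    regex: re.Pattern
    file_type: Optional[str]  # None: applies to any kind of object
    context: Optional[str]    # None: <<none>>, leave the object alone


def parse_file_contexts(text: str) -> list:
    """Parse file_contexts lines: regex [modifier] context, '#' comments allowed."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, modifier, context = fields
            file_type = FILE_TYPE_MODIFIERS[modifier]
        elif len(fields) == 2:
            pattern, context = fields
            file_type = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # libselinux anchors every pattern at both ends; fullmatch() does the same.
        specs.append(Spec(re.compile(pattern), file_type,
                          None if context == "<<none>>" else context))
    return specs


def lookup(specs: list, path: str, kind: str = "file") -> Optional[str]:
    """Walk the entries from the last line upward; the first entry whose regex
    matches the whole path and whose modifier fits the object kind wins."""
    for spec in reversed(specs):
        if spec.file_type is not None and spec.file_type != kind:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def displayed_type(context: Optional[str]) -> Optional[str]:
    """The type name ls -Z would print: aliases resolve to the canonical type."""
    if context is None:
        return None
    type_name = context.split(":")[2]
    return TYPE_ALIASES.get(type_name, type_name)


# Constructed fragments. The entries are the ones quoted on the page; their
# order is an assumption (see the lead-in).
BEFORE_FIX = r"""
/usr/(.*/)?lib(/.*)?                system_u:object_r:lib_t:s0
/usr/(.*/)?lib/.+\.so       --      system_u:object_r:shlib_t:s0
/usr/share(/.*)?/lib(64)?(/.*)?     system_u:object_r:usr_t:s0
"""
AFTER_FIX = r"""
/usr/(.*/)?lib(/.*)?                system_u:object_r:lib_t:s0
/usr/(.*/)?lib/.+\.so       --      system_u:object_r:shlib_t:s0
"""

SAMPLE_LIB = "/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so"
SAMPLE_DIR = "/usr/share/Pegasus/samples/lib"


def label_samples(file_contexts: str) -> dict:
    """Displayed type for the sample library (a regular file) and its directory."""
    specs = parse_file_contexts(file_contexts)
    return {
        SAMPLE_LIB: displayed_type(lookup(specs, SAMPLE_LIB, "file")),
        SAMPLE_DIR: displayed_type(lookup(specs, SAMPLE_DIR, "dir")),
    }


if __name__ == "__main__":
    for name, fc in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(name, label_samples(fc))
```

With the comment-2 entry present the library and its directory both resolve to usr_t; with it removed the `.so` hits the `--` shlib_t entry and the directory, which that entry skips, hits the lib_t one, matching the `ll -Zd lib/` and `ll -Z lib/` output in comment 15. The raw context returned for the `.so` is still shlib_t, which is why chcon reports a change to shlib_t while ll -Z keeps printing lib_t.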

Comment 19 errata-xmlrpc 2008-05-21 16:05:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html