Bug 438308
| Summary: | changes in rhel5.2 gcc caused gdb.base/prelink.exp to FAIL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Petr Muller <pmuller> | ||||||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||
| Severity: | low | Docs Contact: | |||||||||
| Priority: | low | ||||||||||
| Version: | 5.2 | CC: | ebenes, jakub, jan.kratochvil, ohudlick | ||||||||
| Target Milestone: | rc | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | RHBA-2008-0465 | Doc Type: | Bug Fix | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2008-05-21 16:43:12 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Petr Muller
2008-03-20 10:59:02 UTC
Created attachment 298681 [details]
PASSing log
test log with
gcc-4.1.2-41.el5
gdb-6.5-37.el5
Created attachment 298682 [details]
FAILing log
testcase log for
gcc-4.1.2-41.el5
gdb-6.5-37.el5
sorry, comment 1 should state gcc-4.1.2-14.el5, not -41 Tested on: http://qafiler.boston.redhat.com/redhat/nightly/RHEL5.2-Server-20080319.nightly/5/i386/os/ # runtest gdb.base/prelink.exp ... Running ../../../gdb/testsuite/gdb.base/prelink.exp ... prelink: Could not set security context for /root/jkratoch/redhat/gdb-6.5-37.el5.src/gdb-6.5/build-i386-redhat-linux-gnu/gdb/testsuite/gdb.base/prelink.so: Permission denied prelink: /root/jkratoch/redhat/gdb-6.5-37.el5.src/gdb-6.5/build-i386-redhat-linux-gnu/gdb/testsuite/gdb.base/prelink.so does not have .gnu.prelink_undo section ... `setenforce 0' "fixes" this problem. But it behaves randomly/unreproducively. Not sure if it is related to whether auditd is running - IMO I also fixed the problem by `service auditd start'. Reproducer (but in some machine mood it works): # touch empty.c; gcc -o empty.so -shared -fPIC -Wall empty.c; prelink -qNR ./empty.so prelink: Could not set security context for /root/jkratoch/redhat/empty.so: Permission denied setxattr("/root/jkratoch/redhat/empty.so.#prelink#.SdWpnf", "security.selinux"..., "root:object_r:user_home_t:s0", 29, 0) = -1 EACCES (Permission denied) write(2, "prelink: ", 9) = 9 write(2, "Could not set security context f"..., 65) = 65 No selinux messages in the system log found. Fixed in /selinux-policy-2.4.6-126.el5.src.rpm ad comment 4: that is IMO different issue. My tests were run with permissive mode and the only difference between PASS and FAIL is the version of gcc as stated on comment 0 For the selinux part: (In reply to comment #5) > Fixed in /selinux-policy-2.4.6-126.el5.src.rpm I do not see a %changelog entry for it but the files changed there for prelink: * Tue Mar 11 2008 Dan Walsh <dwalsh> 2.4.6-126 - Allow lvm to create fifo_file - Fix building of policy modules with Makefile Resolves: #438234 And I can confirm it no longer fails during my attempt (although it was not always reproducible even before). Created attachment 298807 [details]
GDB testcase fix.
For the GDB part:
It is only a testcase problem, no need for a RHEL-5.2 GDB respin.
Explanation to be possibly approved by Jakub:
`--no-exec-shield' is for i386 where prelink in the exec-shield mode is
forced to push all the libraries tight together to fit into the first two
memory areas (either the ASCII Shield area or at least below the executable).
In this case its -R option cannot be applied and we falsely FAIL here as if
the system is already prelinked prelink has no choice how to randomize the
single new unprelinked library address without wasting the first one/two
memory areas. We do not care of the efficiency of loading such resulting
exec-shield unfriendly prelinked library.
THe change was to make prelink and unconfined app, Since it can currently rewrite every executable on the system, having it confined makes no sense. It has been unconfined in F7, F8, F9 Plus people expect prelink to be able to read every directory on the system since they could put an executable anywhere. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html |