Bug 471218

Summary: tanukiwrapper generates execmod AVC denial
Product: [Community] Spacewalk
Reporter: Jan Pazdziora <jpazdziora>
Component: Server
Assignee: Jan Pazdziora <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium
Priority: medium
Version: 0.3
CC: msuchy
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Clone Of:
: 480189
Last Closed: 2009-01-22 16:30:30 UTC
Bug Blocks: 456552    

Description Jan Pazdziora 2008-11-12 14:27:58 UTC
Description of problem:

When starting Spacewalk 0.3, an execmod AVC denial is logged:

type=AVC msg=audit(1226431153.819:93): avc:  denied  { execmod } for  pid=3364 comm="java" path="/usr/lib/libwrapper.so" dev=dm-0 ino=883661 scontext=root:system_r:java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

Version-Release number of selected component (if applicable):

Spacewalk 0.3 with tanukiwrapper-3.2.1-2jpp.ep1.1.el5.

How reproducible:

Deterministic.

Steps to Reproduce:
1. eu-findtextrel /usr/lib/libwrapper.so
  
Actual results:

the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetUser' is not compiled with -fpic/-fPIC
the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetInteractiveUser' is not compiled with -fpic/-fPIC
the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeSetConsoleTitle' is not compiled with -fpic/-fPIC
the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeRequestThreadDump' is not compiled with -fpic/-fPIC
the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeInit' is not compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function '_init' might not be compiled with -fpic/-fPIC
the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetJavaPID' is not compiled with -fpic/-fPIC
the file containing the function 'handleInterrupt' is not compiled with -fpic/-fPIC
the file containing the function 'handleTermination' is not compiled with -fpic/-fPIC
the file containing the function 'wrapperJNIHandleSignal' is not compiled with -fpic/-fPIC
the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetControlEvent' is not compiled with -fpic/-fPIC
the file containing the function 'Java_org_tanukisoftware_wrapper_WrapperManager_nativeGetLibraryVersion' is not compiled with -fpic/-fPIC
the file containing the function 'getLastErrorText' is not compiled with -fpic/-fPIC

Expected results:

eu-findtextrel: no text relocations reported in '/usr/lib/libwrapper.so'

Additional info:

The strange thing is that tanukiwrapper-3.1.2-4jpp_3rhn.2.el5 (which we shipped with Satellite 5.2.0) does not have the problem, and starting Spacewalk 0.3 with tanukiwrapper downgraded to 3.1.2 does not generate the AVC denial. I've compared the build.logs and did not find any reason why the results should differ -- there is -fPIC there in both cases.
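
A triage sketch for the two checks used in this report, added here as an example (it is not part of the original bug, Spacewalk or tanukiwrapper): `execmod_denials` extracts execmod denials on files from audit records, and `has_textrel` looks for the DT_TEXTREL / DF_TEXTREL markers in an ELF image's dynamic section, which is where a library built without -fPIC declares its text relocations. The function names and the second sample record are constructed for illustration.

```python
import re
import struct

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# ELF constants: program header type, dynamic tags, and the DT_FLAGS bit.
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def execmod_denials(lines):
    """Return comm/path/contexts for each AVC record denying execmod on a file."""
    hits = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or "execmod" not in m.group(1).split():
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        if f.get("tclass") == "file":
            hits.append({k: f.get(k) for k in ("comm", "path", "scontext", "tcontext")})
    return hits

def has_textrel(elf):
    """True if the ELF image's dynamic section declares text relocations."""
    if elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not a recognisable ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if elf[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    word = "Q" if is64 else "I"
    phoff, = struct.unpack_from(e + word, elf, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54 if is64 else 42)
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(e + "I", elf, ph)[0] != PT_DYNAMIC:
            continue
        off, = struct.unpack_from(e + word, elf, ph + (8 if is64 else 4))
        size, = struct.unpack_from(e + word, elf, ph + (32 if is64 else 16))
        step = 16 if is64 else 8
        for pos in range(off, off + size - step + 1, step):
            tag, val = struct.unpack_from(e + word * 2, elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

# The record from this report, plus one constructed record that must not match.
SAMPLE = [
    'type=AVC msg=audit(1226431153.819:93): avc:  denied  { execmod } for  pid=3364 comm="java" path="/usr/lib/libwrapper.so" dev=dm-0 ino=883661 scontext=root:system_r:java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'type=AVC msg=audit(1226431160.000:94): avc:  denied  { read } for  pid=3370 comm="cat" path="/tmp/x" dev=dm-0 ino=1 scontext=root:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file',
]
```

Feeding each `path` returned by `execmod_denials` to `has_textrel` (reading the file in binary mode) separates libraries that need a -fPIC rebuild from denials with another cause.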

Comment 1 Jan Pazdziora 2008-11-12 14:33:57 UTC
Jesus says:

jmrodri adelton, one thing that is different is the makefile patches for tanukiwrapper
jmrodri adelton, 3.2.1 has this for the compile
jmrodri $(COMPILE) -pthread $(wrapper_SOURCE) -o $(BIN)/wrapper -lm
jmrodri while 3.1.2 has this
jmrodri $(COMPILE) -lm $(wrapper_SOURCE) -o $(BIN)/wrapper
jmrodri diff is -pthread

Comment 2 Jesus M. Rodriguez 2008-11-12 14:37:34 UTC
3.1.2 rpm also patches the %.o: %.c section of the Makefile.linux

3.1.2 orig
$(COMPILE) $(DEFS) -Wp,-MD,.deps/$(*F).pp -c $<

3.1.2 patch
$(COMPILE) $(DEFS) -fPIC -Wp,-MD,.deps/$(*F).pp -c $<

3.2.1 orig
$(COMPILE) $(DEFS) -Wp,-MD,.deps/$(*F).pp -c $<

I'm not sure if -fPIC makes a difference here or not.

Comment 3 Jan Pazdziora 2008-11-12 14:47:08 UTC
adelton jmrodri: It's the pthread which seems to be the difference.
adelton jmrodri: Yes, at least if my vi and /fPIC do not lie.
jmrodri adelton, the odd part is the 3.1.2 has 2 fPIC one for libwrapper.so: $(libwrapper_so_OBJECTS)
jmrodri and another one in %.o: %.c
jmrodri while the 3.2.1 only has it in libwrapper.so: $(libwrapper_so_OBJECTS)
adelton jmrodri: Nod. But I do not see it in the build.log.
jmrodri adelton, agreed I don't see it in build.log either.

Comment 5 Jan Pazdziora 2008-12-18 08:32:01 UTC
It looks like Dennis built / imported

# rpm -q tanukiwrapper
tanukiwrapper-3.1.2-4jpp_3rhn.2.el5

on 2008-11-09 to koji which fixes the problem as well:

# eu-findtextrel /usr/lib/libwrapper.so
eu-findtextrel: no text relocations reported in '/usr/lib/libwrapper.so'

Moving to MODIFIED, taking this bugzilla for possible kickbacks.

Comment 6 Miroslav Suchý 2009-01-15 09:53:16 UTC
# rpm -q tanukiwrapper
tanukiwrapper-3.1.2-4jpp_3rhn.2.el5

And I do not see the given message in audit.log