Bug 523511

Summary: setroubleshoot: SELinux is preventing /sbin/ldconfig "read" access on /usr/share/ibus-pinyin/engine/pysqlitedb.py.
Product: [Fedora] Fedora Reporter: Jesse Leal dos Santos <jesse>
Component: ibus-pinyinAssignee: Peng Huang <phuang>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, eparis, gczarcinski, i18n-bugs, idht4n, mgrepl, phuang, sdsmall
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:4cd37f37b4c65cb9c8b4b5feea1f9091d9ec265444a59e9061e1e58182a0fcd7
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-24 05:13:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jesse Leal dos Santos 2009-09-15 19:01:14 UTC 
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /sbin/ldconfig "read" access on
/usr/share/ibus-pinyin/engine/pysqlitedb.py.

Detailed Description:

[ldconfig has a permissive type (ldconfig_t). This access was not denied.]

SELinux denied access requested by ldconfig. It is not expected that this access
is required by ldconfig and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:ldconfig_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/share/ibus-pinyin/engine/pysqlitedb.py [ file
                              ]
Source                        ldconfig
Source Path                   /sbin/ldconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           glibc-2.10.90-21
Target RPM Packages           ibus-pinyin-1.2.0.20090617-2.fc12
Policy RPM                    selinux-policy-3.6.31-3.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.125.4.2.rc5.git2.fc12.x86_64 #1 SMP Tue
                              Aug 11 21:00:45 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 15 Sep 2009 03:41:43 PM BRT
Last Seen                     Tue 15 Sep 2009 03:41:43 PM BRT
Local ID                      bd57aa1b-4a46-432f-af6e-f9e4a55b0270
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253040103.907:45): avc:  denied  { read } for  pid=2140 comm="ldconfig" path="/usr/share/ibus-pinyin/engine/pysqlitedb.py" dev=sda3 ino=64471 scontext=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1253040103.907:45): arch=c000003e syscall=59 success=yes exit=0 a0=16ac9b0 a1=16abde0 a2=16abac0 a3=7fff2c0e1a20 items=0 ppid=2139 pid=2140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= ldconfig_t ==============
allow ldconfig_t usr_t:file read;
Comment 1 Daniel Walsh 2009-09-15 19:30:39 UTC 
I beleive this is a leaked file descriptor to  /usr/share/ibus-pinyin/engine/pysqlitedb.py

Did this happen during the yum update or rpm install?
Comment 2 Peng Huang 2009-09-15 22:56:20 UTC 
Below is the %files section in ibus-pinyin.spec. Dose it have any problem? What should I do to fix this problem?

%files -f %{name}.lang
%defattr(-,root,root,-)
%doc AUTHORS COPYING README
%{_datadir}/ibus-pinyin               # *.py files is in this folder
%{_datadir}/ibus/component/*
%{_libexecdir}/ibus-engine-pinyin
%{_libexecdir}/ibus-setup-pinyin
Comment 3 Daniel Walsh 2009-09-16 12:23:32 UTC 
Eric do you have any ideas?
Comment 4 Bug Zapper 2009-11-16 12:27:00 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Peng Huang 2009-11-24 05:13:32 UTC 
I think ldconfig should not access this file. It is not a share library. So I will close it as notabug.