Bug 532506
| Summary: | gcj-dbtool: Permission denied (SELinux issue) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andrew Overholt <overholt> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 12 | CC: | aph, awilliam, dwalsh, jakub, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-12-23 14:16:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andrew Overholt
2009-11-02 16:52:26 UTC
I saw some rather similar messages when updating last night: Updating : libgcj-4.4.2-7.fc12.x86_64 16/220 /var/tmp/rpm-tmp.e4hq6h: line 3: /usr/bin/gij: Permission denied Updating : 1:openoffice.org-impress-core-3.1.1-19.14.fc12.x86 33/220 /usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied Updating : 1:openoffice.org-presenter-screen-3.1.1-19.14.fc12 34/220 /usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied /usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/uno: line 44: /usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/javaldx: Permission denied Updating : 1:openoffice.org-draw-core-3.1.1-19.14.fc12.x86_64 56/220 /usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied Updating : 1:openoffice.org-pdfimport-3.1.1-19.14.fc12.x86_64 57/220 /usr/lib64/openoffice.org3/program/unopkg: line 85: /usr/lib64/openoffice.org3/program/../basis-link/ure-link/bin/javaldx: Permission denied /usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/uno: line 44: /usr/lib64/openoffice.org/basis3.1/program/../ure-link/bin/javaldx: Permission denied I notice that all the problematic commands seem to be Java-related... -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers There have been no libjava/gcc-java related changes in the last few months and from what I've seen reported gij is properly labeled with java_exec_t, so I bet this is a selinux policy issue. despite what I said on the list (to assign this to the package with the problematic executables), on second thoughts I guess it's probably SELinux related...CCing Dan. Dan? -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers heh, jinx! -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers On F11 in F12 mock chroot latest gij shows:
[pid 24810] statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
[pid 24810] open("/tmp/ffibvudJI", O_RDWR|O_CREAT|O_EXCL, 0600) = 8
[pid 24810] unlink("/tmp/ffibvudJI") = 0
[pid 24810] ftruncate(8, 4096) = 0
[pid 24810] mmap(NULL, 4096, PROT_READ|PROT_EXEC, MAP_SHARED, 8, 0) = 0x7f5733419000
[pid 24810] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 8, 0) = 0x7f5733418000
which looks correct. So, either something is wrong in the policy, or selinuxfs magic changed (or isn't mounted at /selinux).
I just tried both updates and I am seeing neither problem. rpm -q selinux-policy selinux-policy-3.6.32-38.fc12.noarch What policy are you trying this with? I was on selinux-policy-3.6.32-35.fc12.noarch . Neither 36, 37 nor 38 has been tagged for F12 final, so none of them is in the F12 repos at present. If you think these builds should be in F12 final, you should file a tag request...ah, I see there's one for 37 - https://fedorahosted.org/rel-eng/ticket/2916 - but it hasn't been accepted yet. I've updated to 38, I'll stick some feedback on the tag request later. Would you expect this to have been broken in 35 and fixed by one of the changes since? -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers No, but I just wanted to see why it does not happen on my machine. yum reinstall swing-layout [root@adam Fedora]# yum reinstall swing-layout Loaded plugins: dellsysidplugin2, fastestmirror, presto, refresh-packagekit Setting up Reinstall Process Loading mirror speeds from cached hostfile * rawhide: mirrors.tummy.com * rpmfusion-free-rawhide: mirrors.tummy.com * rpmfusion-nonfree-rawhide: mirrors.tummy.com No Match for argument: swing-layout Package(s) swing-layout available, but not installed. Nothing to do [root@adam Fedora]# rpm -q swing-layout package swing-layout is not installed -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers Try yum install swing-layout oh, sorry, now I see what you're trying to do, that was the OP's reproduction case. trying... that completed with no errors. I'm running selinux-policy -38 now, and I've rebooted since I had my problems with openoffice.org-related components (see my comment). -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping |