Bug 584550
| Summary: | SELinux is preventing /usr/sbin/prelink "setattr" access. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Christian Kujau <redhat> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | low |
| Version: | 13 | CC: | dwalsh, mgrepl, redhat |
| Hardware: | x86_64 | OS: | Linux |
| Fixed In Version: | selinux-policy-3.7.19-6.fc13 | Doc Type: | Bug Fix |
| Last Closed: | 2010-04-28 03:07:31 UTC | | |
| Whiteboard: | setroubleshoot_trace_hash:5563c4ef721151795ca9b0372445e8335c59f027d499214381552437d1157298 | | |
Description
Christian Kujau
2010-04-21 20:27:40 UTC
Fresh install of F13 on an Intel iMac. The only big change so far is that /tmp is a tmpfs, /home is mounted via NFS and the system configured as an NIS client:

```
# egrep 'home|/tmp' /proc/mounts
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0
gate:/home /home nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.200.0.10,mountvers=3,mountport=4002,mountproto=udp,fsc,addr=10.200.0.10 0 0
```

Hm, this looks like #546771 - which is said to be "fixed in abrt-1.0.2" (F12/updates-testing), but the bug is still tagged NEW. And rightly so, I guess :-\

No, I don't think this is the same. Did you run prelink in a terminal or were you installing some apps which caused prelink to run?

No, I did not use prelink manually. I just "reproduced" this: I'm logging in to Gnome after a fresh reboot, started a terminal, running nothing else. I'm waiting a while for things to calm down. No Yum; PackageKit is uninstalled already. But when I start Firefox I'm presented with the SELinux warning. Running Firefox through strace(1) reveals a few prelink calls:

```
stat("/usr/sbin/prelink", {st_mode=S_IFREG|0755, st_size=1262168, ...}) = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libnssdbm3.so"], [/* 55 vars */]) = 0
open("/tmp/undo.#prelink#.iVmjXE", O_RDWR|O_CREAT|O_EXCL, 0600) = 2
utime("/tmp/undo.#prelink#.iVmjXE", [2010/04/21-17:39:23, 2010/04/15-08:43:28]) = 0
read(0, "unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023\0", 4095) = 51
setxattr("/tmp/undo.#prelink#.iVmjXE", "security.selinux", "system_u:object_r:lib_t:s0", 27, 0) = 0
unlink("/tmp/undo.#prelink#.iVmjXE") = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libfreebl3.so"], [/* 55 vars */]) = 0
[...]
```

and so on.

Created attachment 408203
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P default

Created attachment 408204
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P tmp

Somehow I cannot reproduce the SELinux warning when I'm starting a pristine Firefox Profile ("tmp") but only when starting Firefox with my "default" profile, where all sorts of things are tuned and stored (esp. password manager, FIPS is enabled). I've created the strace logs, if it is any good....

Ok, I will add a dontaudit in next release.

Fixed in selinux-policy-3.7.19-5.fc13.noarch

selinux-policy-3.7.19-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13

selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13

selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

Hm, strange. I had updates-testing enabled anyway, but even "--enablerepo=updates-testing" did not get me 3.7.19-6. Manually downloading selinux-policy and selinux-policy-targeted, forcefully removing the old packages and installing the new ones fixed this issue. Now Firefox starts w/o the SELinux warning. Thanks!

Just means it had not been pushed to your mirror yet.
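For triaging strace logs like the ones attached to this report, the sketch below pairs each prelink invocation with the SELinux relabel it attempts on its temp file. It is an added example, not part of the bug report or of any Fedora tooling; the function name `summarize` and the sample lines are constructed, and it assumes one process per input as `strace -ff` produces.

```python
import re

# Constructed sample in the shape of the strace lines quoted in the report.
# The second temp-file name and its EACCES result are made up to exercise
# the failure path; the report's own excerpt shows setxattr returning 0.
SAMPLE = '''\
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libnssdbm3.so"], [/* 55 vars */]) = 0
open("/tmp/undo.#prelink#.iVmjXE", O_RDWR|O_CREAT|O_EXCL, 0600) = 2
setxattr("/tmp/undo.#prelink#.iVmjXE", "security.selinux", "system_u:object_r:lib_t:s0", 27, 0) = 0
unlink("/tmp/undo.#prelink#.iVmjXE") = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libfreebl3.so"], [/* 55 vars */]) = 0
open("/tmp/undo.#prelink#.Qa81xZ", O_RDWR|O_CREAT|O_EXCL, 0600) = 2
setxattr("/tmp/undo.#prelink#.Qa81xZ", "security.selinux", "system_u:object_r:lib_t:s0", 27, 0) = -1 EACCES (Permission denied)
'''

EXECVE = re.compile(r'execve\("(?P<path>[^"]+)", \[(?P<argv>.*?)\], ')
SETXATTR = re.compile(
    r'setxattr\("(?P<file>[^"]+)", "security\.selinux", "(?P<ctx>[^"]+)"'
    r'.*\) = (?P<ret>-?\d+)(?: (?P<errno>E\w+))?')


def summarize(lines):
    """Pair each prelink execve with the SELinux relabels that follow it."""
    runs, current = [], None
    for line in lines:
        m = EXECVE.search(line)  # search() tolerates a -tt timestamp prefix
        if m:
            current = None  # any other exec ends the current prelink run
            if m["path"].endswith("/prelink"):
                args = re.findall(r'"([^"]*)"', m["argv"])
                current = {"target": args[-1] if args else None,
                           "undo": "-u" in args, "relabels": []}
                runs.append(current)
            continue
        m = SETXATTR.search(line)
        if m and current is not None:
            parts = m["ctx"].split(":")  # user:role:type:level
            current["relabels"].append({
                "file": m["file"],
                "type": parts[2] if len(parts) > 2 else m["ctx"],
                "denied": m["errno"] in ("EACCES", "EPERM"),
            })
    return runs


if __name__ == "__main__":
    for run in summarize(SAMPLE.splitlines()):
        print(run["target"], run["relabels"])
```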