Bug 595977
| Summary: | SELinux is preventing unix_chkpwd "getattr" access on /usr/sbin/prelink. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Joel Kirchmeyer <kirchmeyer> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 13 | CC: | cz172638, dwalsh, eparis, jakub, jfeeney, jmorris, mgrepl, sdsmall, sgrubb, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:0357a34ab2753c82bc3d35df8554b735fbfaaea625dcb8453dc133ba3c8f5e68 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-02-22 17:30:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Joel Kirchmeyer
2010-05-26 03:20:01 UTC
Why would unix_chkpwd be looking at the prelink executable? I registered this error in FIPS mode, when packagekit asked me for the root password. When the password was entered, authentication was successful and the operation was performed despite the SELinux denial.

In FIPS mode the crypto libraries do during startup a mandated self-test against accidental corruption of themselves. It uses `prelink -o - -u library` to output the unprelinked library's content to stdout (which is then checksummed or whatever the library wants to do with it).

Well, SELinux is not going to get along with this... Does this mean every login app and potentially every app needs to run prelink? I wonder if prelink_exec is enough, since it is not modifying the content on disk.

Well, not just every login app: in FIPS mode any app that loads in the crypto libs (libfreebl3.so). Sure, prelink in that mode doesn't need very special privileges; all it needs is to be able to read the library, write a temporary file in /tmp/ (O_RDWR|O_CREAT|O_EXCL), and that's about it. You can strace it to see what it does.

This means I need a new prelink domain prelink_fips_t, and prelink_fips_tmp_t:

```
if fips_mode {
    prelink_domtrans_fips(domain)
}
```

Then allow the prelink_fips_t to write to prelink_fips_tmp_t. But I am not sure how we handle prelink_domtrans separately. I guess I could add an attribute, prelink_domain, to all domains that call prelink_domtrans and then have policy that says:

```
if fips_mode {
    prelink_domtrans_fips(domain -prelink_domain)
}
```

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
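The thread above notes that in FIPS mode every confined domain loading the crypto libraries will hit denials against prelink, and the open question is which domains need a new rule. The following is an added example, not code from the bug report or from selinux-policy: it parses kernel AVC records in the standard audit format and groups the denials against `prelink_exec_t` by source domain, so a policy author can see at a glance which domains the FIPS self-test drags into prelink. The audit lines are constructed samples; the pids, inodes and timestamps are made up.

```python
"""Group SELinux AVC denials against prelink_exec_t by source domain.

Added example (not from the bug report): the constructed audit lines below
imitate the denials that FIPS-mode self-tests produce when confined domains
run `prelink -u`; grouping them by scontext lists the domains needing access.
"""
import re
from collections import defaultdict

# Constructed sample records in the kernel AVC format (not from the bug page).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1274842801.123:45): avc:  denied  { getattr } for  pid=2213 comm="unix_chkpwd" path="/usr/sbin/prelink" dev=dm-0 ino=131311 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_exec_t:s0 tclass=file
type=AVC msg=audit(1274842801.124:46): avc:  denied  { execute } for  pid=2213 comm="unix_chkpwd" name="prelink" dev=dm-0 ino=131311 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_exec_t:s0 tclass=file
type=AVC msg=audit(1274842805.500:47): avc:  denied  { getattr } for  pid=2290 comm="sshd" path="/usr/sbin/prelink" dev=dm-0 ino=131311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_exec_t:s0 tclass=file
type=AVC msg=audit(1274842806.000:48): avc:  denied  { write } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1274842806.000:48): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {perms, sdom, ttype, tclass} for an AVC denial line, else None."""
    m = DENIED_RE.search(line)
    if m is None:
        return None  # SYSCALL, PATH and other record types are skipped
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        "perms": set(m.group(1).split()),
        "sdom": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass", ""),
    }


def prelink_denials_by_domain(audit_text, target_type="prelink_exec_t"):
    """Map each source domain to the sorted permissions denied on the target."""
    denied = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == target_type and rec["tclass"] == "file":
            denied[rec["sdom"]].update(rec["perms"])
    return {dom: sorted(perms) for dom, perms in denied.items()}


if __name__ == "__main__":
    for dom, perms in sorted(prelink_denials_by_domain(SAMPLE_AUDIT).items()):
        print(f"{dom}: {' '.join(perms)}")
```

On a real system the same function can be fed the output of `ausearch -m avc` to enumerate every domain that triggers the FIPS-mode prelink denial, rather than discovering them one setroubleshoot alert at a time.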