Bug 596444
Summary: | SELinux empêche /usr/sbin/prelink d'"read" au périphérique /etc/pki/tls/certs/Makefile. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Carl G. <carlg> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 13 | CC: | dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:93f117ea120c58e6aa8671b43a5a886308d8de0ccdb3e516a242ea4d840197a4 | ||
Fixed In Version: | selinux-policy-3.7.19-33.fc13 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-07-06 17:08:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Carl G.
2010-05-26 18:37:46 UTC
Why is prelink in reading these files? Are they all marked as executables? -rw-r--r--. 1 root root 720649 15 janv. 12:11 ca-bundle.crt -rwxr-xr-x. 1 root root 610 18 mai 12:12 make-dummy-cert -rw-r--r--. 1 root root 2242 18 mai 12:12 Makefile -rwxr-xr-x. 1 root root 5178 18 mai 12:11 CA -rwxr-xr-x. 1 root root 119 18 mai 12:11 c_hash -rwxr-xr-x. 1 root root 152 18 mai 12:11 c_info -rwxr-xr-x. 1 root root 112 18 mai 12:11 c_issuer -rwxr-xr-x. 1 root root 110 18 mai 12:11 c_name The AVC appeared when i was executing yum updates (GnuTLS got updated). system_u:object_r:cert_t:s0 is the label of the files above. Right are these files executables. The problem is prelink needs to be able to /read/write all executables on the system. Since these are in the cert directory it seems pretty strange place for exes. If you relabel them to bin_t this AVC will go away. Should we label these as bin_t by default? (In reply to comment #4) > Right are these files executables. The problem is prelink needs to be able to > /read/write all executables on the system. Since these are in the cert > directory it seems pretty strange place for exes. If you relabel them to bin_t > this AVC will go away. Should we label these as bin_t by default? CC tmraz? Miroslav add labeling /etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0) /etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0) Fixed in selinux-policy-3.7.19-30.fc13 selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13 selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13 selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |