Bug 603606

Summary: SELinux is preventing /usr/sbin/prelink "getattr" access to /usr/libexec/telepathy-sofiasip.
Product: Red Hat Enterprise Linux 6 Reporter: Matěj Cepl <mcepl>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0   
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:85e46c092a313e8f7365b50beed46b48442063bf1064e06967d02eccf6ed965a
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-14 22:43:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2010-06-14 05:22:19 UTC 
Souhrn:

SELinux is preventing /usr/sbin/prelink "getattr" access to
/usr/libexec/telepathy-sofiasip.

Podrobný popis:

[SELinux je v tolerantním režimu. Přístup byl povolen.]

SELinux denied prelink getattr on /usr/libexec/telepathy-sofiasip. The prelink
program is only allowed to manipulate files that are identified as executables
or shared libraries by SELinux. Libraries that get placed in lib directories get
labeled by default as a shared library. Similarly, executables that get placed
in a bin or sbin directory get labeled as executables by SELinux. However, if
these files get installed in other directories they might not get the correct
label. If prelink is trying to manipulate a file that is not a binary or share
library this may indicate an intrusion attack.

Povolení přístupu:

You can alter the file context by executing "chcon -t bin_t
'/usr/libexec/telepathy-sofiasip'" or "chcon -t lib_t
'/usr/libexec/telepathy-sofiasip'" if it is a shared library. If you want to
make these changes permanent you must execute the semanage command. "semanage
fcontext -a -t bin_t '/usr/libexec/telepathy-sofiasip'" or "semanage fcontext -a
-t lib_t '/usr/libexec/telepathy-sofiasip'". If you feel this executable/shared
library is in the wrong location please file a bug against the package that
includes the file. If you feel that SELinux should know about this file and
label it correctly please file a bug against SELinux policy.

Další informace:

Kontext zdroje                system_u:system_r:prelink_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:unlabeled_t:s0
Objekty cíle                 /usr/libexec/telepathy-sofiasip [ file ]
Zdroj                         prelink
Cesta zdroje                  /usr/sbin/prelink
Port                          <Neznámé>
Počítač                    (removed)
RPM balíčky zdroje          prelink-0.4.3-3.el6
RPM balíčky cíle           telepathy-sofiasip-0.6.2-1.el6
RPM politiky                  selinux-policy-3.7.19-24.el6
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim            Permissive
Název zásuvného modulu     prelink_mislabled
Název počítače            (removed)
Platforma                     Linux (removed) 2.6.32-33.el6.x86_64 #1
                              SMP Thu Jun 3 13:00:03 EDT 2010 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Po 14. červen 2010, 03:11:51 CEST
Naposledy viděno             Po 14. červen 2010, 03:11:51 CEST
Místní ID                   c24d1129-a6d7-4417-b808-e8661718a70a
Čísla řádků              

Původní zprávy auditu      

node=(removed) type=AVC msg=audit(1276477911.319:4451): avc:  denied  { getattr } for  pid=6008 comm="prelink" path="/usr/libexec/telepathy-sofiasip" dev=dm-1 ino=533575 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276477911.319:4451): arch=c000003e syscall=6 success=yes exit=0 a0=a2f790 a1=7fffbad84340 a2=7fffbad84340 a3=1000 items=0 ppid=5999 pid=6008 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=678 comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  prelink_mislabled,prelink,prelink_t,unlabeled_t,file,getattr
audit2allow suggests:

#============= prelink_t ==============
allow prelink_t unlabeled_t:file getattr;
Comment 1 Matěj Cepl 2010-06-14 05:24:43 UTC 
Maybe that's just another aspect of my past experimental telepathy-sofiasip module:

johanka:~# restorecon -v -R /usr/libexec/
restorecon reset /usr/libexec/telepathy-sofiasip context system_u:object_r:telepathy_sofiasip_exec_t:s0->system_u:object_r:telepathysofiasip_exec_t:s0
johanka:~#
Comment 3 RHEL Program Management 2010-06-14 05:43:24 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 4 Daniel Walsh 2010-06-14 22:43:49 UTC 
This was caused by the bogus telepathy policy this machine had installed.