Bug 617832

Summary: SELinux is preventing sh "execute" access on /sbin/ldconfig.
Product: [Fedora] Fedora
Reporter: Antonio T. (sagitter) <anto.trande>
Component: telepathy-mission-control
Assignee: Peter Robinson <pbrobinson>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: anto.trande, bdpepple, bruce, christian.joensson, cleitoncfl, dwalsh, james.brown, johannbg, kanelxake, mgrepl, pbrobinson, peter, renich
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:e083ee5fd09a795ac14a46169970f425165370baef691a16c80c2c5a369a52b1
Fixed In Version: telepathy-mission-control-5.5.3-1.fc14
Doc Type: Bug Fix
Last Closed: 2010-08-21 20:37:30 UTC

Description Antonio T. (sagitter) 2010-07-24 10:07:45 UTC
Summary:

SELinux is preventing sh "execute" access on /sbin/ldconfig.

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_msn_t
                              :SystemLow-SystemHigh
Target Context                system_u:object_r:ldconfig_exec_t:SystemLow
Target Objects                /sbin/ldconfig [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           glibc-2.12.90-6
Policy RPM                    selinux-policy-3.8.8-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.34-43.fc14.i686 #1 SMP Thu Jun 17 10:29:59 UTC
                              2010 i686 i686
Alert Count                   5
First Seen                    Sat 24 Jul 2010 12:06:07 CEST
Last Seen                     Sat 24 Jul 2010 12:06:10 CEST
Local ID                      f370f923-b57e-4ef2-94c4-ae56080e830d
Line Numbers

Raw Audit Messages

node=(rimosso) type=AVC msg=audit(1279965970.423:23179): avc:  denied  { execute } for  pid=1936 comm="sh" name="ldconfig" dev=sda7 ino=30272 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file



Hash String generated from  catchall,sh,telepathy_msn_t,ldconfig_exec_t,file,execute
audit2allow suggests:

#============= telepathy_msn_t ==============
allow telepathy_msn_t ldconfig_exec_t:file execute;
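
Added example (not part of the original report, and not audit2allow's own code): the Python below parses AVC denial records like the one above, groups them by source type, target type and object class, and renders the audit2allow-style rule for review. The second AVC record and the SYSCALL record in `SAMPLE` are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First record is the AVC line from this report; the other two are constructed.
SAMPLE = '''\
node=(rimosso) type=AVC msg=audit(1279965970.423:23179): avc:  denied  { execute } for  pid=1936 comm="sh" name="ldconfig" dev=sda7 ino=30272 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
node=(rimosso) type=AVC msg=audit(1279965970.500:23180): avc:  denied  { read open } for  pid=1936 comm="sh" name="ldconfig" dev=sda7 ino=30272 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1279965970.423:23179): arch=40000003 syscall=11 success=no
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        # A context is user:role:type[:level]; the type is the third field.
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return rules

def render(rules):
    """Render grouped denials as allow rules, one per (source, target, class)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {body};')
    return out

if __name__ == '__main__':
    print('\n'.join(render(summarize(SAMPLE))))
```
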

Comment 1 Daniel Walsh 2010-07-26 21:26:52 UTC
Why is telepath executing ldconfig?

Comment 2 Bug Zapper 2010-07-30 12:48:58 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Fedora Update System 2010-08-21 21:56:49 UTC
telepathy-mission-control-5.4.3-2.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/telepathy-mission-control-5.4.3-2.fc14

Comment 4 Fedora Update System 2010-08-23 19:17:54 UTC
telepathy-mission-control-5.5.3-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/telepathy-mission-control-5.5.3-1.fc14

Comment 5 Daniel Walsh 2010-08-23 19:57:15 UTC
Peter did you take away the execution of ldconfig?

Comment 6 Peter Robinson 2010-08-23 20:17:09 UTC
(In reply to comment #5)
> Peter did you take away the execution of ldconfig?

I did in 5.4.3-2 but then 5.5.x added some other libraries:
%{_libdir}/libmission-control-plugins.so.0
%{_libdir}/libmission-control-plugins.so.0.2.0

So as far as I can tell from the package guidelines I can need it. If you can tell me otherwise I'll happily remove it.

Comment 7 Daniel Walsh 2010-08-23 20:22:22 UTC
You can run ldconfig in the post install 

%post
/sbin/ldconfig
exit 0

Not the running of the app.

Comment 8 Fedora Update System 2010-09-02 03:59:37 UTC
telepathy-mission-control-5.5.3-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.