Bug 625910
| Field | Value |
|---|---|
| Summary | SELinux is preventing /sbin/ldconfig "execute" access on /sbin/ldconfig. |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 14 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Reporter | Joachim Frieben <jfrieben> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | christian.joensson, domg444, dominick.grift, dwalsh, mgrepl, mildred-bug.redhat |
| Whiteboard | setroubleshoot_trace_hash:fbbdae4716799b88d0ca6c80d53aa1866d7357ed9b2e65209f3b53c2f80e91c7 |
| Fixed In Version | selinux-policy-3.9.3-1.fc14 |
| Doc Type | Bug Fix |
| Last Closed | 2010-09-11 03:42:49 UTC |
Description
Joachim Frieben
2010-08-20 19:07:55 UTC
Anyone have any idea why this tool would be executing ldconfig?

Why this is happening I do not know, and the folk on #telepathy seem to not know either. To quote: "dgrift: butterfly is a python app, I don't see why it should run ldconfig"

What I do know is that telepathy-butterfly (probably not haze) needs it. I had to add the following to my policy to make this work:

    libs_run_ldconfig($1_tp_butterfly_t, $2)
    exec_files_pattern($1_tp_butterfly_t, tp_butterfly_tmp_t, tp_butterfly_tmp_t)

Please note that in Fedora, telepathy-butterfly runs in the telepathy_msn_t domain.

*** Bug 624763 has been marked as a duplicate of this bug. ***

Wouldn't it be better to just let it execute it and see what access is needed? ldconfig_t is a pretty powerful domain.

Agreed, I will remove those rules, and see if I can reproduce with just execute_no_trans. Will report back.

Well, I loaded it with corecmd_exec_bin commented and with libs_exec_ldconfig. It seems to only run uname so far, and if it runs ldconfig then so far it appears it does not need any permissions it doesn't have already.

Note though that I haven't been able to test butterfly long and thoroughly (I don't have butterfly contacts, fortunately).

Not sure if you got these already: it manages a dir, file and sock file in /tmp, and it stream connects to gvfsd (for you that's userdom), plus it also reads/writes gvfsd inherited stream sockets.

I will let it run for a while, maybe some new issues arise; if so I will report back.

I noticed that issue as well. If you need an MSN contact, you could contact me at: mildred.msn<at>free.fr

I cannot reproduce it but it runs ldconfig on its temporary file. (Do not ask me why.) So my suggestion is:

Allow telepathy_msn_t to execute ldconfig_exec_t (ldconfig_exec(telepathy_msn_t)).

Allow telepathy_msn_t to execute its own temporary files (can_exec(telepathy_msn_t, telepathy_msn_tmp_t)).

Fixed in selinux-policy-3.9.3-1.fc14

selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
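
The two approaches weighed in this thread, written out as a local policy module. This is an added example, not code from the bug report or from the shipped Fedora policy. It assumes the types telepathy_msn_t and telepathy_msn_tmp_t named above and uses the libs_exec_ldconfig interface mentioned in the comments; the module name and ROLE are placeholders.

```selinux
# local_telepathy_msn.te (hypothetical module name; added example)
policy_module(local_telepathy_msn, 1.0.0)

gen_require(`
	type telepathy_msn_t, telepathy_msn_tmp_t;
')

# Broad option (the first workaround in the thread, left disabled here):
# libs_run_ldconfig() sets up a domain transition, so ldconfig would run
# as ldconfig_t with everything that domain is allowed to do.
# ROLE is a placeholder for the calling role.
#
#   libs_run_ldconfig(telepathy_msn_t, ROLE)

# Narrow option: execute ldconfig without a transition (execute_no_trans).
# The child process stays in telepathy_msn_t and gains no access that
# telepathy_msn_t does not already have.
libs_exec_ldconfig(telepathy_msn_t)

# Allow the domain to execute the temporary files it created itself,
# again without leaving telepathy_msn_t.
can_exec(telepathy_msn_t, telepathy_msn_tmp_t)

# Build and load (requires the selinux-policy development files):
#   make -f /usr/share/selinux/devel/Makefile local_telepathy_msn.pp
#   semodule -i local_telepathy_msn.pp
```

With the narrow option, any further denial is logged against telepathy_msn_t itself, which is what makes the "let it execute and see what access is needed" approach from the thread workable.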