Bug 995876
| Summary: | cron reports "failed to issue method call: Access denied" from prelink daily job | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paul DeStefano <prd-fedora> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | dominick.grift, dwalsh, jakub, john, mgrepl, mjw, mjw, notting, rocketraman, trailtotale |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.12.1-71.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-08-22 00:54:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Paul DeStefano
2013-08-11 18:20:27 UTC
I see something almost just like this, but I don't think gnucash is to blame (although I do have it installed). Here's what I found in prelink.log:

/usr/sbin/prelink -av -mR
/usr/sbin/prelink: /usr/lib64/gnucash/libgnc-core-utils.so.0: Could not find one of the dependencies
/usr/sbin/prelink: /usr/lib64/thunderbird/plugin-container: Could not find one of the dependencies
Laying out 40 libraries in virtual address space 0000003000000000-0000004000000000

I too have prelink-0.5.0-1.fc19.x86_64.

Hmm, okay, you could be right. I rebooted yesterday and didn't get the error reported by cron, despite the fact that the prelink.log shows the same error line. Sounds like they could be two unrelated errors. And, maybe the prelink error from cron is fixed, now? Are you still getting errors reported from cron?

I got one again this morning. With a little more investigating, I'm now mostly convinced this is a SELinux policy problem. I assume you have SEL enabled too?

$ sudo grep prelink /var/log/audit/audit.log
type=USER_AVC msg=audit(1375478420.341:116): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1376378479.284:474): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Paul, can you change the Component this bug is filed for?
BTW, I have:

$ rpm -qa selinux-policy\*
selinux-policy-targeted-3.12.1-69.fc19.noarch
selinux-policy-3.12.1-69.fc19.noarch
selinux-policy-devel-3.12.1-69.fc19.noarch

Hmm, I do have SELinux enabled. But I don't have any SELinux warnings showing up in the troubleshooter applet. I have that audit message, too:

type=USER_AVC msg=audit(1376129768.248:4962): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

But, it's for telinit, not prelink. I agree, the prelink_cron_system_t bit is suspicious, but even then, I doubt it is related to the error regarding the gnucash library. The times match my e-mails, so these AVC events are clearly caused by the cron job. But, it's not clear that the library error is related to that. The fact that SETroubleshooter isn't reporting the violation makes me think that's a known issue, at least.

How about this... Let's leave this bug for "/usr/sbin/prelink: /usr/lib64/gnucash/libgnc-core-utils.so.0: Could not find one of the dependencies". Do you want to start a new bug for the AVC message we are both getting? We can link the two bugs together.

I think this isn't prelink, but systemd. It is systemd that reports the error message "failed to issue method call: Access denied" not prelink.

But, I filed this bug against gnucash, not prelink. John and I figured that the two messages were unrelated. I think John opened a new bug for the "Access denied" message. John, can you link that bug to this one?

I haven't had a chance to file another bug yet. I *do* think that the messages are related though. My impression is that SELinux policy is affecting systemd's telinit. It looks like the prelink task calls "telinit u" when done, which hardly seems surprising.
Actually, in reading some more, pretty sure it's just a policy bug. Moving to selinux policy.

(In reply to John Florian from comment #7)
> My impression is that SELinux policy is
> affecting systemd's telinit. It looks like the prelink task calls "telinit
> u" when done, which hardly seems surprising.

Indeed it does at the very end of /etc/cron.daily/prelink:

# Restart init if needed
[ -n "$(find `ldd /sbin/init | awk 'NF == 4 { print $3 }'` /sbin/init -ctime -1 2>/dev/null )" ] && /sbin/telinit u

exit 0

Hehehe. Okay okay, I give. I clearly have lost this bug. When I posted this bug, I was reporting the message from prelink about a problem with the gnucash library. That has nothing to do with telinit which occurs, conditionally, at the end of the script.

message "failed to issue method call: Access denied"

is *not* related to

message "/usr/sbin/prelink: /usr/lib64/gnucash/libgnc-core-utils.so.0: Could not find one of the dependencies"

I guess this is my punishment for trying to write a more complete bug title. I should have changed it. I will open a new bug.

Paul, I'm sorry. My intention was never to hijack a bug report. I assure you my actions weren't out of laziness but merely a desire for an efficient resolution to a bug whose only downside I'm aware of was annoying/concerning system generated email alerts.

I do think your gnucash issue is related, I just don't think it's gnucash at fault here. As we've already seen prelink is calling telinit -u when this happens. Reading the man page for telinit's -u option makes me believe that every/any running process *might* look like a victim if there were a SEL policy issue with respect to systemd. I'm guessing you had gnucash running at the time. I know I had thunderbird running. In other words, I think this particular bug is one of those that make us look the wrong way first, but the ultimate correction yields improvements all over the place. I could be entirely wrong though.
If I know how to consistently reproduce this issue, I'd simply do so with SEL disabled temporarily to see the effect.

394fa1cc64c9c47d5c5976664a3d080d907fe194 fixes the prelink problem in git.

selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

John, no worries, the error is mine; I didn't (still don't really) understand the connection. But, I finally recognize what you are getting at. The mesg regarding gnucash libs seems to occur before the 'telinit -u' command, though, right? That was my main reason for assuming it couldn't be related. I'm still not sure under what conditions 'telinit' is issued, but that's not important. I also don't understand what systemd is doing, either; what does it mean to "re-serialize" in this context? But that's probably not for this bug. In any case, you are obviously right. Thanks to all for getting it fixed.

Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
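
Added example, not part of the original report and not Fedora or SELinux project code: a small Python parser run over the two USER_AVC records quoted from audit.log in this bug, which pulls out the source domain, target domain, object class and permission of each denial, plus the requesting command line and the process that logged it. The function names and dictionary keys are illustrative assumptions.

```python
import re
from collections import Counter

# The two USER_AVC records quoted from /var/log/audit/audit.log in this report.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1375478420.341:116): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1376378479.284:474): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=0 uid=0 gid=0 cmdline="/sbin/telinit u" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
QUOTED_RE = re.compile(r'\b(cmdline|exe)="([^"]*)"')


def selinux_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Extract one dict per denied AVC/USER_AVC record; other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        header, avc = HEADER_RE.match(line), AVC_RE.search(line)
        if not (header and avc):
            continue
        quoted = dict(QUOTED_RE.findall(line))
        denials.append({
            "record": header["type"],
            "serial": int(header["serial"]),
            "perms": avc["perms"].split(),
            "source": selinux_type(avc["scontext"]),
            "target": selinux_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "cmdline": quoted.get("cmdline"),  # command line of the requester
            "reporter": quoted.get("exe"),     # process that logged the denial
        })
    return denials


def summarize(denials):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d["source"], d["target"], d["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(n, *key)
```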