Bug 132458 - avc: denied {execute} for pid=1
Summary: avc: denied {execute} for pid=1
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: 3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Blocks: FC3Blocker FC3BugWeekQA
TreeView+ depends on / blocked
Reported: 2004-09-13 17:15 UTC by Leonard den Ottolander
Modified: 2007-11-30 22:10 UTC (History)
0 users

Clone Of:
Last Closed: 2004-10-05 19:58:41 UTC

Attachments (Terms of Use)

Description Leonard den Ottolander 2004-09-13 17:15:38 UTC
FC3t1 updated a few days ago. Booting doesn't get me very far:

avc: denied {execute} for pid=1 path=/lib/tls/i486/libc-2.3.3.so
dev=hda6 ino=137734 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:lib_t tclass=file

And what follows is obviously a kernel panic.

This is a K6-450.

Comment 1 Leonard den Ottolander 2004-09-13 18:09:27 UTC
fixfiles relabel did *not* fix this issue.

Comment 2 Daniel Walsh 2004-09-15 15:34:11 UTC
Try selinux-policy-strict-1.17.16-3

Or just patch
--- nsapolicy/file_contexts/types.fc	2004-09-14 09:18:10.000000000 -0400
+++ policy-1.17.16/file_contexts/types.fc	2004-09-15
11:25:43.459813532 -0400
@@ -298,6 +298,7 @@
 /lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
+/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
 # /sbin

And restorecon on the shared library

Comment 3 Leonard den Ottolander 2004-09-19 16:14:17 UTC
I'd love to try selinux-policy-strict-1.17.16-3, but RawHide is still
at  1.17.16-2. Why is that?

Comment 4 Daniel Walsh 2004-09-20 10:25:41 UTC
Rawhide is frozen until FC3Test2 is released.  Policy is available via
my people page for now.


Comment 5 Leonard den Ottolander 2004-09-20 10:31:18 UTC
Let's hope not too many people start testing the strict policy on
FC3t2 on i586s then ;-) . Or is this issue mentioned in the release notes?

Comment 6 Ben Levenson 2004-10-05 19:58:41 UTC
I don't have an i586 up and running to verify this, but I see the
following in /etc/selinux/strict/src/policy/file_contexts/types.fc 
which should fix the problem:

/lib(64)?/tls/i.86/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t


Note You need to log in before you can comment on or make changes to this bug.