Bug 139860 - ntpd, httpd: /usr/lib/libgssapi_krb5.so.2.2
Summary: ntpd, httpd: /usr/lib/libgssapi_krb5.so.2.2
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2004-11-18 15:07 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-11-23 18:12:24 UTC
Type: ---

Description Ivan Gyurdiev 2004-11-18 15:07:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041114 Firefox/1.0

Description of problem:
audit(1100790519.330:0): avc:  denied  { execute } for  pid=3006
path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221
scontext=root:system_r:ntpd_t tcontext=root:object_r:lib_t tclass=file

audit(1100790523.495:0): avc:  denied  { execute } for  pid=3014
path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221
scontext=root:system_r:httpd_t tcontext=root:object_r:lib_t tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.1-13

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:

Comment 1 Daniel Walsh 2004-11-18 15:21:22 UTC
These have the wrong context on them.  
restorecon /usr/lib/libgssapi_krb5.so.2.2  
Should fix the problem.
The real question is why is this happening?  Did you just do a yum
update on this machine and the context get screwed up?  Any chance
prelink caused this problem?  I.e., check /var/log/prelink.log for any
mention of this file.

Thanks for your help.

Dan
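
Added example, not part of the original report: a small shell/awk filter that turns AVC "execute" denials on files, like the two in the description, into one line per file giving the target type and the domains that were blocked, i.e. the files whose labels should be checked with restorecon. The function name relabel_candidates and the single-line sample records are constructed for illustration; paths containing spaces are not handled.

```shell
#!/bin/sh
# Constructed sample input: the two denials from the description, one per line.
SAMPLE_AVC='audit(1100790519.330:0): avc:  denied  { execute } for  pid=3006 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:ntpd_t tcontext=root:object_r:lib_t tclass=file
audit(1100790523.495:0): avc:  denied  { execute } for  pid=3014 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:httpd_t tcontext=root:object_r:lib_t tclass=file'

# relabel_candidates (hypothetical helper): read AVC lines on stdin and print
#   <path> <target type> <comma-separated denied domains>
# Only "execute" denials with tclass=file are considered.
relabel_candidates() {
    awk '
    /avc:/ && /denied/ && /[{][^}]* execute [^}]*[}]/ && /tclass=file( |$)/ {
        path = ""; src = ""; tgt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^path=/)     path = substr($i, 6)
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
        }
        if (path == "") next
        key = path " " tgt
        # Remember first-seen order so the report is stable.
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        # Record each denied domain once per file.
        if (index("," doms[key] ",", "," src ",") == 0)
            doms[key] = (doms[key] == "" ? src : doms[key] "," src)
    }
    END { for (i = 1; i <= n; i++) print order[i], doms[order[i]] }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | relabel_candidates
```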

Comment 2 Ivan Gyurdiev 2004-11-18 16:19:21 UTC
Yes, restorecon /usr/lib/* and /lib/* fixed the problem.
Affected libraries were all over the place,
and they seemed to come from krb5-libs, compat-db
and things I upgraded today via yum.

Also, in the middle of the upgrade I started
getting lots of selinux policy warnings. They went
away after I rebooted. 

The upgrade included libselinux and libselinux-devel.
I also might have upgraded selinux-policy-targeted 
today, not sure in what order I did all of this.
Yum is broken so I upgraded packages manually. 

As far as prelink is concerned you'll have to be more specific - 
there's lots of things in that file, including the libgssapi.


Comment 3 Daniel Walsh 2004-11-18 16:48:35 UTC
Basically on prelink, I want to know if it is reporting any errors on
matchpathcon, selinux, or file context, that might be causing the
problem.  

So you believe the problem might be yum/RPM?

Dan

Comment 4 Ivan Gyurdiev 2004-11-18 18:13:22 UTC
There are no permission related or selinux errors in
the prelink file at all. The problem is most likely 
related to RPM somehow.

Disregard yum above - I didn't use yum anywhere because it's 
currently broken - don't know why I wrote that.

Comment 5 Ivan Gyurdiev 2004-11-20 15:55:23 UTC
More problems - upgraded libselinux and selinux-policy-targeted
again, and now I get this:

[root@cobra ~]# ldconfig
ldconfig: Input file /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3 not found.

ldconfig: Input file /usr/lib/qt-3.3/lib/libqui.so.1.0.0 not found.

ldconfig: Input file /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 not found.

ldconfig: Input file /usr/lib/tls/libnvidia-tls.so.1.0.6629 not found.

[root@cobra ~]#

because the context of those libs is
 root:object_r:lib_t 

Restorecon fixes the problem.





Comment 6 Ivan Gyurdiev 2004-11-22 01:52:46 UTC
See, this is what I'm talking about - what causes those warnings:

[root@cobra tmp]# rpm -Uvh sel*
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
[root@cobra tmp]# rm -f sel*
[root@cobra tmp]# rpm -Uvh apmd*
/etc/selinux/targeted/contexts/files/file_contexts:  invalid context
system_u:object_r:xconsole_device_t on line number 161
Preparing...                ########################################### [100%]
   1:apmd                   ########################################### [100%]



Comment 7 Daniel Walsh 2004-11-22 16:40:36 UTC
This looks like the file_contexts file got replaced without  a policy
load.

Dan

Comment 8 Daniel Walsh 2004-11-22 19:26:30 UTC
The only way I can see this happening is the SELINUXTYPE in the config
file does not match the type in the policy rpm, so the file_contexts
gets updated in the post install of the source RPM but the policy does
not get loaded, since this only happens when the SELINUXTYPE and the
type of the rpm match.

Dan

Comment 9 Ivan Gyurdiev 2004-11-22 21:24:16 UTC
That is not the case. 
SELINUXTYPE is targeted, and so is the policy I am installing. 

cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcinfg - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


Comment 10 Ivan Gyurdiev 2004-11-22 21:27:40 UTC
However as far as I can see selinuxenabled is located in sbin,
not in bin.

Comment 11 Daniel Walsh 2004-11-22 21:40:03 UTC
Yup that's the problem, nice catch.  
Fixed in selinux-policy-*-1.19.4-3
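
Added example, not the actual package scriptlet (which is not shown in this report): a sandboxed shell sketch of the failure mode identified in comments 7 to 11, where a post-install step that calls selinuxenabled at the wrong path silently skips the policy load even though file_contexts was already replaced. The function names, the fake root and the "loaded"/"skipped" strings are constructed for illustration; no real policy is touched.

```shell
#!/bin/sh
# Constructed sandbox: a fake root where selinuxenabled exists only in sbin,
# matching what comment 10 observed.
make_sandbox() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/sbin" "$r/usr/bin"
    printf '#!/bin/sh\nexit 0\n' > "$r/usr/sbin/selinuxenabled"
    chmod +x "$r/usr/sbin/selinuxenabled"
    echo "$r"
}

# Fragile pattern (hypothetical scriptlet): hard-coded bin path. A missing
# helper looks exactly like "SELinux is disabled", so the load is skipped
# without any error while the new file_contexts stays in place.
post_fragile() {
    if "$1/usr/bin/selinuxenabled" 2>/dev/null; then
        echo loaded      # stands in for the policy load step
    else
        echo skipped
    fi
}

# Checked pattern: resolve the helper first and report "helper not found"
# as its own condition (exit status 2) instead of treating it as "disabled".
post_checked() {
    helper=$(PATH="$1/usr/sbin:$1/usr/bin"; command -v selinuxenabled) || {
        echo "error: selinuxenabled not found, policy not loaded" >&2
        return 2
    }
    if "$helper"; then echo loaded; else echo skipped; fi
}

# Demo run in the sandbox.
sandbox=$(make_sandbox)
echo "fragile: $(post_fragile "$sandbox")"
echo "checked: $(post_checked "$sandbox")"
rm -rf "$sandbox"
```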

