Bug 139860 - ntpd, httpd: /usr/lib/libgssapi_krb5.so.2.2
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-11-18 10:07 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-11-23 13:12:24 EST

Description Ivan Gyurdiev 2004-11-18 10:07:50 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041114 Firefox/1.0

Description of problem:
audit(1100790519.330:0): avc:  denied  { execute } for  pid=3006 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:ntpd_t tcontext=root:object_r:lib_t tclass=file

audit(1100790523.495:0): avc:  denied  { execute } for  pid=3014 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:httpd_t tcontext=root:object_r:lib_t tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.1-13

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:
Comment 1 Daniel Walsh 2004-11-18 10:21:22 EST
These have the wrong context on them.  
restorecon /usr/lib/libgssapi_krb5.so.2.2  
Should fix the problem.
The real question is why is this happening?  Did you just do a yum
update on this machine and the context get screwed up?  Any chance
prelink caused this problem?  I.e., check /var/log/prelink.log for any
mention of this file.

Thanks for your help.

Dan
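
Added example (not from the bug report or the policy package): pulling out of AVC denials like the ones in the description every file that was denied `execute` while labeled `lib_t`, together with the domains affected, so each path can be checked and relabeled with `restorecon` as Comment 1 suggests. The function names and the embedded sample lines are constructed for illustration; paths containing spaces are not handled.

```sh
#!/bin/sh
# Constructed sample: the two denials from this report, one per line.
sample_avc() {
cat <<'EOF'
audit(1100790519.330:0): avc:  denied  { execute } for  pid=3006 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:ntpd_t tcontext=root:object_r:lib_t tclass=file
audit(1100790523.495:0): avc:  denied  { execute } for  pid=3014 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:httpd_t tcontext=root:object_r:lib_t tclass=file
EOF
}

# avc_mislabel_candidates TYPE
# Reads audit lines on stdin and prints "path<TAB>domain[,domain...]" for each
# file that was denied "execute" while labeled with TYPE.
avc_mislabel_candidates() {
    awk -v want="$1" '
    /avc:/ && /denied/ {
        perms = ""; path = ""; sctx = ""; tctx = ""; tclass = ""
        # The permission list sits between the braces.
        b = index($0, "{"); e = index($0, "}")
        if (b && e > b) perms = substr($0, b + 1, e - b - 1)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^path=/)     path   = substr($i, 6)
            if ($i ~ /^scontext=/) sctx   = substr($i, 10)
            if ($i ~ /^tcontext=/) tctx   = substr($i, 10)
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        if (tclass != "file" || path == "") next
        if ((" " perms " ") !~ / execute /) next
        # A context is user:role:type; the third field is the type.
        split(sctx, s, ":"); split(tctx, t, ":")
        if (t[3] != want) next
        if (!(path in doms)) {
            order[++n] = path; doms[path] = s[3]
        } else if (index("," doms[path] ",", "," s[3] ",") == 0) {
            doms[path] = doms[path] "," s[3]
        }
    }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], doms[order[i]] }'
}

# Each printed path is a candidate for matchpathcon (expected label) and
# restorecon (relabel) on the affected host.
sample_avc | avc_mislabel_candidates lib_t
```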
Comment 2 Ivan Gyurdiev 2004-11-18 11:19:21 EST
Yes, restorecon /usr/lib/* and /lib/* fixed the problem.
Affected libraries were all over the place,
and they seemed to come from krb5-libs, compat-db
and things I upgraded today via yum.

Also, in the middle of the upgrade I started
getting lots of selinux policy warnings. They went
away after I rebooted. 

The upgrade included libselinux and libselinux-devel.
I also might have upgraded selinux-policy-targeted 
today, not sure in what order I did all of this.
Yum is broken so I upgraded packages manually. 

As far as prelink is concerned you'll have to be more specific - 
there's lots of things in that file, including the libgssapi.
Comment 3 Daniel Walsh 2004-11-18 11:48:35 EST
Basically on prelink, I want to know if it is reporting any errors on
matchpathcon, selinux, or file context, that might be causing the
problem.

So you believe the problem might be yum/RPM?

Dan
Comment 4 Ivan Gyurdiev 2004-11-18 13:13:22 EST
There are no permission related or selinux errors in
the prelink file at all. The problem is most likely 
related to RPM somehow.

Disregard yum above - I didn't use yum anywhere because it's 
currently broken - don't know why I wrote that.
Comment 5 Ivan Gyurdiev 2004-11-20 10:55:23 EST
More problems - upgraded libselinux and selinux-policy-targeted
again, and now I get this:

[root@cobra ~]# ldconfig
ldconfig: Input file /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3 not found.

ldconfig: Input file /usr/lib/qt-3.3/lib/libqui.so.1.0.0 not found.

ldconfig: Input file /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 not found.

ldconfig: Input file /usr/lib/tls/libnvidia-tls.so.1.0.6629 not found.

[root@cobra ~]#

because the context of those libs is
 root:object_r:lib_t 

Restorecon fixes the problem.



Comment 6 Ivan Gyurdiev 2004-11-21 20:52:46 EST
See, this is what I'm talking about - what causes those warnings:

[root@cobra tmp]# rpm -Uvh sel*
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
[root@cobra tmp]# rm -f sel*
[root@cobra tmp]# rpm -Uvh apmd*
/etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:xconsole_device_t on line number 161
Preparing...                ########################################### [100%]
   1:apmd                   ########################################### [100%]

Comment 7 Daniel Walsh 2004-11-22 11:40:36 EST
This looks like the file_contexts file got replaced without a policy
load.

Dan
Comment 8 Daniel Walsh 2004-11-22 14:26:30 EST
The only way I can see this happening is the SELINUXTYPE in the config
file does not match the type in the policy rpm, so the file_contexts
gets updated in the post install of the source RPM but the policy does
not get loaded, since this only happens when the SELINUXTYPE and the
type of the rpm match.

Dan
Comment 9 Ivan Gyurdiev 2004-11-22 16:24:16 EST
That is not the case. 
SELINUXTYPE is targeted, and so is the policy I am installing. 

cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcinfg - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
Comment 10 Ivan Gyurdiev 2004-11-22 16:27:40 EST
However as far as I can see selinuxenabled is located in sbin,
not in bin.
Comment 11 Daniel Walsh 2004-11-22 16:40:03 EST
Yup that's the problem, nice catch.  
Fixed in selinux-policy-*-1.19.4-3
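
Added example (a hypothetical guard, not the actual scriptlet from the policy RPM): how a post-install check that looks for `selinuxenabled` in the wrong directory ends up silently skipping the policy load, next to a guard that searches the likely directories and reports a missing tool as an error. The function names, the directory list and the scratch root are assumptions made for the demonstration.

```sh
#!/bin/sh
# ROOT is a scratch directory standing in for "/", so the host is not touched.

# fragile_guard ROOT
# Hard-codes usr/bin/selinuxenabled. "Tool not there" and "SELinux disabled"
# both land in the same silent branch, so the policy load is skipped.
fragile_guard() {
    if "$1/usr/bin/selinuxenabled" 2>/dev/null; then
        echo load
    else
        echo skip
    fi
}

# robust_guard ROOT
# Searches the directories the tool may live in and reports a missing tool
# as an error (exit status 2) instead of treating it as "disabled".
robust_guard() {
    for dir in usr/sbin sbin usr/bin bin; do
        tool="$1/$dir/selinuxenabled"
        [ -x "$tool" ] || continue
        if "$tool"; then echo load; else echo skip; fi
        return 0
    done
    echo "selinuxenabled not found under $1" >&2
    return 2
}

# demo_guards: build a scratch root where the tool exists only in usr/sbin
# and reports "enabled" (exit 0), then run both guards against it.
demo_guards() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/sbin" "$root/usr/bin"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/sbin/selinuxenabled"
    chmod +x "$root/usr/sbin/selinuxenabled"
    echo "fragile=$(fragile_guard "$root") robust=$(robust_guard "$root")"
    rm -rf "$root"
}

demo_guards
```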
