From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041114 Firefox/1.0

Description of problem:
audit(1100790519.330:0): avc: denied { execute } for pid=3006 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:ntpd_t tcontext=root:object_r:lib_t tclass=file
audit(1100790523.495:0): avc: denied { execute } for pid=3014 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:httpd_t tcontext=root:object_r:lib_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.1-13

How reproducible:
Always

Steps to Reproduce:
1. See summary

Additional info:
These have the wrong context on them. restorecon /usr/lib/libgssapi_krb5.so.2.2 should fix the problem. The real question is why this is happening. Did you just do a yum update on this machine and the context got screwed up? Any chance prelink caused this problem? I.e. check /var/log/prelink.log for any mention of this file. Thanks for your help. Dan
Yes, restorecon /usr/lib/* and /lib/* fixed the problem. Affected libraries were all over the place, and they seemed to come from krb5-libs, compat-db and things I upgraded today via yum. Also, in the middle of the upgrade I started getting lots of selinux policy warnings. They went away after I rebooted. The upgrade included libselinux and libselinux-devel. I also might have upgraded selinux-policy-targeted today; not sure in what order I did all of this. Yum is broken, so I upgraded packages manually. As far as prelink is concerned, you'll have to be more specific: there are lots of things in that file, including the libgssapi.
Basically, on prelink, I want to know if it is reporting any errors on matchpathcon, selinux, or file context that might be causing the problem. So you believe the problem might be yum/RPM? Dan
There are no permission-related or selinux errors in the prelink file at all. The problem is most likely related to RPM somehow. Disregard yum above; I didn't use yum anywhere because it's currently broken. Don't know why I wrote that.
More problems: upgraded libselinux and selinux-policy-targeted again, and now I get this:

[root@cobra ~]# ldconfig
ldconfig: Input file /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3 not found.
ldconfig: Input file /usr/lib/qt-3.3/lib/libqui.so.1.0.0 not found.
ldconfig: Input file /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 not found.
ldconfig: Input file /usr/lib/tls/libnvidia-tls.so.1.0.6629 not found.
[root@cobra ~]#

because the context of those libs is root:object_r:lib_t. Restorecon fixes the problem.
See, this is what I'm talking about. What causes those warnings?

[root@cobra tmp]# rpm -Uvh sel*
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
[root@cobra tmp]# rm -f sel*
[root@cobra tmp]# rpm -Uvh apmd*
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:xconsole_device_t on line number 161
Preparing...                ########################################### [100%]
   1:apmd                   ########################################### [100%]
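Added here as an illustration, not code from the bug report or from the selinux-policy package: a small Python checker that does offline what restorecon and matchpathcon do on the real system. It parses AVC denial lines like the two in the description, looks each path up in a file_contexts fragment (the regex is anchored at both ends and the last matching entry wins, as libselinux does), reports files whose on-disk type differs from what file_contexts specifies (lib_t versus shlib_t for the shared libraries above), emits the restorecon commands, and separately flags file_contexts entries whose type the loaded policy does not define, which is the condition behind the "invalid context ... on line number N" warning printed during the apmd install. The log lines, the file_contexts fragment, the shlib_t shared-library type and the set of loaded policy types are all constructed for the example; the real file_contexts has hundreds of entries.

```python
import re

# Constructed sample input: the two denials quoted in the bug description,
# each rejoined onto one line, plus a made-up denial without a path= field
# (a record the checker must skip) and a non-AVC line from the ldconfig run.
SAMPLE_LOG = """\
audit(1100790519.330:0): avc: denied { execute } for pid=3006 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:ntpd_t tcontext=root:object_r:lib_t tclass=file
audit(1100790523.495:0): avc: denied { execute } for pid=3014 path=/usr/lib/libgssapi_krb5.so.2.2 dev=dm-0 ino=1030221 scontext=root:system_r:httpd_t tcontext=root:object_r:lib_t tclass=file
audit(1100790530.000:0): avc: denied { read } for pid=3020 name=shadow dev=dm-0 ino=12 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
ldconfig: Input file /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3 not found.
"""

# Constructed file_contexts fragment (assumption: a few entries in the format
# of /etc/selinux/targeted/contexts/files/file_contexts, with shlib_t assumed
# as the shared-library type). Format: regex [file-type] context.
FILE_CONTEXTS = r"""
/.*                                     system_u:object_r:default_t
/usr/lib(64)?(/.*)?                     system_u:object_r:lib_t
/usr/lib(64)?/.*\.so(\.[^/]*)*          system_u:object_r:shlib_t
/usr/X11R6/lib(64)?/.*\.so(\.[^/]*)*    system_u:object_r:shlib_t
/dev/xconsole                       -p  system_u:object_r:xconsole_device_t
""".strip("\n")

# Constructed set of types defined by the *loaded* policy, deliberately older
# than the file_contexts above so that one entry names an undefined type.
LOADED_POLICY_TYPES = {"default_t", "lib_t", "shlib_t", "shadow_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FC_ENTRY_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")


def parse_avc(line):
    """Return a dict of the key=value fields of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def parse_file_contexts(text):
    """Return [(line_no, compiled_regex, file_type, context)] for each spec line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_ENTRY_RE.match(line)
        if m is None:
            raise ValueError("file_contexts line %d: cannot parse %r" % (n, raw))
        regex, ftype, context = m.groups()
        # file_contexts regexes are implicitly anchored at both ends.
        entries.append((n, re.compile("^(?:%s)$" % regex), ftype, context))
    return entries


def expected_context(entries, path):
    """Context file_contexts assigns to path: the last matching entry wins."""
    found = None
    for _, rx, _, context in entries:
        if rx.match(path):
            found = context
    return found


def type_of(context):
    return context.split(":")[2]


def find_mislabels(log_text, entries):
    """(path, on-disk type, expected type) for file denials whose tcontext disagrees with file_contexts."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file" or "path" not in rec:
            continue
        want = expected_context(entries, rec["path"])
        actual = type_of(rec["tcontext"])
        if want is not None and type_of(want) != actual:
            seen[rec["path"]] = (rec["path"], actual, type_of(want))
    return sorted(seen.values())


def restorecon_commands(mislabels):
    return ["restorecon %s" % path for path, _, _ in mislabels]


def invalid_contexts(entries, policy_types):
    """file_contexts entries whose type the loaded policy does not define."""
    return [(n, ctx) for n, _, _, ctx in entries if type_of(ctx) not in policy_types]


if __name__ == "__main__":
    fc = parse_file_contexts(FILE_CONTEXTS)
    bad = find_mislabels(SAMPLE_LOG, fc)
    for path, actual, want in bad:
        print("%s: labelled %s, file_contexts says %s" % (path, actual, want))
    for cmd in restorecon_commands(bad):
        print(cmd)
    for n, ctx in invalid_contexts(fc, LOADED_POLICY_TYPES):
        print("file_contexts line %d: invalid context %s" % (n, ctx))
```

On a live system the equivalent dry run is restorecon -nv over the affected trees (it lists what it would relabel without touching anything); the point of the offline version is to see both failure modes side by side: a file whose label lags behind file_contexts, and a file_contexts entry that is ahead of the policy actually loaded in the kernel.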
This looks like the file_contexts file got replaced without a policy load. Dan
The only way I can see this happening is if the SELINUXTYPE in the config file does not match the type in the policy rpm, so the file_contexts gets updated in the post install of the source RPM but the policy does not get loaded, since this only happens when the SELINUXTYPE and the type of the rpm match. Dan
That is not the case. SELINUXTYPE is targeted, and so is the policy I am installing.

cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
However, as far as I can see, selinuxenabled is located in sbin, not in bin.
Yup, that's the problem; nice catch. Fixed in selinux-policy-*-1.19.4-3.