Bug 139860 - ntpd, httpd: /usr/lib/libgssapi_krb5.so.2.2
Summary: ntpd, httpd: /usr/lib/libgssapi_krb5.so.2.2
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-11-18 15:07 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-23 18:12:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Ivan Gyurdiev 2004-11-18 15:07:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041114 Firefox/1.0

Description of problem:
audit(1100790519.330:0): avc:  denied  { execute } for  pid=3006
path=/usr/lib/l ibgssapi_krb5.so.2.2 dev=dm-0 ino=1030221
scontext=root:system_r:ntpd_t tcontext =root:object_r:lib_t tclass=file

audit(1100790523.495:0): avc:  denied  { execute } for  pid=3014
path=/usr/lib/l ibgssapi_krb5.so.2.2 dev=dm-0 ino=1030221
scontext=root:system_r:httpd_t tcontex t=root:object_r:lib_t tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.1-13

How reproducible:
Always

Steps to Reproduce:
1. See summary
    

Additional info:

Comment 1 Daniel Walsh 2004-11-18 15:21:22 UTC
These have the wrong context on them.  
restorecon /usr/lib/libgssapi_krb5.so.2.2  
Should fix the problem.
The real question is why is this happening?  Did you just do a yum
update on this machine and the context get screwed up?  Any chance
prelink caused this problem.  IE check /var/log/prelink.log for any
mention of this file.

Thanks for your help.

Dan

Comment 2 Ivan Gyurdiev 2004-11-18 16:19:21 UTC
Yes, restorecon /usr/lib/* and /lib/* fixed the problem.
Affected libraries were all over the place,
and they seemed to come from krb5-libs, compat-db
and things I upgraded today via yum.

Also, in the middle of the upgrade I started
getting lots of selinux policy warnings. They went
away after I rebooted. 

The upgrade included libselinux and libselinux-devel.
I also might have upgraded selinux-policy-targeted 
today, not sure in what order I did all of this.
Yum is broken so I upgraded packages manually. 

As far as prelink is concerned you'll have to be more specific - 
there's lots of things in that file, including the libgssapi.


Comment 3 Daniel Walsh 2004-11-18 16:48:35 UTC
Basically on prelink, I want to know if it is reporting any errors on
matchpatchcon, selinux, or file context, that might be causing the
problem.  

So you believe the problem might be yum/RPM?

Dan

Comment 4 Ivan Gyurdiev 2004-11-18 18:13:22 UTC
There are no permission related or selinux errors in
the prelink file at all. The problem is most likely 
related to RPM somehow.

Disregard yum above - I didn't use yum anywhere because it's 
currently broken - don't know why I wrote that.

Comment 5 Ivan Gyurdiev 2004-11-20 15:55:23 UTC
More problems - upgraded libselinux and selinux-policy-targeted
again, and now I get this:

[root@cobra ~]# ldconfig
ldconfig: Input file /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3 not found.

ldconfig: Input file /usr/lib/qt-3.3/lib/libqui.so.1.0.0 not found.

ldconfig: Input file /usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 not found.

ldconfig: Input file /usr/lib/tls/libnvidia-tls.so.1.0.6629 not found.

[root@cobra ~]#

because the context of those libs is
 root:object_r:lib_t 

Restorecon fixes the problem.





Comment 6 Ivan Gyurdiev 2004-11-22 01:52:46 UTC
See, this is what I'm talking about - what causes those warnings:

[root@cobra tmp]# rpm -Uvh sel*
Preparing...               
########################################### [100%]
  
1:selinux-policy-targeted###########################################
[100%]
[root@cobra tmp]# rm -f sel*
[root@cobra tmp]# rpm -Uvh apmd*
/etc/selinux/targeted/contexts/files/file_contexts:  invalid context
system_u:object_r:xconsole_device_t on line number 161
Preparing...               
########################################### [100%]
   1:apmd                  
########################################### [100%]



Comment 7 Daniel Walsh 2004-11-22 16:40:36 UTC
This looks like the file_contexts file got replaced without  a policy
load.

Dan

Comment 8 Daniel Walsh 2004-11-22 19:26:30 UTC
The only way I can see this happening is the SELINUXTYPE in the config
file does not match the type in the policy rpm, so the file_contexts
gets updated in the post install of the source RPM but the policy does
not get loaded, since this only happens when the SELINUXTYPE and the
type of the rpm match.

Dan

Comment 9 Ivan Gyurdiev 2004-11-22 21:24:16 UTC
That is not the case. 
SELINUXTYPE is targeted, and so is the policy I am installing. 

cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcinfg - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


Comment 10 Ivan Gyurdiev 2004-11-22 21:27:40 UTC
However as far as I can see selinuxenabled is located in sbin,
not in bin.

Comment 11 Daniel Walsh 2004-11-22 21:40:03 UTC
Yup that's the problem, nice catch.  
Fixed in selinux-policy-*-1.19.4-3


Note You need to log in before you can comment on or make changes to this bug.