143783 – FC3 " avc: denied" issue with selinux

Bug 143783 - FC3 " avc: denied" issue with selinux

Summary: FC3 " avc: denied" issue with selinux

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	3
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-12-27 19:43 UTC by Erwin J. Prinz
Modified:	2007-11-30 22:10 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-02-09 16:01:57 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Erwin J. Prinz 2004-12-27 19:43:56 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20041020

Description of problem:
I have a fully upgraded (as of today) FC3 system on which I always
could install the NVIDIA drivers. But, to get a successful install
after the last upgrade (today) (which included
selinux-policy-targeted.noarch 1.17.30-2.58) I now have to "setenforce
0" before installing the NVIDIA drivers. Otherwise, the install fails
due to several access denied issues, e.g.:

Dec 25 18:51:34 tiger kernel: audit(1104022294.445:0): avc:  denied  {
write } for  pid=3956 exe=/sbin/ldconfig
path=/var/log/nvidia-installer.log dev=hda6 ino=517383
scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:var_log_t
tclass=file
Dec 25 18:51:34 tiger kernel: audit(1104022294.801:0): avc:  denied  {
read } for  pid=3956 exe=/sbin/ldconfig name=libXvMCNVIDIA.so.1.0.6629
dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t
tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:35 tiger kernel: audit(1104022295.012:0): avc:  denied  {
getattr } for  pid=3956 exe=/sbin/ldconfig
path=/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830
scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:38 tiger kernel: audit(1104022298.997:0): avc:  denied  {
getattr } for  pid=3956 exe=/sbin/ldconfig
path=/usr/lib/libGL.so.1.0.6629 dev=hda4 ino=521611
scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t
tclass=file/avc

The initial context of root is "root:system_r:unconfined_t" and I
can't change to "root:sysadm_r:sysadm_t". I did a "fixfiles relabel"
and reboot without changing the outcome.

I don't think the issue is with the NVIDIA drivers as they worked on
FC3 before, and as "setenforce 0" "fixes" the issue.

I would appreciate pointers to what could be wrong.

This bug could be related to #143633.

Best regards, Erwin 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.58

How reproducible:
Always

Steps to Reproduce:
1. Fully upgrade FC3 as of 12/26/04.
2. Set "setenforce 1"
3. Try to install NVIDIA drivers.
4. Obtain error messages in /var/log/messages, see above.
5. Set "setenforce 0"
6. Try to install NVIDIA drivers again.
7. Success!
    

Actual Results:  I concluded that the selinux policy prevents the
install to go through. Specifically, some libraries can't be found
when needed after the install with "setenforce 1".

Expected Results:  Install of packages should not require selinux
commands to be issued. If the rpm or install script does not customize
the selinux permissions, a sensible default should be given by the
selinux system.

Additional info:

I don't think the issue is specific to the NVIDIA driver install. This
issue occurred only recently (after the last update). With earlier
updates, I could always install the NVIDIA drivers. Note that the
selinx FAQ is also no longer applicable to the
selinux-policy-targeted, as the "id -Z" for root does not give the
results shown in the FAQ.

Comment 1 Daniel Walsh 2005-01-03 20:55:20 UTC

For now we don't have a good solution for this, other then to relabel
the file system.

Basically to get it to work with SELinux you can
setenforce 0
install NVIDIA
touch /.autorelabel
reboot

Comment 2 Sitsofe Wheeler 2005-01-04 23:28:01 UTC

Daniel,
Will using setenforce Permissive still allow the installed files to labelled
correctly without the autorelabel/reboot?

Comment 3 Daniel Walsh 2005-01-05 13:13:38 UTC

No.  You need a to use a SELinux aware application in order to label the files
correctly.  (restorecon, rpm, setfiles ...)  What we can do is allow ldconfig to
read the mislabeled files (lib_t instead of shlib_t) and this will allow all not
protected processes to work correctly.  (All of userspace).

Comment 4 Stephen Haffly 2005-01-06 03:32:42 UTC

I can confirm that the same bug happens to me.

Linux topaz 2.6.9-1.724_FC3 #1 Sun Jan 2 15:43:49 EST 2005 i686 athlon
i386 GNU/Linux

NVIDIA GeForce2

I've gotten around this by using the System Settings/Security Level
tool to disable SELinux and then rebooting, installing the NVIDIA
driver and then issuing startx, reenabling SELinux, then rebooting.

Regards,

Stephen

Comment 5 Daniel Walsh 2005-01-06 14:52:21 UTC

You should never disable/renable SELinux.  As soon as you disable
SELinux and boot, files will be written without proper File Context
and you will need to relabel in order for the SELinux system to
function properly.  You can run SELinux in non enforcing mode if you
want to install a piece of software that the SELinux system will not
allow you to install.  

setenforce 0
INSTALL NVIDIA
setenforce 1

Should work fine on a targeted SELinux system.

Note You need to log in before you can comment on or make changes to this bug.