Bug 1472078 - SELinux is preventing fpart from 'execute' accesses on the file /etc/ld.so.cache.
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy
26
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:f3eafa4686aec909ba785ac81f6...
:
Depends On:
Blocks:
Reported: 2017-07-18 00:08 EDT by Stewart Smith
Modified: 2017-07-18 00:08 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Stewart Smith 2017-07-18 00:08:28 EDT
Description of problem:
Running a custom-built binary that isn't linked against anything out of the ordinary:

$ ldd ./x86/fpart 
	linux-vdso.so.1 (0x00007ffe5e18e000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9e143d0000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f9e141cc000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f9e13fc4000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f9e13bf3000)
	/lib64/ld-linux-x86-64.so.2 (0x000055f6010fe000)


and the strace output isn't special either (note that the only failing call is the PROT_READ mmap of /etc/ld.so.cache, which returns EACCES, while the AVC below reports an 'execute' denial on that same file):
$ strace ./x86/fpart 
execve("./x86/fpart", ["./x86/fpart"], 0x7fffa7496260 /* 55 vars */) = 0
brk(NULL)                               = 0x1873000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f13c48f5000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=149103, ...}) = 0
mmap(NULL, 149103, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
close(3)                                = 0
open("/lib64/tls/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib64/tls/x86_64", 0x7fff0b696ca0) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib64/tls", {st_mode=S_IFDIR|0555, st_size=6, ...}) = 0
open("/lib64/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib64/x86_64", 0x7fff0b696ca0)   = -1 ENOENT (No such file or directory)
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340^\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=153896, ...}) = 0
mmap(NULL, 2220552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f13c44b2000
mprotect(0x7f13c44cb000, 2097152, PROT_NONE) = 0
mmap(0x7f13c46cb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19000) = 0x7f13c46cb000
mmap(0x7f13c46cd000, 12808, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f13c46cd000
close(3)                                = 0
open("/lib64/tls/libdl.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=19496, ...}) = 0
mmap(NULL, 2109584, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f13c42ae000
mprotect(0x7f13c42b1000, 2093056, PROT_NONE) = 0
mmap(0x7f13c44b0000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f13c44b0000
close(3)                                = 0
open("/lib64/tls/librt.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\37\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=43648, ...}) = 0
mmap(NULL, 2128384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f13c40a6000
mprotect(0x7f13c40ad000, 2093056, PROT_NONE) = 0
mmap(0x7f13c42ac000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f13c42ac000
close(3)                                = 0
open("/lib64/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\5\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2163104, ...}) = 0
mmap(NULL, 4000096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f13c3cd5000
mprotect(0x7f13c3e9c000, 2097152, PROT_NONE) = 0
mmap(0x7f13c409c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c7000) = 0x7f13c409c000
mmap(0x7f13c40a2000, 14688, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f13c40a2000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f13c48f3000
arch_prctl(ARCH_SET_FS, 0x7f13c48f3fc0) = 0
mprotect(0x7f13c409c000, 16384, PROT_READ) = 0
mprotect(0x7f13c46cb000, 4096, PROT_READ) = 0
mprotect(0x7f13c42ac000, 4096, PROT_READ) = 0
mprotect(0x7f13c44b0000, 4096, PROT_READ) = 0
mprotect(0x615000, 4096, PROT_READ)     = 0
mprotect(0x7f13c48f7000, 4096, PROT_READ) = 0
set_tid_address(0x7f13c48f4290)         = 21636
set_robust_list(0x7f13c48f42a0, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f13c44b7960, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f13c44c42c0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f13c44b7a00, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f13c44c42c0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
futex(0x616320, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "fpart - FFS Partition Tool v1.0."..., 65fpart - FFS Partition Tool v1.0.0 -- Authors: <shaun@us.ibm.com>
) = 65
write(2, "\nUsage:\n", 8
Usage:
)               = 8
write(2, "  fpart <command> <options>...\n", 31  fpart <command> <options>...
) = 31
write(2, "\nExamples:\n", 11
Examples:
)           = 11
write(2, "  fpart -C -t nor -s 64MiB -b 64"..., 55  fpart -C -t nor -s 64MiB -b 64k -p 0x3f0000,0x7f0000
) = 55
write(2, "  fpart -A -t nor -p 0x3f0000,0x"..., 69  fpart -A -t nor -p 0x3f0000,0x7f0000 -s 1Mb -o 0M -g 0 -n boot0 -l
) = 69
write(2, "  fpart --add --target nor --siz"..., 81  fpart --add --target nor --size 1mb --offset 1MiB --flags 0x0 --name boot0/ipl
) = 81
write(2, "  fpart --delete --target nor no"..., 51  fpart --delete --target nor nor --name boot0/ipl
) = 51
write(2, "  fpart --target nor --write ipl"..., 54  fpart --target nor --write ipl.bin --name boot1/ipl
) = 54
write(2, "  fpart --user 0 -t nor -n boot0"..., 56  fpart --user 0 -t nor -n boot0/ipl --value 0xFF500FF5
) = 56
write(2, "  fpart --copy new_nor -t nor -n"..., 37  fpart --copy new_nor -t nor -n ipl
) = 37
write(2, "  fpart --compare new_nor -t nor"..., 42  fpart --compare new_nor -t nor -n bank0
) = 42
write(2, "\nCommands:\n", 11
Commands:
)           = 11
write(2, "  -C, --create         [options]"..., 33  -C, --create         [options]
) = 33
write(2, "  -A, --add            [options]"..., 33  -A, --add            [options]
) = 33
write(2, "  -D, --delete         [options]"..., 33  -D, --delete         [options]
) = 33
write(2, "  -E, --erase          [options]"..., 33  -E, --erase          [options]
) = 33
write(2, "  -L, --list           [options]"..., 33  -L, --list           [options]
) = 33
write(2, "  -T, --trunc          [options]"..., 33  -T, --trunc          [options]
) = 33
write(2, "  -U, --user    <num>  [options]"..., 33  -U, --user    <num>  [options]
) = 33
write(2, "\nOptions:\n", 10
Options:
)            = 10
write(2, "  -p, --partition-offset <offset"..., 43  -p, --partition-offset <offset[,offset]>
) = 43
write(2, "  -t, --target           <target"..., 34  -t, --target           <target>
) = 34
write(2, "  -n, --name             <name>\n", 32  -n, --name             <name>
) = 32
write(2, "  -o, --offset           <offset"..., 34  -o, --offset           <offset>
) = 34
write(2, "  -s, --size             <size>\n", 32  -s, --size             <size>
) = 32
write(2, "  -b, --block-size       <size>\n", 32  -b, --block-size       <size>
) = 32
write(2, "  -u, --value            <value>"..., 33  -u, --value            <value>
) = 33
write(2, "  -g, --flags            <value>"..., 33  -g, --flags            <value>
) = 33
write(2, "  -a, --pad              <value>"..., 33  -a, --pad              <value>
) = 33
write(2, "\nFlags:\n", 8
Flags:
)               = 8
write(2, "  -f, --force\n", 14  -f, --force
)         = 14
write(2, "  -l, --logical\n", 16  -l, --logical
)       = 16
write(2, "  -v, --verbose\n", 16  -v, --verbose
)       = 16
write(2, "  -d, --debug\n", 14  -d, --debug
)         = 14
write(2, "  -h, --help\n", 13  -h, --help
)          = 13
write(2, "\n", 1
)                       = 1
write(2, "Report bugs to <https://bugzilla"..., 73Report bugs to <https://bugzilla.linux.ibm.com/> (vendor='MCP for FSP*')
) = 73
exit_group(1)                           = ?
+++ exited with 1 +++
SELinux is preventing fpart from 'execute' accesses on the file /etc/ld.so.cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fpart should be allowed execute access on the ld.so.cache file by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'fpart' --raw | audit2allow -M my-fpart
# semodule -X 300 -i my-fpart.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:ld_so_cache_t:s0
Target Objects                /etc/ld.so.cache [ file ]
Source                        fpart
Source Path                   fpart
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           glibc-2.25-6.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-259.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.8-300.fc26.x86_64 #1 SMP Thu
                              Jun 29 20:09:48 UTC 2017 x86_64 x86_64
Alert Count                   446
First Seen                    2017-07-18 14:00:11 AEST
Last Seen                     2017-07-18 14:03:23 AEST
Local ID                      aa165fcf-3c62-4e93-a3a9-2847a9a47586

Raw Audit Messages
type=AVC msg=audit(1500350603.883:1088): avc:  denied  { execute } for  pid=21199 comm="fpart" path="/etc/ld.so.cache" dev="dm-1" ino=100686624 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=0


Hash: fpart,staff_t,ld_so_cache_t,file,execute

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.8-300.fc26.x86_64
type:           libreport
