From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.5) Gecko/20050109 Fedora/1.7.5-3

Description of problem:
Since just after build 766 of the FC devel PPC kernel, selinux has been broken to the point where many of the init services fail to start:

arping: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
Starting system logger: syslogd: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied
audit(1109380338.264:0): avc: denied { execmem } for pid=2340 comm=portmap scontext=user_u:system_r:portmap_t tcontext=user_u:system_r:portmap_t tclass=process
portmap: error while loading shared libraries: libnsl.so.1: failed to map segment from shared object: Permission denied
audit(1109380338.463:0): avc: denied { execmem } for pid=2357 comm=rpc.statd scontext=user_u:system_r:rpcd_t tcontext=user_u:system_r:rpcd_t tclass=process
rpc.statd: error while loading shared libraries: libwrap.so.0: failed to map segment from shared object: Permission denied
audit(1109380339.031:0): avc: denied { execmem } for pid=2392 comm=rpc.idmapd scontext=user_u:system_r:r
rpc.idmapd: error while loading shared libraries: libldap-2.2.so.7: failed to map segment from shared object: Permission denied
audit(1109380340.832:0): avc: denied { execmod } for pid=2510 comm=smartd path=/usr/sbin/smartd dev=hda5 ino=663228 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file
/usr/sbin/smartd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
Starting xinetd: audit(1109380341.053:0): avc: denied { execmod } for pid=2519 comm=xinetd path=/usr/sbin/xinetd dev=hda5 ino=663469 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file
xinetd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
audit(1109380341.266:0): avc: denied { execmem } for pid=2531 comm=ntpdate scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=process
audit(1109380341.330:0): avc: denied { execmem } for pid=2533 comm=ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=process
ntpd: error while loading shared libraries: libm.so.6: failed to map segment from shared object: Permission denied
audit(1109380343.738:0): avc: denied { execmod } for pid=2604 comm=crond path=/usr/sbin/crond dev=hda5 ino=662889 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file
crond: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
audit(1109380346.308:0): avc: denied { execmod } for pid=2654 comm=atd path=/usr/sbin/atd dev=hda5 ino=662510 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file
/usr/sbin/atd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied

This problem has persisted across the following kernels:
kernel-2.6.10-1.1148_FC4
kernel-2.6.10-1.1149_FC4
kernel-2.6.10-1.1153_FC4
kernel-2.6.10-1.1154_FC4
kernel-2.6.10-1.1155_FC4

Version-Release number of selected component (if applicable):
kernel-2.6.10-1.1148_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install fc-devel on your ppc
2. Update to the latest packages (incl. kernel) with yum
3. Watch services crash with above error messages

Actual Results: init scripts failed to launch their daemons, because of shared library "Permission denied" problems

Expected Results: All init scripts start and produce pretty green [ OK ]s.

Additional info:
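The AVC lines in the report above are the evidence a triager actually works from: execmem denials (tclass=process, source and target context identical) mean the process asked for memory that is both writable and executable, while execmod denials (tclass=file, with a path) mean it tried to make a private file mapping it had already written to executable again, which is what ld.so does when it applies text relocations and then "restores segment prot". The following parser is an added example written for this page, not code from the bug report, the kernel or Fedora; it pulls the fields out of AVC lines of the format shown above, separates the two denial kinds, and summarises which SELinux domains were hit. The sample lines are constructed by copying four AVC messages and one loader error from the report, and the field names (pid, comm, path, scontext, tcontext, tclass) are exactly those printed there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: four AVC messages and one ld.so error copied from the
# bug report above (2.6.10-era kernel format, before the audit daemon
# rewrote these lines as type=AVC records).
SAMPLE_AVC_LINES = [
    "audit(1109380338.264:0): avc: denied { execmem } for pid=2340 comm=portmap "
    "scontext=user_u:system_r:portmap_t tcontext=user_u:system_r:portmap_t tclass=process",
    "audit(1109380338.463:0): avc: denied { execmem } for pid=2357 comm=rpc.statd "
    "scontext=user_u:system_r:rpcd_t tcontext=user_u:system_r:rpcd_t tclass=process",
    "audit(1109380340.832:0): avc: denied { execmod } for pid=2510 comm=smartd path=/usr/sbin/smartd "
    "dev=hda5 ino=663228 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file",
    "audit(1109380341.053:0): avc: denied { execmod } for pid=2519 comm=xinetd path=/usr/sbin/xinetd "
    "dev=hda5 ino=663469 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:sbin_t tclass=file",
    "xinetd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied",
]

# "audit(<secs>.<ms>:<serial>): avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):\d+\):\s+avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of AVC fields for one line, or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # loader errors and init-script chatter are not AVC records
    rec = {
        "ts": float(m.group("ts")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    # Trailing key=value pairs; missing keys (as in the truncated rpc.idmapd
    # line in the report) simply stay absent instead of raising.
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def source_domain(ctx):
    """The type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def explain(rec):
    """Describe what the loader was doing when an execute-related denial fired."""
    perms = set(rec["perms"])
    if "execmem" in perms and rec.get("tclass") == "process":
        return ("execmem: %s asked for anonymous memory that is writable and executable "
                "at the same time" % rec.get("comm", "?"))
    if "execmod" in perms and rec.get("tclass") == "file":
        return ("execmod: %s tried to make a modified private mapping of %s executable "
                "again (text relocations)" % (rec.get("comm", "?"), rec.get("path", "?")))
    return "other: " + ",".join(sorted(perms))


def summarize(lines):
    """Parse all AVC lines; count denials per permission and collect source domains."""
    records = [r for r in map(parse_avc, lines) if r is not None]
    by_perm = Counter(p for r in records for p in r["perms"])
    domains = defaultdict(set)
    for r in records:
        if "scontext" not in r:
            continue
        for p in r["perms"]:
            domains[p].add(source_domain(r["scontext"]))
    return records, by_perm, domains


if __name__ == "__main__":
    recs, counts, doms = summarize(SAMPLE_AVC_LINES)
    for r in recs:
        print(explain(r))
    for perm, n in counts.items():
        print("%s: %d denials from domains %s" % (perm, n, sorted(doms[perm])))
```

Run on the sample, the summary separates the execmem denials, which come from the daemons' own domains (portmap_t, rpcd_t), from the execmod denials, which all come from initrc_t against sbin_t files, the same split a reader can check by eye in the report.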
Created attachment 111755 [details] Change SELinux execute-related permission checking This attachment contains a patch to change the SELinux execute-related checking both to address the specific bug in this report (for ppc32) as well as to address more widely reported issues with the same checks for legacy binaries and binaries requiring PT_GNU_STACK RWE on x86. This patch was submitted against 2.6.11-mm1 to Andrew Morton today, but I was told to also submit in bugzilla to help ensure that it gets into Fedora Core devel soon. The patch does have one overlap with another patch also submitted upstream today for enhanced MLS support, so you will likely need to hand merge the Kconfig change (or if necessary, I can try to grab the Fedora Core devel SRPM and re-base the diff, but that is obviously more painful for me ;).
BTW, I'd recommend changing component to kernel and changing architecture to all, as the kernel patch I just attached to the prior comment is obviously a kernel fix and addresses more than just the ppc-specific issue. And this presumably means that the bug should be assigned to davej instead of dwalsh...
Well, as of kernel-2.6.11-1.1176_FC4, the problem is still present, although it doesn't complain about bringing up interface lo anymore.
The patch hasn't been included in the FC devel kernel yet AFAIK. I need someone else to change component to kernel and assigned-to to davej so that he will queue it up for future FC devel kernels; I can't do it myself.
BTW, the patch is now included in 2.6.11-mm2. So if davej rebases to that, he'll get it automatically.
The -mm kernels are too volatile to consider rebasing to. I've picked this patch up (and tweaked it slightly; it rejected in Kconfig as you mentioned above). It'll be in tomorrow's rawhide, and should make it into FC4 test1.