Bug 156696 - Syslogd refuses to start, claiming that libc has a permission denied error
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All  OS: Linux
Priority: medium  Severity: high
Assigned To: Jakub Jelinek
QA Contact: Brian Brock
Reported: 2005-05-03 10:08 EDT by Christian Rose
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Last Closed: 2005-09-15 12:00:10 EDT
Description Christian Rose 2005-05-03 10:08:26 EDT
Since bug 146892 relates to FC3, I thought a separate bug report about what
appears to be the same problem in RHEL4 might be appropriate.

The problem is that syslog won't start (or restart). The machine is a RHEL3 WS
machine upgraded to RHEL4 WS through anaconda, and where SELinux with the
default policy was later manually enabled.

Versions:
# rpm -q glibc sysklogd
glibc-2.3.4-2
sysklogd-1.4.1-26_EL

Symptoms:
# /sbin/service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [FAILED]
Starting system logger: syslogd: error while loading shared libraries: libc.so.6: cannot open shared object file: Permission denied
                                                           [FAILED]
Starting kernel logger:                                    [  OK  ]

But the security contexts appear to be correct:
# ls -lZ /lib/tls/lib*.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/tls/libc-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/tls/libm-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/tls/libpthread-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/tls/librt-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/tls/libthread_db-1.0.so
Comment 1 Jakub Jelinek 2005-05-03 11:06:36 EDT
Any audit messages in dmesg?
Comment 2 Christian Rose 2005-05-03 17:04:36 EDT
Yes, it seems so. Below are some possibly relevant pieces from dmesg:

[...]
apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
apm: overridden by ACPI.
audit: initializing netlink socket (disabled)
audit(1115160882.003:0): initialized
Total HugeTLB memory allocated, 0
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
SELinux:  Registering netfilter hooks
Initializing Cryptographic API
[...]
Freeing unused kernel memory: 140k freed
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
security:  3 users, 4 roles, 316 types, 20 bools
security:  53 classes, 9815 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev hda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
inserting floppy driver for 2.6.9-5.0.5.EL
[...]
cdrom: open failed.
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hdb2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hdb2, type ext3), uses xattr
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda1, type ext3), uses xattr
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda7, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda7, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda6, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda6, type ext3), uses xattr
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda2, type ext3), uses xattr
[...]
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]
parport0: irq 7 detected
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (3839 buckets, 30712 max) - 356 bytes per conntrack
eth0: Media Link On 100mbps full-duplex
i2c /dev entries driver
NET: Registered protocol family 10
Disabled Privacy Extensions on device c03670a0(lo)
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1115153718.384:0): avc:  denied  { search } for  pid=2067 exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
eth0: no IPv6 routers present
Comment 3 Christian Rose 2005-05-03 17:08:55 EDT
Furthermore:

# /sbin/service ntpd status
ntpd is stopped
# /sbin/service ntpd restart
Shutting down ntpd:                                        [FAILED]
Starting ntpd: ntpd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied
                                                           [FAILED]
# ls -lZ /lib/libm.so.6 /lib/libm-2.3.4.so
-rwxr-xr-x  root     root     system_u:object_r:shlib_t        /lib/libm-2.3.4.so
lrwxrwxrwx  root     root     system_u:object_r:lib_t          /lib/libm.so.6 -> libm-2.3.4.so
Comment 5 Colin Walters 2005-05-03 17:15:44 EDT
Hmmm... it looks like some of your filesystem is labeled, since you have shlib_t
and lib_t.  Is /dev/hda3 a separate filesystem?  Is it labeled?

Can you give us the avc denial messages associated with the service restart?
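The check Colin is asking for, as an added example that is not part of this bug thread: a small Python script (hypothetical parse_avc, context_type and diagnose functions, not a Red Hat tool) that parses the AVC records already posted in comment 2 and flags a denial whose target carries the type file_t on the root inode. That is what the loader's "Permission denied" on a correctly labeled libc comes down to: ld.so needs search permission on every directory in the path, including /, and file_t on / means the root of hda3 was never labeled.

```python
import re
from collections import Counter

# Constructed sample: two AVC records as posted in comment 2 (re-joined onto one
# line each, as dmesg prints them) plus two ordinary dmesg lines to be ignored.
SAMPLE_DMESG = """\
eth0: Media Link On 100mbps full-duplex
audit(1115153718.384:0): avc:  denied  { search } for  pid=2067 exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1115153718.385:0): avc:  denied  { search } for  pid=2067 exe=/usr/sbin/ntpd name=/ dev=hda3 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
eth0: no IPv6 routers present
"""
# Hypothetical parser, not a Red Hat tool: "avc: denied { perms } for k=v k=v ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the denial as a dict (perms list plus key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return rec

def context_type(ctx):
    """user_u:system_r:ntpd_t -> ntpd_t (the type is the third field)."""
    return ctx.split(":")[2]

def diagnose(dmesg_text):
    """Group denials by source type, target type, class, device and inode; flag
    file_t targets. file_t is what the kernel assigns to a file with no SELinux
    xattr, so a file_t root directory (ino=2 on ext3) means the filesystem was
    never labeled: it needs a relabel, not a policy change."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(context_type(rec["scontext"]), context_type(rec["tcontext"]),
                    rec["tclass"], rec.get("dev"), rec.get("ino"))] += 1
    findings = []
    for (stype, ttype, tclass, dev, ino), n in counts.items():
        if ttype == "file_t":
            findings.append(f"{stype}: {n} denials on unlabeled {tclass} "
                            f"dev={dev} ino={ino}; filesystem needs relabeling")
        else:
            findings.append(f"{stype}: {n} denials on {ttype} {tclass} "
                            f"dev={dev} ino={ino}; check policy")
    return findings

print(*diagnose(SAMPLE_DMESG), sep="\n")
```

On a live box the same functions can be fed the output of dmesg directly; a finding on a non-file_t type points at policy rather than labeling.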
Comment 6 Christian Rose 2005-05-04 18:03:41 EDT
Thanks, the solution in comment #4 seems to have solved the problem.
Yes, /dev/hda3 is a separate file system. It's the root file system on this machine.
