Bug 1583084 - SELinux is preventing ldconfig from map access on the file /usr/lib64/libfreeblpriv3.so
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Duplicates: 1594832 1595785 1597608
Blocks: 1568427
Reported: 2018-05-28 08:13 UTC by Lukas Slebodnik
Modified: 2019-01-29 11:41 UTC (History)

Fixed In Version: selinux-policy-3.13.1-205.el7
Last Closed: 2018-10-30 10:04:11 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:04:48 UTC

Description Lukas Slebodnik 2018-05-28 08:13:20 UTC
SELinux is preventing ldconfig from map access on the file /usr/lib64/libfreeblpriv3.so.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/usr/lib64/libfreeblpriv3.so default label should be lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/lib64/libfreeblpriv3.so

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that ldconfig should be allowed map access on the libfreeblpriv3.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ldconfig' --raw | audit2allow -M my-ldconfig
# semodule -i my-ldconfig.pp


Additional Information:
Source Context                system_u:system_r:ldconfig_t:s0
Target Context                system_u:object_r:kdumpctl_tmp_t:s0
Target Objects                /usr/lib64/libfreeblpriv3.so [ file ]
Source                        ldconfig
Source Path                   ldconfig
Port                          <Unknown>
Host                          bkr-hv01-guest24.example.com
Source RPM Packages           
Target RPM Packages           nss-softokn-freebl-3.36.0-5.el7_5.x86_64
Policy RPM                    selinux-policy-3.13.1-197.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     bkr-hv01-guest24.example.com
Platform                      Linux bkr-hv01-guest24.example.com
                              3.10.0-893.el7.x86_64 #1 SMP Thu May 24 21:37:14
                              UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-26 09:12:44 EDT
Last Seen                     2018-05-26 09:12:44 EDT
Local ID                      359d8431-4654-48eb-a1f9-0d97c4d23ed2

Raw Audit Messages
type=AVC msg=audit(1527340364.451:62): avc:  denied  { map } for  pid=9288 comm="ldconfig" path="/usr/lib64/libfreeblpriv3.so" dev="dm-0" ino=493560 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=1


Hash: ldconfig,ldconfig_t,kdumpctl_tmp_t,file,map

Comment 2 Lukas Vrabec 2018-06-03 15:40:42 UTC
Are you able to reproduce it after: 

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/usr/lib64/libfreeblpriv3.so default label should be lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/lib64/libfreeblpriv3.so


Thanks,
Lukas.

Comment 3 Lukas Slebodnik 2018-06-04 11:54:37 UTC
sh# ls -lZ /usr/lib64/libfreeblpriv3.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib64/libfreeblpriv3.so

sh# matchpathcon /usr/lib64/libfreeblpriv3.so
/usr/lib64/libfreeblpriv3.so    system_u:object_r:lib_t:s0

I am not sure whether it will help.
But I might check this AVC later in enforcing mode after fixing other mmap related AVCs.

Comment 4 Milos Malik 2018-06-07 21:12:07 UTC
Seen a lot of these denials related to different libraries:
----
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:187) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs 
type=MMAP msg=audit(06/07/2018 16:58:42.101:187) : fd=4 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/07/2018 16:58:42.101:187) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x56f18 a2=PROT_READ a3=MAP_SHARED items=0 ppid=2635 pid=9496 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:ldconfig_t:s0 key=(null) 
type=AVC msg=audit(06/07/2018 16:58:42.101:187) : avc:  denied  { map } for  pid=9496 comm=ldconfig path=/usr/lib64/libdevmapper.so.1.02 dev="dm-0" ino=9592421 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:188) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs 
type=MMAP msg=audit(06/07/2018 16:58:42.101:188) : fd=4 flags=MAP_SHARED 
type=SYSCALL msg=audit(06/07/2018 16:58:42.101:188) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0xa12f8 a2=PROT_READ a3=MAP_SHARED items=0 ppid=2635 pid=9496 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:ldconfig_t:s0 key=(null) 
type=AVC msg=audit(06/07/2018 16:58:42.101:188) : avc:  denied  { map } for  pid=9496 comm=ldconfig path=/usr/lib64/libsepol.so.1 dev="dm-0" ino=9592422 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0 
----
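
Added example, not part of any comment in this report: a triage helper that correlates each AVC denial with the PROCTITLE record of the same audit event and, when ldconfig was started with `-r <root>`, rebuilds the path of the file that was actually mapped. It assumes the `path=` field is reported relative to that alternate root, which is what the `kdumpctl_tmp_t` target label here and the `lib_t` label on the host copy (comment 3) suggest; the function names are hypothetical.

```python
import posixpath
import re
import shlex
from collections import defaultdict

# Constructed sample: events 187 and 188 from comment 4 (MMAP/SYSCALL records omitted).
SAMPLE = """\
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:187) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs
type=AVC msg=audit(06/07/2018 16:58:42.101:187) : avc:  denied  { map } for  pid=9496 comm=ldconfig path=/usr/lib64/libdevmapper.so.1.02 dev="dm-0" ino=9592421 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(06/07/2018 16:58:42.101:188) : proctitle=ldconfig -r /var/tmp/dracut.wbz0MV/initramfs
type=AVC msg=audit(06/07/2018 16:58:42.101:188) : avc:  denied  { map } for  pid=9496 comm=ldconfig path=/usr/lib64/libsepol.so.1 dev="dm-0" ino=9592422 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=file permissive=0
"""

# Matches both `ausearch -i` ("...:187) : body") and raw ("...:62): body") headers.
HEADER = re.compile(r"type=(\w+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)")
PERMS = re.compile(r"\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def alt_root(proctitle):
    """Return the directory passed to `ldconfig -r`, or None.

    Only interpreted (`ausearch -i`) proctitles are handled; raw records
    carry the command line hex-encoded.
    """
    if not proctitle:
        return None
    argv = shlex.split(proctitle)
    if argv and posixpath.basename(argv[0]) == "ldconfig" and "-r" in argv[:-1]:
        return argv[argv.index("-r") + 1]
    return None


def triage(log_text):
    """Group records by audit event and describe every denial in it."""
    events = defaultdict(lambda: {"proctitle": None, "avcs": []})
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        event = events[(stamp, serial)]  # records of one event share this id
        if rtype == "PROCTITLE":
            event["proctitle"] = body.partition("=")[2].strip()
        elif rtype == "AVC" and "denied" in body:
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            fields["perms"] = PERMS.search(body).group(1).split()
            event["avcs"].append(fields)

    findings = []
    for (_, serial), event in events.items():
        root = alt_root(event["proctitle"])
        for avc in event["avcs"]:
            path = avc.get("path", "")
            findings.append({
                "serial": serial,
                "perms": avc["perms"],
                "source_type": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2],
                "reported_path": path,
                "alt_root": root,
                # Assumption: path= is relative to the root given with -r.
                "real_path": posixpath.join(root, path.lstrip("/")) if root else path,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["serial"], f["perms"], f["target_type"], f["real_path"])
```

A finding whose `alt_root` is set points at a copy under the temporary tree, so relabelling the host path with restorecon would not change the label the denial was evaluated against.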

Comment 5 Lukas Slebodnik 2018-06-16 09:01:36 UTC
I can see them as well with selinux-policy-3.13.1-204.el7.noarch.
It seems to be related to dracut.

Jun 16 04:41:06 host.example.com dracut[3083]: *** Installing kernel module dependencies and firmware done ***
Jun 16 04:41:06 host.example.com dracut[3083]: *** Resolving executable dependencies ***
Jun 16 04:41:07 host.example.com beah-srv[3516]: 2018-06-16 04:41:07,067 beah buildProtocol: INFO TaskListener: New client connected from remote address UNIXAddress('')
Jun 16 04:41:07 host.example.com dracut[3083]: *** Resolving executable dependencies done***
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libfreeblpriv3.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libfreebl3.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event.so.1.02.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2mirror.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2raid.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2snapshot.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2thin.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libnss_files-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libnss_files.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libnss_files.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libtinfo.so.5.9.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libtinfo.so.5.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdl-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdl.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdl.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libc-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libc.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libc.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/ld-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/ld-linux-x86-64.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/librt-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/librt.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/librt.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap.so.2.22.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcc_s-4.8.5-20150702.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcc_s.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpthread-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpthread.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpthread.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libattr.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libattr.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libmount.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libmount.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libblkid.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libblkid.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libuuid.so.1.3.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libuuid.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libselinux.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpcre.so.1.2.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpcre.so.1.
Jun 16 04:41:07 host.example.com dbus[1015]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jun 16 04:41:07 host.example.com dracut[3083]: *** Hardlinking files ***
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libkmod.so.2.2.10.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libkmod.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libacl.so.1.1.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libacl.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzma.so.5.2.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzma.so.5.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libz.so.1.2.7.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libz.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblz4.so.1.7.5.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblz4.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcrypt.so.11.8.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgcrypt.so.11.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libqrencode.so.3.4.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libqrencode.so.3.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgpg-error.so.0.10.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libgpg-error.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libudev.so.1.6.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libudev.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libm-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libm.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libm.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdw-0.172.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdw.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libelf-0.172.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libelf.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libbz2.so.1.0.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libbz2.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libprocps.so.4.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libprocps.so.4.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsystemd.so.0.6.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsystemd.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libresolv-2.17.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libresolv.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libresolv.so.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper.so.1.02.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsepol.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaio.so.1.0.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaio.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libreadline.so.6.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libreadline.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpci.so.3.5.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpci.so.3.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsnappy.so.1.1.4.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libsnappy.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzo2.so.2.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblzo2.so.2.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libstdc++.so.6.0.19.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libstdc++.so.6.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpam.so.0.83.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libpam.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaudit.so.1.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libaudit.so.1.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap-ng.so.0.0.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libcap-ng.so.0.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/libdevmapper-event-lvm2.so.2.02.
Jun 16 04:41:07 host.example.com kdumpctl[1378]: ldconfig: Cannot mmap file /lib64/liblvm2cmd.so.2.02.
Jun 16 04:41:07 host.example.com dracut[3083]: *** Hardlinking files done ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Stripping files ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Stripping files done ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Generating early-microcode cpio image contents ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** No early-microcode cpio image needed ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Store current command line parameters ***
Jun 16 04:41:07 host.example.com dracut[3083]: *** Creating image file ***
Jun 16 04:41:08 host.example.com dbus[1015]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jun 16 04:41:08 host.example.com setroubleshoot[9781]: SELinux is preventing /usr/sbin/ldconfig from map access on the file /usr/lib64/libfreeblpriv3.so.

//snip

Jun 16 04:41:14 host.example.com dracut[3083]: drwxr-xr-x  13 root     root            0 Jun 16 04:41 .
Jun 16 04:41:14 host.example.com dracut[3083]: crw-r--r--   1 root     root       5,   1 Jun 16 04:41 dev/console
Jun 16 04:41:14 host.example.com dracut[3083]: crw-r--r--   1 root     root       1,  11 Jun 16 04:41 dev/kmsg
Jun 16 04:41:14 host.example.com dracut[3083]: crw-r--r--   1 root     root       1,   3 Jun 16 04:41 dev/null

Comment 6 Jan Pazdziora 2018-06-25 09:42:03 UTC
This is a regression against RHEL 7.5.

Comment 9 Lukas Vrabec 2018-06-25 16:22:24 UTC
*** Bug 1594832 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2018-06-27 15:02:09 UTC
*** Bug 1595785 has been marked as a duplicate of this bug. ***

Comment 12 Lukas Vrabec 2018-07-03 13:33:15 UTC
*** Bug 1597608 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2018-10-30 10:04:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

