Bug 160147 - Wrong context of /opt, not working '--'
Wrong context of /opt, not working '--'
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2005-06-11 16:15 EDT by František Dvořák
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-06-28 15:01:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description František Dvořák 2005-06-11 16:15:32 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
After upgrade selinux-policy-targeted from 1.17.30-2.96 to 1.17.30-3.2, so-plugins (shared libraries) in /opt/lib/* can't be loaded (and my xine crashes :-().

Also I found all entries with '--' in sources never match!

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. have some libraries in /opt/lib
1. install selinux-policy-targeted-1.17.30-3.2
2. enable selinux, targeted policy (it's default, I guess)
3. a) setfiles -n -d -W -vv /etc/selinux/targeted/contexts/files/file_contexts /opt/lib | less
   b) setfiles -n -d -W -vv /etc/selinux/targeted/contexts/files/file_contexts /usr/bin | grep bash

Actual Results:  a) 'root:object_r:usr_t' context on all shared libraries
b) setfiles:  Warning!  No matches for (/bin/bash, --, system_u:object_r:shell_exec_t)

Expected Results:  a) 'system_u:object_r:shlib_t' context on all shared libraries
b) 'system_u:object_r:shell_exec_t' context on /usr/bin/bash

Additional info:

I don't know about '--'-problem.

The opt-problem I fixed by using similar entries as for /usr:
  # with workaround here unlike to /usr: removed the '--'
  /opt(/.*)?                      system_u:object_r:usr_t
  /opt(/.*)?/lib(64)?(/.*)?                               system_u:object_r:lib_t
  /opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*    system_u:object_r:shlib_t
Comment 1 Boris Glawe 2005-06-12 08:43:59 EDT
I can confirm this. I've installed both openenoffice 1.1.4 and 2.0-beta in /opt.
Both version won't start anymore, while causing "avc denied" messages. 
In addition the flash plugin installed in my home directory
(~/.mozilla/plugins/) won't start while causing "avc denied" messages.

I've already extecuted "fixfiles relabel" and I've rebooted.

The severity of this bug is very high!
Comment 2 Boris Glawe 2005-06-12 15:53:01 EDT
I can't even load shared libraries from subfolders of my home directory !!

I hope there's a fix soon !!
Comment 3 Daniel Walsh 2005-06-12 16:14:33 EDT
What errors are you seeing?  What are the AVC messages?

Comment 4 Boris Glawe 2005-06-13 05:26:41 EDT
I wiped out some sensible data:

This message is the result when trying to load a shared library in my home
directory. LD_LIBRARY_PATH is set correctly and it worked before the latest
selinux-policy-targeted update.

Jun 13 11:17:03 mymachine kernel: audit(1118654223.196:0): avc:  denied  {
execmod } for  pid=6155 comm=testprog path=/home/user/workspace/prog/libprog.so
dev=hda5 ino=1458690 scontext=user_u:system_r:unconfined_t
tcontext=user_u:object_r:user_home_t tclass=file

This message appears thousands of times, caused by mozilla's flashplayer:

Jun 13 11:13:59 mymachine kernel: audit(1118654039.474:0): avc:  denied  {
execmod } for  pid=4663 comm=firefox-bin
path=/home/user/.mozilla/plugins/libflashplayer.so dev=hda5 ino=1409670
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:user_home_t

This message appears, when trying to start openoffice. I've installed the
openoffice version from openoffice.org.

Jun 13 11:21:52 mymachine kernel: audit(1118654512.067:0): avc:  denied  {
execmod } for  pid=6188 comm=soffice.bin
path=/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 dev=hda6 ino=54865
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file

the same happens with the current stable openoffice version:

Jun 13 11:22:53 mymachine kernel: audit(1118654573.135:0): avc:  denied  {
execmod } for  pid=6215 comm=soffice.bin
path=/opt/OpenOffice.org/program/libicudata.so.22.0 dev=hda6 ino=51385
scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file

The system itself is stable, but these few examples show, that there's something
wrong !!

If I knew how to configure this big selinux monster, I'd try to find the bug
myself. Do you have any comprehensible tutorials?
Comment 5 František Dvořák 2005-06-13 14:11:52 EDT

In short: 
  - directory /etc/selinux/targeted/src/policy
  - do 'make install' after policy change
  - do 'fixlabels restore' to set context in whole filesystem,
    or read 'man setfiles' if you want change just one dir/file or test

I guess the bug is somewhere in selinux binary. Try remove all '--' and all
should work again. I see in previous release '--' was used too, but not so much,
so no error was visible (lib_t is enough for libraries, but desired idea was to
use shlib_t in /usr/lib, for example).
Comment 6 František Dvořák 2005-06-13 14:16:36 EDT
(should work again except the /opt/.*lib dir, of course)
Comment 7 Boris Glawe 2005-06-13 15:46:01 EDT
"I guess the bug is somewhere in selinux binary. Try remove all '--' and all
should work again. I see in previous release '--' was used too, but not so much,
so no error was visible (lib_t is enough for libraries, but desired idea was to
use shlib_t in /usr/lib, for example)."

Sorry, but I didn't understand you.
What do you mean by "removing all '--' " ?? Could you please explain it again?
Comment 8 František Dvořák 2005-06-14 05:39:36 EDT
I mean remove all '--' from configuration file /etc/selinux/targeted/src/policy/

So commands like this:
  cd /etc/selinux/targeted/src/policy/
  # correct '--'
  cp file_contexts/types.fc file_contexts/types.fc.orig
  cat file_contexts/types.fc.orig | sed -e 's/--//' > file_contexts/types.fc
  # corect there /opt/lib too, according to my previous mail
  (vi file_contexts/types.fc)
  make install
  fixlabels restore

PS: I'm just bug reporter. I wasn't so active to explore selinux sources...
Comment 9 Boris Glawe 2005-06-14 16:11:55 EDT
I've followed your hint, but it didn't help, sorry.

Am I the only one who has this problem? I am wondering, why there are so few bug
reports about this issue.

Where could be the reason?

I've got the same selinux-policy as other users, and I've done "filfiles
relabel" dozens of times the last days...
Comment 10 František Dvořák 2005-06-14 17:48:35 EDT
Hmm, I checked the 1.17.30-3.9 version in testing updates of FC3 and the
opt-problem wasn't fixed yet. :-(

Good message: '--' was fixed. :-)

I think developers was notified about this bug, so if previous selinux policy
was OK for you, I advice you downgrade back to version 1.17.30-2.96 for now
(remove and install old, maybe '--force' would work too...) and relabel again.
Comment 11 Daniel Walsh 2005-06-15 10:56:43 EDT
If you install 1.17.30-3.9 and 

setsebool -P allow_execmod=1

Does this fix the problem?

I have no idea why downgrading to previous policy would fix this problem.  This
problem comes because of the new kernel.  Basically the kernel update contains
new AVC checks execmod/execmem, and policy did not handle it in the past.

Comment 12 Daniel Walsh 2005-06-15 14:41:46 EDT
Fixed in selinux-policy-targeted-1.17.30-3.9
Comment 13 František Dvořák 2005-06-16 08:51:49 EDT
Yes, you're right. It's fixed. 

Now there remains only minor bug (it hasn't effect to functionality):

[valtri@funus ~]$ ls -lZ /opt/lib/*.so | head -1
lrwxrwxrwx  root     root     system_u:object_r:usr_t         

I think desired is:

lrwxrwxrwx  root     root     system_u:object_r:shlib_t         

Anyway it works nice on my system, now. Thank you.
Comment 14 Daniel Walsh 2005-06-16 16:33:18 EDT
Does restorecon -R -v /opt fix the labeling?

Comment 15 František Dvořák 2005-06-25 08:49:56 EDT
No, it doesn't.

[root@funus valtri]# restorecon -R -v /opt
[root@funus valtri]# ls -Z /opt/lib/*.so | tail -1
lrwxrwxrwx  root     root     system_u:object_r:usr_t          /opt/lib/libxine.so
Comment 16 Daniel Walsh 2005-06-25 16:23:52 EDT
What version of policy do you have installed?

Comment 17 František Dvořák 2005-06-25 16:54:39 EDT
1.17.30-3.9 - the latest from FC3 updates.

Btw. look at /etc/selinux/targeted/src/policy/file_contexts/types.fc. There is:


shouldn't it be:


Comment 18 Daniel Walsh 2005-06-26 07:25:39 EDT
Not quite but it is broken.


Is in the next test release.

Comment 19 František Dvořák 2005-06-28 15:01:48 EDT
Installed selinux-policy-targeted-1.17.30-3.13 from FC3 and all is OK now.

Thank you.

Note You need to log in before you can comment on or make changes to this bug.