Bug 161833 - snmptrapd refuses to start
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: beecrypt
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Paul Nasrat
Keywords: Security
Duplicates: 163928
Reported: 2005-06-27 12:46 EDT by Charles C. Van Tilburg
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-09-05 03:37:14 EDT
Description Charles C. Van Tilburg 2005-06-27 12:46:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
install of selinux-policy-targeted-1.17.30-3.13 breaks snmptrapd:

[root@axp init.d]# ./snmptrapd start
Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied

Version-Release number of selected component (if applicable):
net-snmp-5.2.1-10.FC3 beecrypt-3.1.0-6 selinux-policy-targeted-1.17.30-3.13

How reproducible:
Always

Steps to Reproduce:
1. cd /etc/init.d
2. ./snmptrapd start

Actual Results:  Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied

Expected Results:  [OK]

Additional info:
Comment 1 Charles C. Van Tilburg 2005-06-28 08:35:22 EDT
gpg also refuses to work from within thunderbird.

I have reverted to selinux-policy-targeted-1.17.30-3.9 and the
problem(s) go away.
Comment 2 Daniel Walsh 2005-07-03 11:56:40 EDT
Fixed in selinux-policy-targeted-1.17.30-3.16
Comment 3 Charles C. Van Tilburg 2005-07-03 16:22:19 EDT
Any idea when that will hit the network?
Comment 4 Daniel Walsh 2005-07-05 06:57:28 EDT
Today.
Comment 5 Jason Tibbitts 2005-07-13 11:28:59 EDT
This does not seem to be fixed:

> service snmptrapd start
Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared libraries:
libbeecrypt.so.6: cannot enable executable stack as shared object requires:
Permission denied

audit(1121268331.738:0): avc:  denied  { execmem } for  pid=3637 comm=snmptrapd
scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=process

> ls -lZ `locate libbeecrypt`
lrwxrwxrwx  root     root     system_u:object_r:lib_t         
/usr/lib/libbeecrypt.so.6 -> libbeecrypt.so.6.2.0*
-rwxr-xr-x  root     root     system_u:object_r:shlib_t       
/usr/lib/libbeecrypt.so.6.2.0*

snmpd fails in the same way.

> rpm -q kernel selinux-policy-targeted beecrypt
kernel-2.6.11-1.35_FC3
selinux-policy-targeted-1.17.30-3.16
beecrypt-3.1.0-6
Comment 6 Charles C. Van Tilburg 2005-07-13 11:50:40 EDT
I have all the same software as you, and mine does
work... perhaps something needs to be reset?  I
downgraded to the prior version of targeted before
I upgraded again.
Comment 7 Jason Tibbitts 2005-07-13 12:25:03 EDT
I just did a reboot with full relabel (touch /.autorelabel) and the problem
persists.
Comment 8 Daniel Walsh 2005-07-13 12:31:08 EDT
Yes, the problem is with beecrypt.

If you run 

 execstack -c /usr/lib/libbeecrypt.so.6

Does it work?
Comment 9 Charles C. Van Tilburg 2005-07-13 12:45:07 EDT
FWIW, 

[ctilburg@axp ~]$ execstack -q /usr/lib/libbeecrypt.so.6
X /usr/lib/libbeecrypt.so.6

Comment 10 Charles C. Van Tilburg 2005-07-13 13:21:02 EDT
More precisely, the problem is with 
net-snmp-5.2.1.2-FC3.1.i386.rpm.  I am 
running net-snmp-5.2.1-10.FC3 and 
snmptrapd works fine.



Comment 11 Jason Tibbitts 2005-07-13 13:33:55 EDT
Re: #8, yes, if I do execstack -c, snmpd will at least start but I have no way
to properly verify that the change doesn't break something.

Re: #10, I beg to differ:

> rpm -qa \*snmp\*
net-snmp-5.2.1-10.FC3
net-snmp-libs-5.2.1-10.FC3

I don't have 5.2.1.2-FC3.1 yet as it hasn't propagated to my local mirror. 
Still, I really doubt that net-snmp is implicated here; it just has a special
selinux context that doesn't allow loading of the beecrypt libraries.
Comment 12 Charles C. Van Tilburg 2005-07-13 13:41:08 EDT
OK, my bad.  I'll change it back to beecrypt... but...

I find it confusing that we are both running the same 
kernel, library, and selinux targeted policy, but yours
fails and mine does not.  I also did an autorelabel,
and mine continues to work just fine.

I just saw the new net-snmp come over the net and 
assumed you had a more recent version than mine.
Comment 13 Charles C. Van Tilburg 2005-07-13 14:22:53 EDT
Got mine to fail.  Mystery solved.

Turns out I had .rpmnew files in my /etc/selinux tree.  

Mv them to be the files, reboot, and now I get what you get.
Comment 14 Charles C. Van Tilburg 2005-07-13 15:02:04 EDT
Hmmm... maybe not just beecrypt... an execstack scan
of /usr/lib for those marked X, and then an rpm -q
--whatprovides reveals more:

bogl-devel-0.1.18-4
bogl-0.1.18-4
libdv-devel-0.103-1
libdv-0.103-1
flac-devel-1.1.0-7
flac-1.1.0-7
compat-libgcj-8-3.3.4.2
gdk-pixbuf-devel-0.22.0-16.fc3
gdk-pixbuf-0.22.0-16.fc3
Glide3-devel-20010520-33
Glide3-20010520-33
libgnat-3.4.3-22.fc3
guile-devel-1.6.4-14
guile-1.6.4-14
SDL-1.2.7-8
SDL-devel-1.2.7-8
libsilc-0.9.12-7
libsilc-devel-0.9.12-7
Comment 15 Charles C. Van Tilburg 2005-07-13 15:33:17 EDT
also xorg-x11-devel-6.8.2-1.FC3.13

The good news is that according to rpm -q 
--whatrequires, none of these are required 
by anything on my system.
Comment 16 Charles C. Van Tilburg 2005-07-13 16:00:57 EDT
Oops... don't like that behaviour... the inclusion
of the version number breaks the --whatprovides.

here are the correct non-obvious results, some of
which look rather important:

bogl-bterm-0.1.18-4
pwlib-1.6.5-11
libdv-tools-0.103-1
compat-gcc-java-8-3.3.4.2
gnome-print-devel-0.37-10
gtkhtml-devel-1.1.9-10
gtk+-1.2.10-33
gtkhtml-1.1.9-10
gdk-pixbuf-gnome-0.22.0-16.fc3
gcc-gnat-3.4.3-22.fc3
g-wrap-devel-1.3.4-7
g-wrap-1.3.4-7
SDL_net-1.2.5-2
SDL_mixer-1.2.5-4
kdeaddons-3.3.1-1
SDL_image-devel-1.2.3-6
openmotif-devel-2.2.3-6.FC3.1
Xaw3d-devel-1.5-23
qt-devel-3.3.4-0.fc3.0
xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.13
libxfce4mcs-devel-4.2.1-3.fc3
Comment 17 Charles C. Van Tilburg 2005-07-20 11:15:44 EDT
I have abandoned FC3 in favor of FC4.
Comment 18 Paul Nasrat 2005-07-22 12:36:47 EDT
*** Bug 163928 has been marked as a duplicate of this bug. ***
Comment 19 Rahul Sundaram 2005-09-05 03:37:14 EDT
Reporter has moved on to FC4. Presuming fixed.
Comment 20 Nigel Horne 2005-10-17 06:13:17 EDT
(In reply to comment #2)
> Fixed in selinux-policy-targeted-1.17.30-3.16

Still fails:

[root@AG-IPMM lib]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-3.16
[root@AG-IPMM lib]# service snmptrapd start
Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared
libraries: libbeecrypt.so.6: cannot enable executable stack as shared
object requires: Permission denied
                                                           [FAILED]
[root@AG-IPMM lib]#
