From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4
Description of problem:
install of selinux-policy-targeted-1.17.30-3.13 breaks snmptrapd:
[root@axp init.d]# ./snmptrapd start
Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
Version-Release number of selected component (if applicable):
net-snmp-5.2.1-10.FC3
beecrypt-3.1.0-6
selinux-policy-targeted-1.17.30-3.13
How reproducible:
Always
Steps to Reproduce:
1. cd /etc/init.d
2. ./snmptrapd start
3.
Actual Results:
Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
Expected Results:
[OK]
Additional info:
gpg also refuses to work from within thunderbird. I have reverted to selinux-policy-targeted-1.17.30-3.9 and the problem(s) go away.
Fixed in selinux-policy-targeted-1.17.30-3.16
Any idea when that will hit the network?
Today.
This does not seem to be fixed:
> service snmptrapd start
Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
audit(1121268331.738:0): avc: denied { execmem } for pid=3637 comm=snmptrapd scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=process
> ls -lZ `locate libbeecrypt`
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libbeecrypt.so.6 -> libbeecrypt.so.6.2.0*
-rwxr-xr-x root root system_u:object_r:shlib_t /usr/lib/libbeecrypt.so.6.2.0*
snmpd fails in the same way.
> rpm -q kernel selinux-policy-targeted beecrypt
kernel-2.6.11-1.35_FC3
selinux-policy-targeted-1.17.30-3.16
beecrypt-3.1.0-6
I have all the same software as you, and mine does work... perhaps something needs to be reset? I downgraded to the prior version of targeted before I upgraded again.
I just did a reboot with full relabel (touch /.autorelabel) and the problem persists.
Yes, the problem is with beecrypt. If you run
execstack -c /usr/lib/libbeecrypt.so.6
does it work?
FWIW,
[ctilburg@axp ~]$ execstack -q /usr/lib/libbeecrypt.so.6
X /usr/lib/libbeecrypt.so.6
More precisely, the problem is with net-snmp-5.2.1.2-FC3.1.i386.rpm. I am running net-snmp-5.2.1-10.FC3 and snmptrapd works fine.
Re: #8, yes, if I do execstack -c, snmpd will at least start but I have no way to properly verify that the change doesn't break something.
Re: #10, I beg to differ:
> rpm -qa \*snmp\*
net-snmp-5.2.1-10.FC3
net-snmp-libs-5.2.1-10.FC3
I don't have 5.2.1.2-FC3.1 yet as it hasn't propagated to my local mirror. Still, I really doubt that net-snmp is implicated here; it just has a special selinux context that doesn't allow loading of the beecrypt libraries.
OK, my bad. I'll change it back to beecrypt... but... I find it confusing that we are both running the same kernel, library, and selinux targeted policy, but yours fails and mine does not. I also did an autorelabel, and mine continues to work just fine. I just saw the new net-snmp come over the net and assumed you had a more recent version than mine.
Got mine to fail. Mystery solved. Turns out I had .rpmnew files in my /etc/selinux tree. Mv them to be the files, reboot, and now I get what you get.
Hmmm... maybe not just beecrypt... an execstack scan of /usr/lib for those marked X, and then an rpm -q --whatprovides reveals more:
bogl-devel-0.1.18-4
bogl-0.1.18-4
libdv-devel-0.103-1
libdv-0.103-1
flac-devel-1.1.0-7
flac-1.1.0-7
compat-libgcj-8-3.3.4.2
gdk-pixbuf-devel-0.22.0-16.fc3
gdk-pixbuf-0.22.0-16.fc3
Glide3-devel-20010520-33
Glide3-20010520-33
libgnat-3.4.3-22.fc3
guile-devel-1.6.4-14
guile-1.6.4-14
SDL-1.2.7-8
SDL-devel-1.2.7-8
libsilc-0.9.12-7
libsilc-devel-0.9.12-7
Also:
xorg-x11-devel-6.8.2-1.FC3.13
The good news is that according to rpm -q --whatrequires, none of these are required by anything on my system.
Oops... don't like that behaviour... the inclusion of the version number breaks the --whatprovides. Here are the correct non-obvious results, some of which look rather important:
bogl-bterm-0.1.18-4
pwlib-1.6.5-11
libdv-tools-0.103-1
compat-gcc-java-8-3.3.4.2
gnome-print-devel-0.37-10
gtkhtml-devel-1.1.9-10
gtk+-1.2.10-33
gtkhtml-1.1.9-10
gdk-pixbuf-gnome-0.22.0-16.fc3
gcc-gnat-3.4.3-22.fc3
g-wrap-devel-1.3.4-7
g-wrap-1.3.4-7
SDL_net-1.2.5-2
SDL_mixer-1.2.5-4
kdeaddons-3.3.1-1
SDL_image-devel-1.2.3-6
openmotif-devel-2.2.3-6.FC3.1
Xaw3d-devel-1.5-23
qt-devel-3.3.4-0.fc3.0
xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.13
libxfce4mcs-devel-4.2.1-3.fc3
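Added example, not part of the original bug thread: the X that execstack -q prints in the comments above comes from the PT_GNU_STACK program header of the ELF file, and the sketch below reads that header directly and repeats the /usr/lib scan for objects marked X. The function names and the minimal ELF image are constructed for illustration.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_marking(data):
    """Classify ELF bytes like `execstack -q`: 'X', '-', '?'; None if not ELF."""
    # 64 bytes covers the larger (ELF64) file header; real objects are bigger.
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[5] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"      # EI_DATA: byte order
    is64 = data[4] == 2                     # EI_CLASS: ELFCLASS64
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    flags_at = 4 if is64 else 24            # offset of p_flags inside one header
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + flags_at + 4 > len(data):
            break                           # header lies beyond the bytes given
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", data, off + flags_at)
            return "X" if p_flags & PF_X else "-"
    return "?"                              # no PT_GNU_STACK: marking is missing

def scan(libdir):
    """Return sorted paths under libdir marked X, skipping symlinks such as
    libbeecrypt.so.6 -> libbeecrypt.so.6.2.0 so each object is listed once."""
    hits = []
    for root, _dirs, files in os.walk(libdir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            if stack_marking(data) == "X":
                hits.append(path)
    return sorted(hits)

def sample_elf32(p_flags):
    """Constructed little-endian ELF32 image with a single PT_GNU_STACK header."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 16)
    return ehdr + phdr
```

Each path returned by scan("/usr/lib") can be passed to rpm -qf to find the owning package.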
I have abandoned FC3 in favor of FC4.
*** Bug 163928 has been marked as a duplicate of this bug. ***
Reporter has moved onto FC4. Presuming fixed
(In reply to comment #2)
> Fixed in selinux-policy-targeted-1.17.30-3.16
Still fails:
[root@AG-IPMM lib]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-3.16
[root@AG-IPMM lib]# service snmptrapd start
Starting snmptrapd: /usr/sbin/snmptrapd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
[FAILED]
[root@AG-IPMM lib]#