161844 – crond, smbd, sshd errors

Bug 161844 - crond, smbd, sshd errors

Summary: crond, smbd, sshd errors

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-06-27 18:22 UTC by Nerijus Baliūnas
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-07-04 23:21:13 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nerijus Baliūnas 2005-06-27 18:22:22 UTC

After update to selinux-policy-targeted 1.17.30-3.13 I see following errors in
syslog:

audit(1119895261.549:0): avc:  denied  { execmod } for  pid=19033 comm=crond
path=/lib/libnsl-2.3.5.so dev=md0 ino=999535
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119895261.552:0): avc:  denied  { execmod } for  pid=19033 comm=crond
path=/lib/libcrypt-2.3.5.so dev=md0 ino=999678
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119886648.341:0): avc:  denied  { execmod } for  pid=18933 comm=smbd
path=/lib/libnss_files-2.3.5.so dev=md0 ino=998312
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119889030.658:0): avc:  denied  { execmod } for  pid=18980 comm=sshd
path=/lib/libdl-2.3.5.so dev=md0 ino=999672
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

I cannot even ssh into the box! It's good that I didn't disconnect from current
ssh session. For now I disabled selinux.

Comment 1 Nerijus Baliūnas 2005-06-27 21:18:23 UTC

It seems it also breaks squid:

audit(1119878211.583:0): avc:  denied  { 
append } for  pid=3071 exe=/usr/sbin/squid path=/var/log/squid/squid.out 
dev=sda2 ino=1465950 scontext=user_u:system_r:squid_t
tcontext=root:object_r:var_log_t tclass=file

Comment 2 Daniel Walsh 2005-06-29 15:34:34 UTC

You have a labeling problem.  Did you run with selinux disabled?  

restorecon  -R -v /var/log  

Should fix its labeling.

touch /.autorelabel 
reboot
Will relabel the entire system.

selinux-policy-targeted 1.17.30-3.15 should fix the lib_t error.
Dan

Comment 3 Nerijus Baliūnas 2005-06-29 15:56:50 UTC

I cannot reboot, so I ran fixfiles restore, but it didn't help (why?). Are you
sure relabeling /var/log will help with avc:  denied  { execmod } for  pid=18980
comm=sshd
path=/lib/libdl-2.3.5.so dev=md0 ino=999672 ? Or will 1.17.30-3.15 help even
without relabeling?

BTW, it happened on about 5 different servers, so of course I disabled selinux,
as otherwise customers would have killed me. And I'm very afraid to enable it now.

Is it possible to relabel the entire system without rebooting?

Comment 4 Daniel Walsh 2005-06-29 16:07:32 UTC

Please go to ftp://people.redhat.com/dwalsh/SELinux/FC3
and grab the latest policy

1.17.30-3.15 and see if this fixes the problem.  This should be available via
update tomorrow.

Dan

Comment 5 Daniel Walsh 2005-07-03 15:20:48 UTC

Fixed in selinux-policy-targeted-1.17.30-3.16

Note You need to log in before you can comment on or make changes to this bug.