Bug 161844 - crond, smbd, sshd errors
crond, smbd, sshd errors
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-27 14:22 EDT by Nerijus Baliūnas
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-04 19:21:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nerijus Baliūnas 2005-06-27 14:22:22 EDT
After update to selinux-policy-targeted 1.17.30-3.13 I see following errors in
syslog:

audit(1119895261.549:0): avc:  denied  { execmod } for  pid=19033 comm=crond
path=/lib/libnsl-2.3.5.so dev=md0 ino=999535
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119895261.552:0): avc:  denied  { execmod } for  pid=19033 comm=crond
path=/lib/libcrypt-2.3.5.so dev=md0 ino=999678
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119886648.341:0): avc:  denied  { execmod } for  pid=18933 comm=smbd
path=/lib/libnss_files-2.3.5.so dev=md0 ino=998312
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

audit(1119889030.658:0): avc:  denied  { execmod } for  pid=18980 comm=sshd
path=/lib/libdl-2.3.5.so dev=md0 ino=999672
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file

I cannot even ssh into the box! It's good that I didn't disconnect from current
ssh session. For now I disabled selinux.
Comment 1 Nerijus Baliūnas 2005-06-27 17:18:23 EDT
It seems it also breaks squid:

audit(1119878211.583:0): avc:  denied  { 
append } for  pid=3071 exe=/usr/sbin/squid path=/var/log/squid/squid.out 
dev=sda2 ino=1465950 scontext=user_u:system_r:squid_t
tcontext=root:object_r:var_log_t tclass=file
Comment 2 Daniel Walsh 2005-06-29 11:34:34 EDT
You have a labeling problem.  Did you run with selinux disabled?  

restorecon  -R -v /var/log  

Should fix its labeling.

touch /.autorelabel 
reboot
Will relabel the entire system.

selinux-policy-targeted 1.17.30-3.15 should fix the lib_t error.
Dan
Comment 3 Nerijus Baliūnas 2005-06-29 11:56:50 EDT
I cannot reboot, so I ran fixfiles restore, but it didn't help (why?). Are you
sure relabeling /var/log will help with avc:  denied  { execmod } for  pid=18980
comm=sshd
path=/lib/libdl-2.3.5.so dev=md0 ino=999672 ? Or will 1.17.30-3.15 help even
without relabeling?

BTW, it happened on about 5 different servers, so of course I disabled selinux,
as otherwise customers would have killed me. And I'm very afraid to enable it now.

Is it possible to relabel the entire system without rebooting?
Comment 4 Daniel Walsh 2005-06-29 12:07:32 EDT
Please go to ftp://people.redhat.com/dwalsh/SELinux/FC3
and grab the latest policy

1.17.30-3.15 and see if this fixes the problem.  This should be available via
update tomorrow.

Dan
Comment 5 Daniel Walsh 2005-07-03 11:20:48 EDT
Fixed in selinux-policy-targeted-1.17.30-3.16

Note You need to log in before you can comment on or make changes to this bug.