Bug 161859 - selinux-policy-targeted-1.17.30-3.13 breaks gpg
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386
OS: Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Duplicates: 162397
Reported: 2005-06-27 17:27 EDT by David Baron
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-07-06 17:54:55 EDT
Attachments: None
Description David Baron 2005-06-27 17:27:13 EDT
Description of problem:  Upgrading to selinux-policy-targeted-1.17.30-3.13 from 
1.17.30-3.9 (both in updates-released for FC3) breaks gpg.  gpg-signing a
message in mutt (or just running /usr/bin/gpg) gives the error:

/usr/bin/gpg: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied

and /var/log/messages contains the error:

Jun 27 21:24:14 ridley kernel: audit(1119907454.786:0): avc:  denied  { execmod } for  pid=12571 comm=gpg path=/usr/bin/gpg dev=hda3 ino=888767 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.13

How reproducible: Always

Steps to Reproduce:
1. Run /usr/bin/gpg
Actual results: Error messages above

Expected results: runs

Additional info: "chcon -t texrel_shlib_t /usr/bin/gpg" works around the problem
for me, although using something with "shlib" in it for a binary seems a bit odd
Comment 1 Aleksey Nogin 2005-06-29 13:15:41 EDT
Actually, this is not just signing - it breaks gpg completely:

% gpg --help
gpg: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied

P.S. CC'ing gnupg package owner.
Comment 2 Daniel Walsh 2005-06-29 13:26:47 EDT
Please try selinux-policy-targeted-1.17.30-3.16

Available on ftp://people.redhat.com/dwalsh/SELinux/FC3

Should be in fedora-testing tonight.
Comment 3 Greg Metcalfe 2005-06-29 14:01:43 EDT
I can verify Aleksey's comment regarding a complete breakage of pgp. I've just
seen it in Kmail, and at the commandline.

I've updated 3.13 to 3.16 and found that to be a fix. On one hand, I'm not
happy about having to grab a policy that's not even in testing. On the other
hand, thanks for the fast turnaround. On the gripping hand, SELinux policy
testing is clearly in a Bad Place.

I'll try to reboot in a few minutes, and see if 3.16 breaks anything.
Comment 4 Greg Metcalfe 2005-06-29 14:15:10 EDT
After reboot:
An error occurred while loading or saving configuration information for
Nautilus. Some of your configuration settings may not work properly.

With the old policy, I got 62 lines from 'dmesg |grep 'avc:  denied' | wc -l'
I have this in a text file, if anyone wants it. Shoot me a mail.

With 3.16, the same grep returns nothing. Definitely making progress, Daniel!
If I can provide any other information to help you out, please let me know.
Comment 5 Daniel Walsh 2005-06-29 14:29:59 EDT
16 was just announced in testing.  Basically a minor fix from FC4 targeted policy

allow unconfined_domains file_type:file execmod;

Which allows all unconfined domains to execute apps like gpg, which currently
require execmod.
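The following is an added triage helper written by the editor; it is not code from the bug report, from GnuPG or from the Fedora policy packages. It parses an AVC denial in the format quoted in the description (and again in comment 7), prints the fields a defender needs, and derives the narrow `allow` rule that would permit exactly that one access, the kind of rule an audit2allow-style tool emits, so it can be compared with the attribute-wide `allow unconfined_domains file_type:file execmod;` rule quoted above. For `execmod` denials it also names the two narrower responses: the reporter's per-file `chcon -t texrel_shlib_t` workaround, and checking the binary for text relocations with `eu-findtextrel` (from elfutils; the editor's suggestion, not something the thread mentions). The sample line is the one from the description, rejoined onto a single line.

```shell
#!/bin/bash
# Editor's added example: triage an SELinux AVC denial line such as the one
# reported in this bug. Nothing here is code from the bug report itself.

# The AVC line from the bug description, rejoined onto one line.
SAMPLE_AVC='Jun 27 21:24:14 ridley kernel: audit(1119907454.786:0): avc:  denied  { execmod } for  pid=12571 comm=gpg path=/usr/bin/gpg dev=hda3 ino=888767 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file'

# avc_field LINE KEY -> the value of "KEY=value" in LINE (empty if absent).
# The leading [[:space:]] keeps "tcontext" from matching inside "scontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permissions listed inside the { } braces, e.g. "execmod".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT -> the type component (user:role:type -> type).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE -> the type-enforcement allow rule that permits exactly the
# denied access. For a source of unconfined_t this is still broad (it opens the
# permission for every unconfined process), which is why a per-file relabel is
# the tighter fix when only one binary needs it.
avc_to_rule() {
    local line="$1" src tgt cls perms
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# is_execmod_denial LINE -> exit status 0 if LINE is an execmod AVC denial.
is_execmod_denial() {
    case "$1" in
        *"avc:  denied  { execmod }"*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage LINE -> a short summary with the responses relevant to the denial.
# execmod is requested when the dynamic loader has to make a mapping
# executable again after applying text relocations; that is what the
# "cannot restore segment prot after reloc" error in the report refers to.
triage() {
    local line="$1" path comm
    path=$(avc_field "$line" path)
    comm=$(avc_field "$line" comm)
    if is_execmod_denial "$line"; then
        printf 'execmod denied for %s (%s): binary likely carries text relocations\n' "$comm" "$path"
        printf '  check:      eu-findtextrel %s\n' "$path"
        printf '  per-file:   chcon -t texrel_shlib_t %s   (workaround from the report)\n' "$path"
    else
        printf 'non-execmod denial for %s (%s)\n' "$comm" "$path"
    fi
    printf '  rule:       %s\n' "$(avc_to_rule "$line")"
}

triage "$SAMPLE_AVC"
```

The derived rule for the sample is `allow unconfined_t bin_t:file { execmod };`, which already shows why the policy authors went one step wider (the `unconfined_domains` and `file_type` attributes) rather than enumerating binaries; the per-file relabel in the report is the opposite trade-off, narrowest scope but one that has to be redone whenever the package is reinstalled.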
Comment 6 Greg Metcalfe 2005-06-29 14:34:48 EDT
Forgot to add details of the Nautilus error:
Failed to contact configuration server; some possible causes are that you need
to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a
system crash. See http://www.gnome.org/projects/gconf/ for information.
(Details -  1: IOR file '/tmp/gconfd-gregm/lock/ior' not opened successfully,
no gconfd located: No such file or directory 2: Failed to convert IOR '' to an
object reference)
Failed to contact configuration server; some possible causes are that you need
to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a
system crash. See http://www.gnome.org/projects/gconf/ for information.
(Details -  1: Failed to convert IOR '' to an object reference 2: Failed to
convert IOR '' to an object reference)

I'm not a Gnome user. I've no idea what all this means. But I have rebooted
via ssh because a KDE launch 'show details' screen became unresponsive during
the 3.13 problems, and I couldn't call another virtual terminal. That
generates unclean filesystem stuff at restart, so in some ways, at least, it's
interpreted as a crash. Though this should not happen, IMHO. I do not run NFS.
Comment 7 Daniel Hammer 2005-07-01 08:35:10 EDT
In FC3 the current selinux-policy-targeted-1.17.30-3.15 also breaks gpg:

Jul  1 14:29:37 tunix kernel: audit(1120220977.153:0): avc:  denied  { execmod } for  pid=5921 comm=gpg path=/usr/bin/gpg dev=sda2 ino=5792403 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file

All versions before worked fine for me.
Comment 8 Daniel Walsh 2005-07-02 16:01:08 EDT
Fixed in selinux-policy-targeted-1.17.30-3.16
Comment 9 Kevin Hart 2005-07-06 13:52:04 EDT
I had a similar problem, and the upgrade to 1.17.30-3.16 worked for me.
Comment 10 Kevin Hart 2005-07-06 13:53:31 EDT
*** Bug 162397 has been marked as a duplicate of this bug. ***
Comment 11 Greg Metcalfe 2005-07-06 13:59:17 EDT
1.17.30-3.16 seems to have worked for me as well, over a timeframe where I'm
pretty confident that I would have seen the problem, if it were still present.

If original reporter David Baron and the rest buy in, I'm fine with you
closing this ticket.