Bug 199005 - avc: denied { unlink } for comm="prelink" name="prelink.cache"
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-07-15 11:34 EDT by Sitsofe Wheeler
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:02:55 EDT
Description Sitsofe Wheeler 2006-07-15 11:34:07 EDT
Description of problem:
dmesg is full of warnings like:
audit(1152935399.786:15): avc:  denied  { unlink } for  pid=9017 comm="prelink"
name="prelink.cache" dev=hda3 ino=71440 scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install FC5.
2. Apply all updates.
3. Wait for nightly prelink rebuild.
Actual results:
selinux warnings in dmesg.

Expected results:
No warnings.

Additional info:
$ ls -Z /etc/prelink.c*
-rw-r--r--  root root user_u:object_r:etc_t            /etc/prelink.cache
-rw-r--r--  root root system_u:object_r:etc_t          /etc/prelink.conf

I sort of suspect that the selinux policy for prelink has been updated but a
relabel was never forced on those files. This is seen on all of the 9 FC5
machines we have here. 

prelink seems to have been causing selinux warnings for some time. If there is
some sort of selinux-policy testsuite I'd recommend that prelink be added to it
as it seems to have had a fair few problems.
Comment 1 Daniel Walsh 2006-07-17 09:22:36 EDT
restorecon /etc/prelink.cache should fix the problem.
prelink has been updated in FC6 to play better with SELinux. Not sure if this
is being backported.
Comment 2 Sitsofe Wheeler 2006-07-20 02:20:26 EDT
And indeed it does. I wound up doing a full filesystem relabel because I was
worried that prelink wouldn't be the only package with this issue (and that took
ages). I guess there needs to be a warning if manual relabelling like this needs
to be done or prelink starts having to accrue massive baggage in the form of
forced relabels of files whose context changes across the life of a distro... 
Comment 3 Daniel Walsh 2007-03-28 16:02:55 EDT
Closing bugs
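
Added example, not part of the original bug thread: a small parser for AVC denial records like the one quoted in the description, which groups denials by the file they hit so that only those files need a label check instead of a full filesystem relabel. The function names and the second sample record are constructed for illustration.

```python
import re
from collections import Counter

# Constructed input: the denial quoted in the report (hard-wrapped as on the
# page) plus a constructed repeat from a later nightly run.
SAMPLE = '''\
audit(1152935399.786:15): avc:  denied  { unlink } for  pid=9017 comm="prelink"
name="prelink.cache" dev=hda3 ino=71440 scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
audit(1153021801.102:22): avc:  denied  { unlink } for  pid=9450 comm="prelink"
name="prelink.cache" dev=hda3 ino=71440 scontext=user_u:system_r:prelink_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
'''

RECORD_START = re.compile(r'(?=audit\(\d+\.\d+:\d+\): avc:)')
AVC_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied '
                    r'\{(?P<perms>[^}]*)\} for (?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Parse AVC denials; assumes text holds only AVC records, possibly wrapped."""
    flat = ' '.join(text.split())          # undo wrapping, collapse spacing
    records = []
    for chunk in RECORD_START.split(flat):
        m = AVC_RE.match(chunk)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        rec['perms'] = m.group('perms').split()
        rec['serial'] = int(m.group('serial'))
        for side in ('scontext', 'tcontext'):
            if side in rec:                # user:role:type[:level]
                rec[side[0] + 'type'] = rec[side].split(':')[2]
        records.append(rec)
    return records

def denied_files(records):
    """Count denials per on-disk file, keyed by (dev, inode, name, label)."""
    counts = Counter()
    for r in records:
        if r.get('tclass') == 'file' and 'ino' in r:
            counts[(r['dev'], int(r['ino']), r['name'], r['tcontext'])] += 1
    return counts

if __name__ == '__main__':
    for (dev, ino, name, label), n in denied_files(parse_avc(SAMPLE)).items():
        print(f'{n}x {name} dev={dev} ino={ino} label={label}')
```

The `name=` field is only a basename, so the device and inode are what identify the file; once its path is known, `restorecon -n -v <path>` reports the label the loaded policy expects without changing anything.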
