Description of problem:
If I run the command 'prelink -y --md5 /bin/cat' I get no output at all.

Version-Release number of selected component (if applicable):
prelink-0.3.6-3
selinux-policy-2.3.7-2.fc5
selinux-policy-targeted-2.3.7-2.fc5

How reproducible:
At this moment every time. However, the problem seems to be inconsistent.

Steps to Reproduce:
1. Run the above prelink command.

Actual results:
Nothing - no output.

Expected results:
MD5 hash of the /bin/cat file.

Additional info:
I have tested this with other files (e.g. /bin/ps) and get no output with those either. The problem exists on more than one system. My systems have SELinux enabled, but if I disable it (setenforce 0), then the prelink command works.

One of the other reported prelink bugs had a comment saying that FC6 prelink has been improved in working with SELinux. I have downloaded the FC6 SRPM and rebuilt it on an FC5 system (the build didn't complete, a test failed, but it did create the prelink binary). I ran the prelink binary in the BUILD directory and the command worked fine. Re-running the FC5 command failed. As such, would it be possible to backport the FC6 prelink command to FC5 please?

Thanks, John.
If you compiled it yourself, most likely you haven't set the SELinux context of the binary to system_u:object_r:prelink_exec_t. There were no changes whatsoever between FC5 and FC6 related to SELinux in the prelink sources, except that the location of the prelink.log file changed. But that log file is only written in the cron.daily/prelink job and nothing else, so it is completely unrelated to prelink --verify.

Trying this on current rawhide I see the SELinux policy is broken:

/usr/sbin/prelink -y --sha /bin/echo
/usr/sbin/prelink: Could not create temporary file /dev/shm/#prelink#.1U9vGB: Permission denied

dmesg | tail -n 1
audit(1160386441.213:13): avc: denied { add_name } for pid=27665 comm="prelink" name="#prelink#.1U9vGB" scontext=user_u:system_r:prelink_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

So, at least prelink_exec_t needs to be allowed to create/write/read files in /dev/shm/.
Strangely rpm -V coreutils works, guess rpm changes the SELinux context of the prelink binary it executes or something like that. But, e.g. /usr/sbin/prelink -y {,--md5,--sha} /some/elf/object or /usr/sbin/prelink -u /some/elf/object or /usr/sbin/prelink -u -o /tmp/foo /some/elf/object should work even from the command line.
FYI: I tried your 'dmesg|tail -1' command and get:

audit(1160397748.927:781): avc: denied { read write } for pid=4626 comm="prelink" name="2" dev=devpts ino=4 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file

I get the 'name="2"' I guess because I am using /dev/pts/2. Likewise 'rpm -V `rpm -qf /bin/cat`' works.

John.
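The two comments above each quote one AVC denial and reason from it to the policy change that is needed. The script below is an added example, not part of the bug report or of the prelink or selinux-policy sources: it parses the two denial lines exactly as they appear in the thread and emits the allow rules they imply, the way audit2allow does. Note that an allow rule is written against the type in scontext (the process domain, prelink_t), not against prelink_exec_t, which is the label on the binary that causes the transition into that domain. The regular expressions and the aggregation by (source type, target type, class) are this example's own design, not anything from the page.

```python
import re

# The two AVC denials quoted in the thread (the rawhide /dev/shm one and the FC5 devpts one).
AVC_LINES = [
    'audit(1160386441.213:13): avc: denied { add_name } for pid=27665 comm="prelink" '
    'name="#prelink#.1U9vGB" scontext=user_u:system_r:prelink_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    'audit(1160397748.927:781): avc: denied { read write } for pid=4626 comm="prelink" '
    'name="2" dev=devpts ino=4 scontext=user_u:system_r:prelink_t:s0 '
    'tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file',
]

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value, where value is either a quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Split one AVC denial into its permission list and its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    parsed = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        parsed[key] = quoted if quoted != "" or bare == "" else bare
    return parsed


def type_of(context):
    """user:role:type[:level] -> type (the part an allow rule names)."""
    return context.split(":")[2]


def allow_rules(lines):
    """Aggregate denied permissions per (source type, target type, class) and
    render them as policy allow rules, as audit2allow would."""
    agg = {}
    for line in lines:
        d = parse_avc(line)
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        agg.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(agg.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(AVC_LINES):
        print(rule)
```

Two caveats a practitioner would apply before committing such rules: a denial reports only the first check that failed, so after allowing add_name on tmpfs_t:dir the next run will typically surface the file-level permissions (create, write, read, unlink on the temporary file) as fresh denials, and the process has to be repeated until the command succeeds; and the devpts denial is prelink trying to use the terminal on its stdout/stderr, which is exactly why the command printed nothing, so that rule is about seeing output rather than about prelink's actual work.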
As a workaround you can do:

% runcon -t unconfined_t -- prelink -y --md5 /bin/cat
60b898dae597cc87a4f4080cda7ea351 /bin/cat
Sorry for the delay. Yes, your workaround seems to work fine :-) Thanks, John.
Fixed in selinux-policy-2.3.7-4.fc5
Closing bugs