Bug 209951 - Prelink verify shows no output
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Ben Levenson
Blocks: FC5Update
Reported: 2006-10-08 15:25 EDT by John Horne
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:01:59 EDT
Description John Horne 2006-10-08 15:25:22 EDT
Description of problem:
If I run the command 'prelink -y --md5 /bin/cat' I get no output at all.

Version-Release number of selected component (if applicable):
prelink-0.3.6-3
selinux-policy-2.3.7-2.fc5
selinux-policy-targeted-2.3.7-2.fc5

How reproducible:
At this moment every time. However, the problem seems to
be inconsistent. 

Steps to Reproduce:
1. Run the above prelink command.
Actual results:
Nothing - no output.

Expected results:
MD5 hash of the /bin/cat file.

Additional info:
I have tested this with other files (e.g. /bin/ps) and get no output with those
either. The problem exists on more than one system.

My systems have SELinux enabled, but if I disable it (setenforce 0), then the
prelink command works.

One of the other reported prelink bugs had a comment saying that FC6 prelink has
been improved in working with SELinux. I have downloaded the FC6 SRPM and
rebuilt it on an FC5 system (the build didn't complete, a test failed, but it
did create the prelink binary). I ran the prelink binary in the BUILD directory
and the command worked fine. Re-running the FC5 command failed.

As such, would it be possible to backport the FC6 prelink command to FC5 please?



Thanks,

John.
Comment 1 Jakub Jelinek 2006-10-09 05:36:45 EDT
If you compiled it yourself, most likely you haven't set the SELinux context
of the binary to system_u:object_r:prelink_exec_t.  There were no changes
whatsoever between FC5 and FC6 related to SELinux in the prelink sources,
except that the location of prelink.log file changed.
But that log file is only written in the cron.daily/prelink job and nothing
else, so it is completely unrelated to prelink --verify.
Trying this on current rawhide I see the SELinux policy is broken:
/usr/sbin/prelink -y --sha /bin/echo
/usr/sbin/prelink: Could not create temporary file /dev/shm/#prelink#.1U9vGB:
Permission denied
dmesg | tail -n 1
audit(1160386441.213:13): avc:  denied  { add_name } for  pid=27665
comm="prelink" name="#prelink#.1U9vGB" scontext=user_u:system_r:prelink_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

So, at least prelink_exec_t needs to be allowed to create/write/read files in
/dev/shm/.
Comment 2 Jakub Jelinek 2006-10-09 05:41:31 EDT
Strangely rpm -V coreutils works, guess rpm changes the SELinux context
of the prelink binary it executes or something like that.
But, e.g.
/usr/sbin/prelink -y {,--md5,--sha} /some/elf/object
or
/usr/sbin/prelink -u /some/elf/object
or
/usr/sbin/prelink -u -o /tmp/foo /some/elf/object
should work even from the command line.
Comment 3 John Horne 2006-10-09 08:47:24 EDT
FYI:
I tried your 'dmesg|tail -1' command and get:

  audit(1160397748.927:781): avc:  denied  { read write } for  pid=4626 
  comm="prelink" name="2" dev=devpts ino=4 scontext=user_u:system_r:prelink_t:s0 
  tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file

I get the 'name="2"' I guess because I am using /dev/pts/2.

Likewise 'rpm -V `rpm -qf /bin/cat`' works.


John.
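
Added example, not part of the original bug thread: a Python parser for the two AVC denials quoted in comments 1 and 3 that reduces each one to the type-enforcement allow rule it implies, so the missing permissions for prelink_t can be reviewed side by side. The function names are assumptions of this example; the log lines are the thread's own, re-joined onto one line each.

```python
import re

# Constructed sample: the denials from comments 1 and 3 of this thread,
# with the wrapped lines re-joined so each record is on one line.
SAMPLE = [
    'audit(1160386441.213:13): avc:  denied  { add_name } for  pid=27665 '
    'comm="prelink" name="#prelink#.1U9vGB" scontext=user_u:system_r:prelink_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    'audit(1160397748.927:781): avc:  denied  { read write } for  pid=4626 '
    'comm="prelink" name="2" dev=devpts ino=4 scontext=user_u:system_r:prelink_t:s0 '
    'tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of user:role:type[:level], or None if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 and parts[2] else None

def parse_avc(line):
    """Return (source type, target type, class, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    src = context_type(fields.get('scontext', ''))
    tgt = context_type(fields.get('tcontext', ''))
    cls, perms = fields.get('tclass'), m.group(1).split()
    if not (src and tgt and cls and perms):
        return None  # truncated or malformed record: skip rather than guess
    return src, tgt, cls, perms

def missing_rules(lines):
    """Merge denials by (source, target, class) and render them as allow rules."""
    merged = {}
    for avc in filter(None, map(parse_avc, lines)):
        merged.setdefault(avc[:3], set()).update(avc[3])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(missing_rules(SAMPLE)))
```

The output is a list of candidate rules to review, not policy to load as-is: each line names a permission the confined domain was refused, and whether it should be granted is a policy decision.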
Comment 4 James Antill 2006-10-09 15:18:28 EDT
 As a workaround you can do:

% runcon -t unconfined_t -- prelink -y --md5 /bin/cat
60b898dae597cc87a4f4080cda7ea351  /bin/cat
Comment 5 John Horne 2006-10-10 16:12:32 EDT
Sorry for the delay. Yes, your workaround seems to work fine :-)

Thanks,

John.
Comment 6 Daniel Walsh 2006-10-16 10:37:40 EDT
Fixed in selinux-policy-2.3.7-4.fc5
Comment 7 Daniel Walsh 2007-03-28 16:01:59 EDT
Closing bugs
