Bug 213588 - SELinux is preventing /usr/sbin/prelink (prelink_t) "read" to lib (usr_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-01 23:49 EST by Ben Liblit
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Last Closed: 2007-08-22 10:02:56 EDT
Attachments: None
Description Ben Liblit 2006-11-01 23:49:40 EST
avc denials of the following form appear in the system logs:

avc: denied { read } for comm='"prelink"' dev='hda3' egid='0' euid='0'
exe='"/usr/sbin/prelink"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0'
name='"lib"' pid='19492' scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
sgid='0' subj='system_u:system_r:prelink_t:s0-s0:c0.c1023' suid='0'
tclass='lnk_file' tcontext=user_u:object_r:usr_t:s0 tty='(none)' uid='0'

Here's some additional information collected by the setroubleshoot browser:

Source Context:  system_u:system_r:prelink_t:SystemLow-SystemHigh
Target Context:  user_u:object_r:usr_t
Target Objects:  lib [ lnk_file ]
Affected RPM Packages:  prelink-0.3.9-2 [application]
                        filesystem-2.4.0-1 [target]
Policy RPM:  selinux-policy-2.4.1-3.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16
           14:37:32 EDT 2006 i686 i686

I tried "restorecon -v lib", which is what the setroubleshoot system recommends.
This produced an error message, as expected, since there was no "lib" in the
current directory.

I tried "restorecon -v /lib /usr/lib", assuming that one of those two
directories is what the setroubleshoot system's recommendation really meant to
refer me to.  This produced no output and the same avc denial appeared again two
days later.
Comment 1 Daniel Walsh 2006-11-06 14:12:30 EST
Fixed in selinux-policy-2.4.3-1
Comment 2 jlbartos 2006-11-13 12:43:03 EST
Source Context      system_u:system_r:prelink_t
Target Context      system_u:object_r:usr_t
Target Objects      vultureseye [ file ]
Affected RPM Packages  prelink-0.3.9-2 [application]
Policy RPM          selinux-policy-2.4.3-2.fc6
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall
Host Name           perec.laptop
Platform            Linux perec.laptop 2.6.18-1.2849_1.fc6.cubbi_suspend2 #1 SMP
Mon Nov 13 11:28:58 CET 2006 i686 i686

Raw Audit Messages:

avc: denied { read } for comm='"prelink"' dev='hda3' egid='0'
euid='0' exe='"/usr/sbin/prelink"' exit='-13' fsgid='0' fsuid='0' gid='0'
items='0' name='"vultureseye"' pid='5610'
scontext=system_u:system_r:prelink_t:s0 sgid='0'
subj='system_u:system_r:prelink_t:s0' suid='0' tclass='file'
tcontext=system_u:object_r:usr_t:s0 tty='(none)' uid='0'

rpms:
nethack-vultures-2.1.0-8.fc6
nethack-3.4.3-12.fc6
viruskiller-1.0-2.fc6

files:
/usr/bin/vultureseye
/usr/bin/nethack
/usr/bin/vulturesclaw
/usr/bin/viruskiller
Comment 3 Daniel Walsh 2006-11-13 15:47:43 EST
This looks like a labeling problem.  These files should be labeled bin_t.

restorecon -R -v /usr/bin

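Added example, not from this bug and not from the prelink or selinux-policy projects: a small Python parser for the raw AVC records quoted above, plus a check that flags a denial as a likely labeling problem in the sense of Comment 3 (a usr_t target whose name matches a file in a directory with a known expected type). The expected-type table holds only the one rule the bug states (/usr/bin should be bin_t), and the two records are the ones quoted in this bug, re-joined onto one line each as constructed input.

```python
import re

# Constructed input: the two raw AVC records quoted in this bug, one per line.
AVC_RECORDS = [
    "avc: denied { read } for comm='\"prelink\"' dev='hda3' egid='0' euid='0' "
    "exe='\"/usr/sbin/prelink\"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' "
    "name='\"lib\"' pid='19492' scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 "
    "sgid='0' subj='system_u:system_r:prelink_t:s0-s0:c0.c1023' suid='0' "
    "tclass='lnk_file' tcontext=user_u:object_r:usr_t:s0 tty='(none)' uid='0'",
    "avc: denied { read } for comm='\"prelink\"' dev='hda3' egid='0' euid='0' "
    "exe='\"/usr/sbin/prelink\"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' "
    "name='\"vultureseye\"' pid='5610' scontext=system_u:system_r:prelink_t:s0 "
    "sgid='0' subj='system_u:system_r:prelink_t:s0' suid='0' tclass='file' "
    "tcontext=system_u:object_r:usr_t:s0 tty='(none)' uid='0'",
]

# Expected type per directory. Only the rule from Comment 3 is known here
# (assumption for this example: no other directory rules are needed).
EXPECTED_TYPE_BY_DIR = {"/usr/bin": "bin_t"}

PERM_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_avc(record):
    """Parse one raw AVC record into a dict, stripping the audit quoting
    (a value like '"prelink"' becomes prelink)."""
    perms = PERM_RE.search(record)
    fields = {"permissions": perms.group(1).split() if perms else []}
    for key, raw in FIELD_RE.findall(record):
        fields[key] = raw.strip("'").strip('"')
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type (the third field)."""
    return ctx.split(":")[2]


def suggest_relabel(denial, known_paths):
    """Return (path, expected_type) when the denied target is usr_t and its
    name matches a file in a directory with a known expected type; else None.
    known_paths: candidate full paths (e.g. the file list from an rpm query)."""
    if context_type(denial["tcontext"]) != "usr_t":
        return None
    for path in known_paths:
        directory, base = path.rsplit("/", 1)
        if base == denial["name"] and directory in EXPECTED_TYPE_BY_DIR:
            return path, EXPECTED_TYPE_BY_DIR[directory]
    return None
```

For the second record and the /usr/bin file list from Comment 2, suggest_relabel returns ("/usr/bin/vultureseye", "bin_t"), matching the restorecon advice in Comment 3; the first record (a bare "lib" symlink) matches nothing and is left for policy review.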
Comment 4 Daniel Walsh 2007-08-22 10:02:56 EDT
Closed as all fixes are in the current release
