213588 – SELinux is preventing /usr/sbin/prelink (prelink_t) "read" to lib (usr_t).

Bug 213588 - SELinux is preventing /usr/sbin/prelink (prelink_t) "read" to lib (usr_t).

Summary: SELinux is preventing /usr/sbin/prelink (prelink_t) "read" to lib (usr_t).

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-11-02 04:49 UTC by Ben Liblit
Modified:	2007-11-30 22:11 UTC (History)
CC List:	1 user (show)
Fixed In Version:	Current
Clone Of:
Environment:
Last Closed:	2007-08-22 14:02:56 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ben Liblit 2006-11-02 04:49:40 UTC

avc denials of the following form appear in the system logs:

avc: denied { read } for comm='"prelink"' dev='hda3' egid='0' euid='0'
exe='"/usr/sbin/prelink"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0'
name='"lib"' pid='19492' scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
sgid='0' subj='system_u:system_r:prelink_t:s0-s0:c0.c1023' suid='0'
tclass='lnk_file' tcontext=user_u:object_r:usr_t:s0 tty='(none)' uid='0'

Here's some additional information collected by the setroubleshoot browser:

Source Context:  system_u:system_r:prelink_t:SystemLow-SystemHigh
Target Context:  user_u:object_r:usr_t
Target Objects:  lib [ lnk_file ]
Affected RPM Packages:  prelink-0.3.9-2 [application]
                        filesystem-2.4.0-1 [target]
Policy RPM:  selinux-policy-2.4.1-3.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16
           14:37:32 EDT 2006 i686 i686

I tried "restorecon -v lib", which is what the setroubleshoot system recommends.
 This produced an error message, as expected, since there was no "lib" in the
current directory.

I tried "restorecon -v /lib /usr/lib", assuming that one of those two
directories is what the setroubleshoot system's recommendation really meant to
refer me to.  This produced no output and the same avc denial appeared again two
days later.

Comment 1 Daniel Walsh 2006-11-06 19:12:30 UTC

Fixed in selinux-policy-2.4.3-1

Comment 2 jlbartos 2006-11-13 17:43:03 UTC

Source Context      system_u:system_r:prelink_t
Target Context      system_u:object_r:usr_t
Target Objects      vultureseye [ file ]
Affected RPM Packages  prelink-0.3.9-2 [application]
Policy RPM          selinux-policy-2.4.3-2.fc6
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall
Host Name           perec.laptop
Platform            Linux perec.laptop 2.6.18-1.2849_1.fc6.cubbi_suspend2 #1 SMP
Mon Nov 13 11:28:58 CET 2006 i686 i686

Raw Audit Messagesavc: denied { read } for comm='"prelink"' dev='hda3' egid='0'
euid='0' exe='"/usr/sbin/prelink"' exit='-13' fsgid='0' fsuid='0' gid='0'
items='0' name='"vultureseye"' pid='5610'
scontext=system_u:system_r:prelink_t:s0 sgid='0'
subj='system_u:system_r:prelink_t:s0' suid='0' tclass='file'
tcontext=system_u:object_r:usr_t:s0 tty='(none)' uid='0'

rpms:
nethack-vultures-2.1.0-8.fc6
nethack-3.4.3-12.fc6
viruskiller-1.0-2.fc6

files:
/usr/bin/vultureseye
/usr/bin/nethack
/usr/bin/vulturesclaw
/usr/bin/viruskiller

Comment 3 Daniel Walsh 2006-11-13 20:47:43 UTC

This looks like a labeling problem.  These files should be labeled bin_t.

restorecon -R -v /usr/bin

Comment 4 Daniel Walsh 2007-08-22 14:02:56 UTC

Closed as all fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.