Bug 213588 - SELinux is preventing /usr/sbin/prelink (prelink_t) "read" to lib (usr_t).
Summary: SELinux is preventing /usr/sbin/prelink (prelink_t) "read" to lib (usr_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2006-11-02 04:49 UTC by Ben Liblit
Modified: 2007-11-30 22:11 UTC (History)
Clone Of:
Last Closed: 2007-08-22 14:02:56 UTC



Description Ben Liblit 2006-11-02 04:49:40 UTC
avc denials of the following form appear in the system logs:

avc: denied { read } for comm='"prelink"' dev='hda3' egid='0' euid='0'
exe='"/usr/sbin/prelink"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0'
name='"lib"' pid='19492' scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
sgid='0' subj='system_u:system_r:prelink_t:s0-s0:c0.c1023' suid='0'
tclass='lnk_file' tcontext=user_u:object_r:usr_t:s0 tty='(none)' uid='0'

Here's some additional information collected by the setroubleshoot browser:

Source Context:  system_u:system_r:prelink_t:SystemLow-SystemHigh
Target Context:  user_u:object_r:usr_t
Target Objects:  lib [ lnk_file ]
Affected RPM Packages:  prelink-0.3.9-2 [application]
                        filesystem-2.4.0-1 [target]
Policy RPM:  selinux-policy-2.4.1-3.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16
           14:37:32 EDT 2006 i686 i686

I tried "restorecon -v lib", which is what the setroubleshoot system recommends.
This produced an error message, as expected, since there was no "lib" in the
current directory.

I tried "restorecon -v /lib /usr/lib", assuming that one of those two
directories is what the setroubleshoot system's recommendation really meant to
refer me to.  This produced no output and the same avc denial appeared again two
days later.

Comment 1 Daniel Walsh 2006-11-06 19:12:30 UTC
Fixed in selinux-policy-2.4.3-1

Comment 2 jlbartos 2006-11-13 17:43:03 UTC
Source Context      system_u:system_r:prelink_t
Target Context      system_u:object_r:usr_t
Target Objects      vultureseye [ file ]
Affected RPM Packages  prelink-0.3.9-2 [application]
Policy RPM          selinux-policy-2.4.3-2.fc6
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall
Host Name           perec.laptop
Platform            Linux perec.laptop 2.6.18-1.2849_1.fc6.cubbi_suspend2 #1 SMP
Mon Nov 13 11:28:58 CET 2006 i686 i686

Raw Audit Messages
avc: denied { read } for comm='"prelink"' dev='hda3' egid='0'
euid='0' exe='"/usr/sbin/prelink"' exit='-13' fsgid='0' fsuid='0' gid='0'
items='0' name='"vultureseye"' pid='5610'
scontext=system_u:system_r:prelink_t:s0 sgid='0'
subj='system_u:system_r:prelink_t:s0' suid='0' tclass='file'
tcontext=system_u:object_r:usr_t:s0 tty='(none)' uid='0'

rpms:
nethack-vultures-2.1.0-8.fc6
nethack-3.4.3-12.fc6
viruskiller-1.0-2.fc6

files:
/usr/bin/vultureseye
/usr/bin/nethack
/usr/bin/vulturesclaw
/usr/bin/viruskiller

Comment 3 Daniel Walsh 2006-11-13 20:47:43 UTC
This looks like a labeling problem.  These files should be labeled bin_t.

restorecon -R -v /usr/bin
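Both reports above were triaged the same way: read the raw AVC record, pull out the source type, the permission, the object class and the target type, and then work out which file on disk the record is talking about. The snag the original reporter hit is that an AVC record carries only name= (the last path component), so "restorecon -v lib" cannot know whether /lib, /usr/lib or some other "lib" symlink was denied. The following parser is an added example written for this page; it is not part of the bug report, of selinux-policy or of setroubleshoot. The two sample records are the ones quoted in the report, re-joined onto one line each; the list of known paths is the "files:" list from Comment 2, and the function and variable names are my own.

```python
"""Parse SELinux AVC denial records and turn name= back into a restorecon target.

Added example for this bug page; not code from the report, selinux-policy or
setroubleshoot.  Sample records are the two AVC lines quoted in the report.
"""
import re
from os.path import basename

# Constructed samples: the AVC records from the description and from Comment 2,
# re-joined onto one line each exactly as audit printed the fields.
AVC_LIB = (
    "avc: denied { read } for comm='\"prelink\"' dev='hda3' egid='0' euid='0' "
    "exe='\"/usr/sbin/prelink\"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' "
    "name='\"lib\"' pid='19492' scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 "
    "sgid='0' subj='system_u:system_r:prelink_t:s0-s0:c0.c1023' suid='0' "
    "tclass='lnk_file' tcontext=user_u:object_r:usr_t:s0 tty='(none)' uid='0'"
)
AVC_VULTURES = (
    "avc: denied { read } for comm='\"prelink\"' dev='hda3' egid='0' euid='0' "
    "exe='\"/usr/sbin/prelink\"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' "
    "name='\"vultureseye\"' pid='5610' scontext=system_u:system_r:prelink_t:s0 "
    "sgid='0' subj='system_u:system_r:prelink_t:s0' suid='0' tclass='file' "
    "tcontext=system_u:object_r:usr_t:s0 tty='(none)' uid='0'"
)

_PERMS = re.compile(r"\b(denied|granted)\s*\{\s*([^}]*?)\s*\}")
# key='quoted value'  or  key=bare-value (scontext/tcontext are printed bare)
_FIELD = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def split_context(ctx):
    """user:role:type[:mls-range] -> dict; the MLS range may itself contain ':'."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "mls": rest[0] if rest else ""}


def parse_avc(record):
    """Return the decision, the permission set and every key=value field of one record."""
    m = _PERMS.search(record)
    if m is None:
        raise ValueError("not an AVC record: %r" % record)
    fields = {}
    for f in _FIELD.finditer(record):
        val = f.group(2) if f.group(2) is not None else f.group(3)
        fields[f.group(1)] = val.strip('"')      # comm='"prelink"' -> prelink
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "fields": fields,
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }


def summarize(record):
    """The fields you read first: which domain, which access, on what class, labelled how."""
    p = parse_avc(record)
    return {
        "exe": p["fields"].get("exe"),
        "source_type": p["source"]["type"],
        "perms": p["perms"],
        "tclass": p["fields"]["tclass"],
        "name": p["fields"].get("name"),
        "target_type": p["target"]["type"],
    }


def candidate_paths(record, known_paths):
    """Match the record's bare basename against full paths you enumerated yourself.

    The AVC record never carries a full path, only name=; known_paths comes from
    'rpm -ql', 'find -name' or the PATH records of the same audit event.
    """
    want = summarize(record)["name"]
    return sorted(p for p in known_paths if basename(p) == want)


def relabel_command(record, known_paths):
    """restorecon for the matched paths, or a find command to locate candidates first."""
    s = summarize(record)
    hits = candidate_paths(record, known_paths)
    if not hits:
        ftype = {"lnk_file": "l", "dir": "d"}.get(s["tclass"], "f")
        return "find / -xdev -name %s -type %s" % (s["name"], ftype)
    flag = "-R -v" if s["tclass"] == "dir" else "-v"
    return "restorecon %s %s" % (flag, " ".join(hits))


if __name__ == "__main__":
    files = ["/usr/bin/vultureseye", "/usr/bin/nethack",
             "/usr/bin/vulturesclaw", "/usr/bin/viruskiller"]
    for rec in (AVC_LIB, AVC_VULTURES):
        print(summarize(rec))
        print("  ->", relabel_command(rec, files))
```

For the Comment 2 record the parser resolves name='"vultureseye"' against the package file list and yields a restorecon on /usr/bin/vultureseye, which is the same relabel Comment 3 prescribes (done there for the whole directory with -R). For the description's record there is no path to resolve against, so the function falls back to a find for symlinks named lib; that is the step setroubleshoot's "restorecon -v lib" skipped, and it is why relabeling /lib and /usr/lib blindly changed nothing.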



Comment 4 Daniel Walsh 2007-08-22 14:02:56 UTC
Closed as all fixes are in the current release

